31a7f78871a4d57dadfdaba00a77436f395619ee49084bac4fd3e57b2d306087

Resubmissions

25/04/2023, 16:32

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/04/2023, 16:32

Target

Claim_C856.wsf
Size

95KB
MD5

b9803ab344fda06c35564abc686e41ca
SHA1

af3ed285c5359919d1470134264be7d546f9a02f
SHA256

31a7f78871a4d57dadfdaba00a77436f395619ee49084bac4fd3e57b2d306087
SHA512

b8b748eb4c003aeda928f8e5118e6bdb07c635efd7b17047a9c0183c83a22fb8beee6a7e427eeda950e6bab2e5e867978e100c90ae77cb6a15afe24e4410bafc
SSDEEP

1536:63DbXLN16gq3NlDhxN16gJcN16giU9IZTb0GW741rtr8wsr+BFa7z8hiKtlDJK9I:qbXLNFq3NlDHNFJcNFiU9Ix0LEOwsSBX

Score

10^/10

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	764	rundll32.exe	30

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2036	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Claim_C856.wsf"
1⤵
- Blocklisted process makes network request
PID:2036

C:\Windows\SysWOW64\rundll32.exe
C:\\Windows\\SysWOW64\\rundll32.exe C:\ProgramData\arDVEuoJ5ngSbkhI.tmp,Motd
1⤵
- Process spawned unexpected child process
PID:1796

C:\ProgramData\arDVEuoJ5ngSbkhI.tmp

Filesize
564B

MD5
4dec45889e09ec3ceb63fd65825d0f11

SHA1
d80eaf048573a410cb6c49ebb859280d04b6113c

SHA256
cab538fd1647961eb35348c1bd84e1fde389ad89672587d2fe3c007a0bc9e67f

SHA512
6ba9cc945b78b1c1f7b80a2bc3c0d48d3e1c5fc2a481fada4e9018622664fb7423623b3563a6236bf105621e4a907a9957af421ef67783f3dc1194b9bc308c7b

Download Submit