e129d7e093e1ab82b09c0b4d9c23f71ee8c50bff17ac9f9a2bc71fec053fd3e9 | Triage

Analysis

max time kernel
157s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2023 10:52

Sharing

Report Analysis Logs

General

Target

A104.wsf
Size

36KB
MD5

1e0d3efa1494049c07b56db8994f0682
SHA1

9145f291baac4e9542d19177186e338727780f17
SHA256

2f5fa112a3851103950f2aac5c58fe715e2e55277ed1e17edf556d00148dec06
SHA512

7c8437cc58c77777e645c11f110059a17fe437c72143bf24940c6e7497ae00b1fb8537675b584c75bc6972a086a0a8a3f2e2863fbc008f8fefc501bacecb260b
SSDEEP

768:LWp6iDX1ZOWeyrTbojkpRUj7BzU6QxIoohuTtwjA+p:W6W1ZOqb8iRUjFw66f8Zp

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2692	rundll32.exe	24

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3796	WScript.exe
8	3796	WScript.exe
10	3796	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A104.wsf"
1⤵
- Blocklisted process makes network request
PID:3796

C:\Windows\SysWOW64\rundll32.exe
C:\\Windows\\SysWOW64\\rundll32.exe C:\ProgramData\acogJqAR8nFYC7d.dat,Time
1⤵
- Process spawned unexpected child process
PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads