General

  • Target

    lnvoice-1129374589pdf.vbs

  • Size

    2KB

  • Sample

    230524-hzvxaabh4s

  • MD5

    b3183c5fe842266103ad470b285015d9

  • SHA1

    52e19cc1e888ae97b34ac3bf3b81fd713edeb2db

  • SHA256

    9ef6905558a6d20b3e358c68fe868535f8af6333d9345a0c8d5f421462fb657e

  • SHA512

    d36409806afbc8a4ce5eb08ffad386e440da7bbb0bed81adfbffc1cb2b0b98bd88ad9e62b57b05757003de1adcc4eb1bb70c59ae85fe60ab4a71c3be8be664b5

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://cff66d08-d3f8-42db-911c-ce670399a441.usrfiles.com/ugd/cff66d_474c983f67584a68b9747c126f9d9aa2.txt

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops startup file

    • Registers COM server for autorun

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks