e0337ebd14f0c75c94819081268d808982078b9b68151b83ba5c1e8a493f3c0b | Triage

Analysis

max time kernel
85s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2023, 10:51

Sharing

Report Analysis Logs

General

Target

002207799.wsf
Size

79KB
MD5

06cfea33119286aeed8b6319d6ea344c
SHA1

3f9e95f9cbbe99e8edadabc3a26aaf0ba1fda74d
SHA256

e0337ebd14f0c75c94819081268d808982078b9b68151b83ba5c1e8a493f3c0b
SHA512

22d3818ed7be01ba04e4b2c238ec4ddb3ee1c9b12bba67527c94903736b14a05c709c85e4cd43feb728f91bb067a0539088fe11ff6273665f0fe053b23121c0f
SSDEEP

1536:Hh1k2UjmwLzl0j+3DbdjI6MGWD+vMdMRM9lDC4:Hh1k2izuybyyo+VqlDC4

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4712	conhost.exe	15

Blocklisted process makes network request 6 IoCs

flow	pid	Process
7	4700	WScript.exe
18	4700	WScript.exe
21	4700	WScript.exe
46	4700	WScript.exe
47	4700	WScript.exe
48	4700	WScript.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4692	3456	conhost.exe	94
PID 3456 wrote to memory of 4692	3456	conhost.exe	94

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\002207799.wsf"
1⤵
- Blocklisted process makes network request
PID:4700

C:\Windows\system32\conhost.exe
conhost.exe rundll32.exe C:\Users\Public\aFNXhYmvnKokC9.dat,bind
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Public\aFNXhYmvnKokC9.dat,bind
  2⤵
  PID:4692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads