859dab460382b4b7a805a3a6b32e198b92d1ae3e18c22934fd8deeefe52a5d74 | Triage

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-05-2023 15:47

Sharing

Report Analysis Logs

General

Target

Claim_C039.wsf
Size

66KB
MD5

d5450a71c48f8ff148f3440e125ae7dc
SHA1

512b6fb461d575df7f4e1f2f1114c6ad195d2e7b
SHA256

859dab460382b4b7a805a3a6b32e198b92d1ae3e18c22934fd8deeefe52a5d74
SHA512

d0eb36c5cc2d3c1b91c3427c6e6f3e663d08ef6408b1b1c91b5894ab55114d2f2192661c1f0aa0e8dd4fbd6c583ee008325aa8b0f0eeeffc48218be5f476b151
SSDEEP

1536:IaBFZc8npNU8nVP+R2mrPk59sKK2xFMLfxv0:TjHQVH2Yfq

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1552	conhost.exe	29

Blocklisted process makes network request 9 IoCs

flow	pid	Process
3	972	WScript.exe
5	972	WScript.exe
6	972	WScript.exe
7	972	WScript.exe
8	972	WScript.exe
9	972	WScript.exe
10	972	WScript.exe
11	972	WScript.exe
12	972	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Claim_C039.wsf"
1⤵
- Blocklisted process makes network request
PID:972

C:\Windows\system32\conhost.exe
conhost.exe rundll32.exe C:\Users\Public\aXPbq2L4NcCZ19fu.dat,bind
1⤵
- Process spawned unexpected child process
PID:1136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads