eac03f7bc83d42d686c55a12736a74086e1feada3ef4181f79c5435311a5358d

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-06-2023 18:26

Target

f.vbs
Size

346B
MD5

41e54b45d2ab4718156a2d978aeb2eaa
SHA1

b8f924f1fd50d3feba999029615ae6d2b47ecea7
SHA256

eac03f7bc83d42d686c55a12736a74086e1feada3ef4181f79c5435311a5358d
SHA512

96a51af6ebb69dc01971fef39a5e033417a02299080804a7062182f64be5b9c5ce0ac863397e34bfeca5a1b1c767883a4b6b3888e36e8f443ac0f1bb661e7727

Score

8^/10

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 1932 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1932 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1932 powershell.exe

flow	pid	process
3	1932	powershell.exe

pid	process
1932	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1932	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 2044 wrote to memory of 1932	2044	WScript.exe	powershell.exe
PID 2044 wrote to memory of 1932	2044	WScript.exe	powershell.exe
PID 2044 wrote to memory of 1932	2044	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

memory/1932-58-0x000000001B050000-0x000000001B332000-memory.dmp

Filesize
2.9MB

Download
memory/1932-59-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1932-60-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1932-62-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1932-61-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/1932-63-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download