d22ab4549b9f1a6ccdbb3371ab2e39b762ecfd34b1f9b022ae0ccc29b8709d2e

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 03:18

Target

FL-674681.vbs
Size

3KB
MD5

cab106d7952a5c11aef886e3f6f692b3
SHA1

9e0e0fab2abb794571ea9bd6b57e5daca3908ff7
SHA256

f114827bc079cf5a923f7e3ad74ef399aedf0225d23ea7039a3dd68866664340
SHA512

6f1f0b79ac0d5b1c7cf339eede9c4c22c63d6673e83bff040827cb09d94083dbb86898442c474bdf713de2fdda98fac7c893ab7d520cd6c8edb0c1c7c1561993

Score

8^/10

Blocklisted process makes network request 6 IoCs

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2360	2464	WScript.exe	28
PID 2464 wrote to memory of 2360	2464	WScript.exe	28
PID 2464 wrote to memory of 2360	2464	WScript.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FL-674681.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c call "C:\Users\Admin\AppData\Local\Temp\CxmWrBPhdmn.exe"
  2⤵
  PID:2360

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact