98a90912b0248bb92b56ef2d36dae84cedccee87342ac0342b571af44ccdf085

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
27/11/2023, 11:16

Target

brave.vbs
Size

4KB
MD5

b375f095bb00bcf3881929860a94c23b
SHA1

166d303afd6ee436ff78ac5b31ce12b6bfd5dd36
SHA256

fa37cc67fae3dc9ec9e14f11c08b4b9f83749f465770bed54969e867f78715d6
SHA512

6965ec1a64d911b9ef7298cb7f386d39a1c4fc105f0b0acb4f6cdf87d94d31af4208613047f7aa5d9275699854cd923feddb59f32b9131387609252ab09a45cc
SSDEEP

48:/XmDGg/zzzzzzzzzzzzA8K9ht8Q4OmWBhJWDyCnveaF:qK9ht8QQWu79F

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2572	2236	WScript.exe	28
PID 2236 wrote to memory of 2572	2236	WScript.exe	28
PID 2236 wrote to memory of 2572	2236	WScript.exe	28
PID 2572 wrote to memory of 2680	2572	net.exe	30
PID 2572 wrote to memory of 2680	2572	net.exe	30
PID 2572 wrote to memory of 2680	2572	net.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\brave.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\net.exe
  "C:\Windows\System32\net.exe" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2680

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact