e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62

Resubmissions

21-04-2024 20:52

19-04-2024 15:44

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-04-2024 20:52

Target

FA Installer.bat
Size

42KB
MD5

ac48f9875234a4e5649d152672903198
SHA1

6795362296194a79770a385a1a81efa89c6fe203
SHA256

e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62
SHA512

b5a8cf484eca8afde45a78b6768970a3ccd9f4731f4f9a227ac22e02cb3c9c158c8221c136fef191ce9967b2b4bc8c7f4aa6a4310e04dc5e3e5b8b7fc712df44
SSDEEP

768:lnwnjP9zogqnrT9AHuhUcKhnuxGTBmF5p8yJVS5LTf+iA0:FI89nf9tUc+nuxGIFwyKhTf+r0

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 2140	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2140	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2140	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2672	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2672	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2672	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2724	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2724	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2724	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2560	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2560	1752	cmd.exe	WScript.exe
PID 1752 wrote to memory of 2560	1752	cmd.exe	WScript.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\FA Installer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo4.vbs"
  2⤵
  PID:2140
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo3.vbs"
  2⤵
  PID:2672
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo2.vbs"
  2⤵
  PID:2724
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo1.vbs"
  2⤵
  PID:2560

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\FA_Antivira\FAinfo1.vbs

Filesize
84B

MD5
fad7cd2a49837444cde4548abdf478b6

SHA1
376a4ff6acc6ca44f2b660286633c5a31eddd764

SHA256
9c08b7d014ab766305e4525478bf8a1bc2f8cbe4f04aedf38f7daa0660ba3cda

SHA512
287223fdf6ec6347c37b51fc7913ab8931d1fe87c03fae93e1cf8bcacf1b4a2dc13605b08506a0299e5536fac5b02fc15ab387781b5b16873ea3c686daa81cc5

Download Submit
C:\FA_Antivira\FAinfo2.vbs

Filesize
87B

MD5
5a1fc5e5db483c5926a50ee931581cd9

SHA1
419644277a92e109d4ce6739a0d5e2d0ba8f2d42

SHA256
0f79e391fe889e01a6ef37619023af6672e98f1551753a10021efda8dee607ab

SHA512
0351928a53a5586c560e8155d99eb1838c873cbc2b554ae25c6be1433cdae41cea7508b60c016e23e0d2687d99bcc96066bc72f15c1ffb922f348f81e044c240

Download Submit
C:\FA_Antivira\FAinfo3.vbs

Filesize
71B

MD5
a61c87927d31edff281df2818dde924d

SHA1
f076867cb0411e0c584f2f9052d4c1e550cd53b7

SHA256
9220b169c1f0179caa92218990b05bc48cf75c9c36d4e45dd1c2b5f973910517

SHA512
ce5c730e3dea3c9b1a565b02925ca95ee0c50abfe15a5a8a43c21b4cb7daedd1b582ebf264dba5d7dc3fad98e1014e0557a810baa111e83596ecd22fde8fc970

Download Submit
C:\FA_Antivira\FAinfo4.vbs

Filesize
97B

MD5
d912098669bc85cc04cccf0248617120

SHA1
a817741d0ce4427cf0a0fceb7ba483972789fc60

SHA256
e044130f2e60f76a963f3e903af9d077f0ff1a8437d1c7d52ff42345e7e28422

SHA512
578127a4aedf65bb415602b08c16c29724a874b35a40dce0e116b4bf6daf513e8a511f3aed2cee8756efd45ee9245a34381433abbef91ab3908859f47f013a48

Download Submit