b61dc0a8f7b623a442a91b436a043164fe52d4bf0b23de44377e8139cbf095da

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

run.vbs
Size

1KB
MD5

591c4c5bc71250e1c02a46617ad9347d
SHA1

37615bf7bc38b5dc32888c5938e19a99abafba44
SHA256

b61dc0a8f7b623a442a91b436a043164fe52d4bf0b23de44377e8139cbf095da
SHA512

d95a2c26a74a49a9688cc307edbe0d1619f040a2a28e26b029f6a1bb5bd5cb12d11e1cd76b8b4396311164f1dac56a1ccceee5f97bc344462f70c39fdb0cedcb

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2992	2324	WScript.exe	28
PID 2324 wrote to memory of 2992	2324	WScript.exe	28
PID 2324 wrote to memory of 2992	2324	WScript.exe	28
PID 2992 wrote to memory of 2648	2992	WScript.exe	29
PID 2992 wrote to memory of 2648	2992	WScript.exe	29
PID 2992 wrote to memory of 2648	2992	WScript.exe	29
PID 2648 wrote to memory of 1472	2648	WScript.exe	30
PID 2648 wrote to memory of 1472	2648	WScript.exe	30
PID 2648 wrote to memory of 1472	2648	WScript.exe	30
PID 1472 wrote to memory of 2444	1472	WScript.exe	31
PID 1472 wrote to memory of 2444	1472	WScript.exe	31
PID 1472 wrote to memory of 2444	1472	WScript.exe	31
PID 2444 wrote to memory of 2532	2444	WScript.exe	32
PID 2444 wrote to memory of 2532	2444	WScript.exe	32
PID 2444 wrote to memory of 2532	2444	WScript.exe	32
PID 2532 wrote to memory of 2496	2532	WScript.exe	33
PID 2532 wrote to memory of 2496	2532	WScript.exe	33
PID 2532 wrote to memory of 2496	2532	WScript.exe	33
PID 2496 wrote to memory of 1668	2496	WScript.exe	34
PID 2496 wrote to memory of 1668	2496	WScript.exe	34
PID 2496 wrote to memory of 1668	2496	WScript.exe	34
PID 1668 wrote to memory of 2676	1668	WScript.exe	35
PID 1668 wrote to memory of 2676	1668	WScript.exe	35
PID 1668 wrote to memory of 2676	1668	WScript.exe	35
PID 2676 wrote to memory of 2788	2676	WScript.exe	36
PID 2676 wrote to memory of 2788	2676	WScript.exe	36
PID 2676 wrote to memory of 2788	2676	WScript.exe	36
PID 2788 wrote to memory of 1764	2788	WScript.exe	37
PID 2788 wrote to memory of 1764	2788	WScript.exe	37
PID 2788 wrote to memory of 1764	2788	WScript.exe	37
PID 1764 wrote to memory of 2304	1764	WScript.exe	38
PID 1764 wrote to memory of 2304	1764	WScript.exe	38
PID 1764 wrote to memory of 2304	1764	WScript.exe	38
PID 2304 wrote to memory of 1204	2304	WScript.exe	39
PID 2304 wrote to memory of 1204	2304	WScript.exe	39
PID 2304 wrote to memory of 1204	2304	WScript.exe	39
PID 1204 wrote to memory of 1244	1204	WScript.exe	40
PID 1204 wrote to memory of 1244	1204	WScript.exe	40
PID 1204 wrote to memory of 1244	1204	WScript.exe	40
PID 1244 wrote to memory of 2244	1244	WScript.exe	41
PID 1244 wrote to memory of 2244	1244	WScript.exe	41
PID 1244 wrote to memory of 2244	1244	WScript.exe	41
PID 2244 wrote to memory of 2092	2244	WScript.exe	42
PID 2244 wrote to memory of 2092	2244	WScript.exe	42
PID 2244 wrote to memory of 2092	2244	WScript.exe	42
PID 2092 wrote to memory of 2780	2092	WScript.exe	43
PID 2092 wrote to memory of 2780	2092	WScript.exe	43
PID 2092 wrote to memory of 2780	2092	WScript.exe	43
PID 2780 wrote to memory of 704	2780	WScript.exe	44
PID 2780 wrote to memory of 704	2780	WScript.exe	44
PID 2780 wrote to memory of 704	2780	WScript.exe	44
PID 704 wrote to memory of 1052	704	WScript.exe	45
PID 704 wrote to memory of 1052	704	WScript.exe	45
PID 704 wrote to memory of 1052	704	WScript.exe	45
PID 1052 wrote to memory of 1796	1052	WScript.exe	46
PID 1052 wrote to memory of 1796	1052	WScript.exe	46
PID 1052 wrote to memory of 1796	1052	WScript.exe	46
PID 1796 wrote to memory of 1996	1796	WScript.exe	47
PID 1796 wrote to memory of 1996	1796	WScript.exe	47
PID 1796 wrote to memory of 1996	1796	WScript.exe	47
PID 1996 wrote to memory of 1460	1996	WScript.exe	48
PID 1996 wrote to memory of 1460	1996	WScript.exe	48
PID 1996 wrote to memory of 1460	1996	WScript.exe	48
PID 1460 wrote to memory of 1520	1460	WScript.exe	49

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_run.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_run.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_run.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1472
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        23⤵
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        24⤵
        
        PID:1744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        25⤵
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        26⤵
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        27⤵
        
        PID:1004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_Copy_of_run.vbs"
        28⤵
        
        PID:1432

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Copy_of_run.vbs

Filesize
1KB

MD5
591c4c5bc71250e1c02a46617ad9347d

SHA1
37615bf7bc38b5dc32888c5938e19a99abafba44

SHA256
b61dc0a8f7b623a442a91b436a043164fe52d4bf0b23de44377e8139cbf095da

SHA512
d95a2c26a74a49a9688cc307edbe0d1619f040a2a28e26b029f6a1bb5bd5cb12d11e1cd76b8b4396311164f1dac56a1ccceee5f97bc344462f70c39fdb0cedcb

Download Submit