dbe0264fd8e76e8670cfbf5c66b414785a2b9658b0c0a7904db20e72539fb8d6

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 08:41

Target

code.vbs
Size

87B
MD5

43b11db409975f300f3f7197851d8c3b
SHA1

c44d1c5dc8c91af2840aa184f5b59b37373dd405
SHA256

dbe0264fd8e76e8670cfbf5c66b414785a2b9658b0c0a7904db20e72539fb8d6
SHA512

43355d3b6ecd4fa531fac193be6bce85f484906d3b158d962ffea5bea59868109a860820bf186961d215ed553d116d2900d670d5b09405a6be0593bf4416b256

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1628	2340	WScript.exe	28
PID 2340 wrote to memory of 1628	2340	WScript.exe	28
PID 2340 wrote to memory of 1628	2340	WScript.exe	28

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c del C:\Windows\System32
  2⤵
  PID:1628

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact