Analysis Overview
SHA256
4a929263e46f217558b7085c3b62527408a58dbfa94f53405eb10c2546bf93dd
Threat Level: Known bad
The file Accelya NDC SPRK Platform.vbs was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Enumerates physical storage devices
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:17
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:17
Reported
2024-08-25 09:19
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
103s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
Enumerates physical storage devices
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Accelya NDC SPRK Platform.vbs"
C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\Accelya NDC SPRK Platform.vbs.exe" /Y
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Accelya NDC SPRK Platform.vbs.exe
| MD5 | c32ca4acfcc635ec1ea6ed8a34df5fac |
| SHA1 | f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919 |
| SHA256 | 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70 |
| SHA512 | 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:17
Reported
2024-08-25 09:19
Platform
win7-20240704-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\cmd.exe |
Enumerates physical storage devices
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Accelya NDC SPRK Platform.vbs"
C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\Accelya NDC SPRK Platform.vbs.exe" /Y
Network
Files
C:\Users\Admin\AppData\Local\Temp\Accelya NDC SPRK Platform.vbs.exe
| MD5 | 92f44e405db16ac55d97e3bfe3b132fa |
| SHA1 | 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d |
| SHA256 | 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 |
| SHA512 | f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f |