Analysis
-
max time kernel
128s -
max time network
153s -
resource
win10v191014
Task
task1
Sample
VBS_ae2d789d5592459429702cd490a2bf16.4.zip
Resource
win7v191014
0 signatures
Task
task2
Sample
VBS_ae2d789d5592459429702cd490a2bf16.4.zip
Resource
win10v191014
0 signatures
Task
task3
Sample
document7806.vbe.vbs
Resource
win7v191014
0 signatures
Task
task4
Sample
document7806.vbe.vbs
Resource
win10v191014
0 signatures
General
-
Target
VBS_ae2d789d5592459429702cd490a2bf16.4
-
Sample
191122-1gtyphwx9s
-
SHA256
ec1c88877b2cc43eb60442e94c46c2e1e100582251e9a545a0ba9df1d5692fa3
Score
N/A
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4960 wrote to memory of 5016 4960 WScript.exe 71 PID 5016 wrote to memory of 4232 5016 wscript.exe 74 PID 4232 wrote to memory of 332 4232 wscript.exe 75 PID 332 wrote to memory of 1804 332 wscript.exe 76 PID 1804 wrote to memory of 4500 1804 wscript.exe 77 PID 4500 wrote to memory of 3724 4500 wscript.exe 78 PID 3724 wrote to memory of 3788 3724 wscript.exe 79 PID 3788 wrote to memory of 4644 3788 wscript.exe 80 PID 4644 wrote to memory of 4664 4644 wscript.exe 81 PID 4664 wrote to memory of 4680 4664 wscript.exe 82 PID 4680 wrote to memory of 4376 4680 wscript.exe 83 PID 4376 wrote to memory of 64 4376 wscript.exe 84 PID 64 wrote to memory of 4208 64 wscript.exe 85 PID 4208 wrote to memory of 4220 4208 wscript.exe 86 PID 4220 wrote to memory of 2896 4220 wscript.exe 87 PID 2896 wrote to memory of 4812 2896 wscript.exe 88 PID 4812 wrote to memory of 712 4812 wscript.exe 89 PID 712 wrote to memory of 2608 712 wscript.exe 90 PID 2608 wrote to memory of 4832 2608 wscript.exe 91 PID 4832 wrote to memory of 4596 4832 wscript.exe 92 PID 4596 wrote to memory of 5000 4596 wscript.exe 93 PID 5000 wrote to memory of 5056 5000 wscript.exe 94 PID 5056 wrote to memory of 2840 5056 wscript.exe 96 PID 1876 wrote to memory of 1600 1876 SppExtComObj.exe 97 PID 2840 wrote to memory of 4532 2840 wscript.exe 98 -
Drops file in system dir 5 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 3872 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3872 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 3872 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3872 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 3872 svchost.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4164 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4164 svchost.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 3772 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 3772 svchost.exe
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:4960
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___-1⤵
- Suspicious use of WriteProcessMemory
PID:5016
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4232
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:332
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1804
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4500
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:3724
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:3788
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4644
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4664
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4680
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4376
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:64
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4208
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4220
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:2896
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4812
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:712
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:2608
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4832
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4596
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:5000
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:5056
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:1876
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:2840
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:1600
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵PID:4532
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:3872
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:4644
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4164
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:788
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:3772
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089