3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

General

Target

VBS_ed167804673b6f89dc6657e71ae971c4.13
Sample

191122-1ngfgl7man
SHA256

3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1820	1992	WScript.exe	26
PID 1820 wrote to memory of 1896	1820	wscript.exe	27
PID 1896 wrote to memory of 2016	1896	wscript.exe	28
PID 2016 wrote to memory of 1936	2016	wscript.exe	29
PID 1936 wrote to memory of 1812	1936	wscript.exe	30
PID 1812 wrote to memory of 1928	1812	wscript.exe	31
PID 1928 wrote to memory of 1452	1928	wscript.exe	32
PID 1452 wrote to memory of 1448	1452	wscript.exe	33
PID 1448 wrote to memory of 1104	1448	wscript.exe	34
PID 1104 wrote to memory of 928	1104	wscript.exe	35
PID 928 wrote to memory of 860	928	wscript.exe	36
PID 860 wrote to memory of 1460	860	wscript.exe	37
PID 1460 wrote to memory of 1376	1460	wscript.exe	38
PID 1376 wrote to memory of 924	1376	wscript.exe	39
PID 924 wrote to memory of 2040	924	wscript.exe	40
PID 2040 wrote to memory of 756	2040	wscript.exe	41
PID 756 wrote to memory of 1924	756	wscript.exe	42
PID 1924 wrote to memory of 1960	1924	wscript.exe	43
PID 1960 wrote to memory of 1964	1960	wscript.exe	44
PID 1964 wrote to memory of 1120	1964	wscript.exe	45
PID 1120 wrote to memory of 1796	1120	wscript.exe	46
PID 1796 wrote to memory of 1932	1796	wscript.exe	47
PID 1932 wrote to memory of 1344	1932	wscript.exe	48
PID 1344 wrote to memory of 1132	1344	wscript.exe	49

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:1132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-16-0x0000000002850000-0x0000000002854000-memory.dmp

Filesize
16KB

Download
memory/860-11-0x00000000028E0000-0x00000000028E4000-memory.dmp

Filesize
16KB

Download
memory/924-14-0x0000000002A40000-0x0000000002A44000-memory.dmp

Filesize
16KB

Download
memory/928-10-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/1104-9-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/1120-20-0x0000000002820000-0x0000000002824000-memory.dmp

Filesize
16KB

Download
memory/1344-23-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1376-13-0x0000000002920000-0x0000000002924000-memory.dmp

Filesize
16KB

Download
memory/1448-8-0x0000000002900000-0x0000000002904000-memory.dmp

Filesize
16KB

Download
memory/1452-7-0x0000000002800000-0x0000000002804000-memory.dmp

Filesize
16KB

Download
memory/1460-12-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/1796-21-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/1812-5-0x00000000029F0000-0x00000000029F4000-memory.dmp

Filesize
16KB

Download
memory/1820-1-0x0000000002870000-0x0000000002874000-memory.dmp

Filesize
16KB

Download
memory/1896-2-0x00000000027A0000-0x00000000027A4000-memory.dmp

Filesize
16KB

Download
memory/1924-17-0x0000000002820000-0x0000000002824000-memory.dmp

Filesize
16KB

Download
memory/1928-6-0x0000000002800000-0x0000000002804000-memory.dmp

Filesize
16KB

Download
memory/1932-22-0x0000000002820000-0x0000000002824000-memory.dmp

Filesize
16KB

Download
memory/1936-4-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/1960-18-0x0000000002980000-0x0000000002984000-memory.dmp

Filesize
16KB

Download
memory/1964-19-0x0000000002890000-0x0000000002894000-memory.dmp

Filesize
16KB

Download
memory/1992-0-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/2016-3-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download
memory/2040-15-0x0000000002A60000-0x0000000002A64000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads