ec1c88877b2cc43eb60442e94c46c2e1e100582251e9a545a0ba9df1d5692fa3

General

Target

VBS_ae2d789d5592459429702cd490a2bf16.4
Sample

191122-1ysqefrxt2
SHA256

ec1c88877b2cc43eb60442e94c46c2e1e100582251e9a545a0ba9df1d5692fa3

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 1092	1088	WScript.exe	26
PID 1092 wrote to memory of 1972	1092	wscript.exe	27
PID 1972 wrote to memory of 1456	1972	wscript.exe	28
PID 1456 wrote to memory of 852	1456	wscript.exe	29
PID 852 wrote to memory of 1300	852	wscript.exe	30
PID 1300 wrote to memory of 1952	1300	wscript.exe	31
PID 1952 wrote to memory of 1784	1952	wscript.exe	32
PID 1784 wrote to memory of 832	1784	wscript.exe	33
PID 832 wrote to memory of 1324	832	wscript.exe	34
PID 1324 wrote to memory of 316	1324	wscript.exe	35
PID 316 wrote to memory of 752	316	wscript.exe	36
PID 752 wrote to memory of 1312	752	wscript.exe	37
PID 1312 wrote to memory of 1944	1312	wscript.exe	38
PID 1944 wrote to memory of 1276	1944	wscript.exe	39
PID 1276 wrote to memory of 288	1276	wscript.exe	40
PID 288 wrote to memory of 1384	288	wscript.exe	41
PID 1384 wrote to memory of 1316	1384	wscript.exe	42
PID 1316 wrote to memory of 1948	1316	wscript.exe	43
PID 1948 wrote to memory of 2020	1948	wscript.exe	44
PID 2020 wrote to memory of 1536	2020	wscript.exe	45
PID 1536 wrote to memory of 1928	1536	wscript.exe	46
PID 1928 wrote to memory of 736	1928	wscript.exe	47
PID 736 wrote to memory of 1940	736	wscript.exe	48
PID 1940 wrote to memory of 2028	1940	wscript.exe	49

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-15-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/316-10-0x00000000029E0000-0x00000000029E4000-memory.dmp

Filesize
16KB

Download
memory/736-22-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/752-11-0x0000000002930000-0x0000000002934000-memory.dmp

Filesize
16KB

Download
memory/832-8-0x0000000002710000-0x0000000002714000-memory.dmp

Filesize
16KB

Download
memory/852-4-0x00000000029F0000-0x00000000029F4000-memory.dmp

Filesize
16KB

Download
memory/1088-0-0x00000000027D0000-0x00000000027D4000-memory.dmp

Filesize
16KB

Download
memory/1092-1-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/1276-14-0x0000000002850000-0x0000000002854000-memory.dmp

Filesize
16KB

Download
memory/1300-5-0x00000000027D0000-0x00000000027D4000-memory.dmp

Filesize
16KB

Download
memory/1312-12-0x00000000029E0000-0x00000000029E4000-memory.dmp

Filesize
16KB

Download
memory/1316-17-0x0000000002960000-0x0000000002964000-memory.dmp

Filesize
16KB

Download
memory/1324-9-0x00000000029F0000-0x00000000029F4000-memory.dmp

Filesize
16KB

Download
memory/1384-16-0x00000000027B0000-0x00000000027B4000-memory.dmp

Filesize
16KB

Download
memory/1456-3-0x0000000002990000-0x0000000002994000-memory.dmp

Filesize
16KB

Download
memory/1536-20-0x00000000029E0000-0x00000000029E4000-memory.dmp

Filesize
16KB

Download
memory/1784-7-0x00000000029C0000-0x00000000029C4000-memory.dmp

Filesize
16KB

Download
memory/1928-21-0x0000000002990000-0x0000000002994000-memory.dmp

Filesize
16KB

Download
memory/1940-23-0x0000000002790000-0x0000000002794000-memory.dmp

Filesize
16KB

Download
memory/1944-13-0x0000000002900000-0x0000000002904000-memory.dmp

Filesize
16KB

Download
memory/1948-18-0x0000000002A30000-0x0000000002A34000-memory.dmp

Filesize
16KB

Download
memory/1952-6-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/1972-2-0x0000000002800000-0x0000000002804000-memory.dmp

Filesize
16KB

Download
memory/2020-19-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads