Analysis
-
max time kernel
110s -
max time network
120s -
resource
win7v191014
Task
task1
Sample
VBS_ae2d789d5592459429702cd490a2bf16.6.zip
Resource
win7v191014
0 signatures
Task
task2
Sample
VBS_ae2d789d5592459429702cd490a2bf16.6.zip
Resource
win10v191014
0 signatures
Task
task3
Sample
document7806.vbe.vbs
Resource
win7v191014
0 signatures
Task
task4
Sample
document7806.vbe.vbs
Resource
win10v191014
0 signatures
General
-
Target
VBS_ae2d789d5592459429702cd490a2bf16.6
-
Sample
191122-542c13s88x
-
SHA256
ec1c88877b2cc43eb60442e94c46c2e1e100582251e9a545a0ba9df1d5692fa3
Score
N/A
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 2032 wrote to memory of 1192 2032 WScript.exe 26 PID 1192 wrote to memory of 1364 1192 wscript.exe 27 PID 1364 wrote to memory of 1504 1364 wscript.exe 28 PID 1504 wrote to memory of 1652 1504 wscript.exe 29 PID 1652 wrote to memory of 1888 1652 wscript.exe 30 PID 1888 wrote to memory of 1072 1888 wscript.exe 31 PID 1072 wrote to memory of 752 1072 wscript.exe 32 PID 752 wrote to memory of 1996 752 wscript.exe 33 PID 1996 wrote to memory of 1752 1996 wscript.exe 34 PID 1752 wrote to memory of 1892 1752 wscript.exe 35 PID 1892 wrote to memory of 1096 1892 wscript.exe 36 PID 1096 wrote to memory of 1008 1096 wscript.exe 37 PID 1008 wrote to memory of 2004 1008 wscript.exe 38 PID 2004 wrote to memory of 2040 2004 wscript.exe 39 PID 2040 wrote to memory of 304 2040 wscript.exe 40 PID 304 wrote to memory of 1236 304 wscript.exe 41 PID 1236 wrote to memory of 1300 1236 wscript.exe 42 PID 1300 wrote to memory of 112 1300 wscript.exe 43 PID 112 wrote to memory of 2000 112 wscript.exe 44 PID 2000 wrote to memory of 1900 2000 wscript.exe 45 PID 1900 wrote to memory of 1392 1900 wscript.exe 46 PID 1392 wrote to memory of 1320 1392 wscript.exe 47 PID 1320 wrote to memory of 316 1320 wscript.exe 48 PID 316 wrote to memory of 2008 316 wscript.exe 49
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:2032
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1192
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1364
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1504
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1652
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1888
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1072
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:752
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1996
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1752
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1892
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1096
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1008
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:2004
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:2040
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:304
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1236
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1300
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:112
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:2000
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1900
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1392
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1320
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:316
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵PID:2008