ec1c88877b2cc43eb60442e94c46c2e1e100582251e9a545a0ba9df1d5692fa3

General

Target

VBS_ae2d789d5592459429702cd490a2bf16.12
Sample

191122-62g8tz5a6j
SHA256

ec1c88877b2cc43eb60442e94c46c2e1e100582251e9a545a0ba9df1d5692fa3

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1388	2044	WScript.exe	26
PID 1388 wrote to memory of 1444	1388	wscript.exe	27
PID 1444 wrote to memory of 1092	1444	wscript.exe	28
PID 1092 wrote to memory of 1972	1092	wscript.exe	29
PID 1972 wrote to memory of 796	1972	wscript.exe	30
PID 796 wrote to memory of 2020	796	wscript.exe	31
PID 2020 wrote to memory of 2008	2020	wscript.exe	32
PID 2008 wrote to memory of 1200	2008	wscript.exe	33
PID 1200 wrote to memory of 1104	1200	wscript.exe	34
PID 1104 wrote to memory of 1980	1104	wscript.exe	35
PID 1980 wrote to memory of 1992	1980	wscript.exe	36
PID 1992 wrote to memory of 280	1992	wscript.exe	37
PID 280 wrote to memory of 1936	280	wscript.exe	38
PID 1936 wrote to memory of 1168	1936	wscript.exe	39
PID 1168 wrote to memory of 1712	1168	wscript.exe	40
PID 1712 wrote to memory of 276	1712	wscript.exe	41
PID 276 wrote to memory of 556	276	wscript.exe	42
PID 556 wrote to memory of 1904	556	wscript.exe	43
PID 1904 wrote to memory of 840	1904	wscript.exe	44
PID 840 wrote to memory of 1332	840	wscript.exe	45
PID 1332 wrote to memory of 1960	1332	wscript.exe	46
PID 1960 wrote to memory of 2016	1960	wscript.exe	47
PID 2016 wrote to memory of 2012	2016	wscript.exe	48
PID 2012 wrote to memory of 1204	2012	wscript.exe	49

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/276-16-0x0000000002820000-0x0000000002824000-memory.dmp

Filesize
16KB

Download
memory/280-12-0x0000000002890000-0x0000000002894000-memory.dmp

Filesize
16KB

Download
memory/556-17-0x0000000002840000-0x0000000002844000-memory.dmp

Filesize
16KB

Download
memory/796-5-0x0000000002930000-0x0000000002934000-memory.dmp

Filesize
16KB

Download
memory/840-19-0x0000000002960000-0x0000000002964000-memory.dmp

Filesize
16KB

Download
memory/1092-3-0x0000000002890000-0x0000000002894000-memory.dmp

Filesize
16KB

Download
memory/1104-9-0x00000000027B0000-0x00000000027B4000-memory.dmp

Filesize
16KB

Download
memory/1168-14-0x0000000002A30000-0x0000000002A34000-memory.dmp

Filesize
16KB

Download
memory/1200-8-0x0000000002990000-0x0000000002994000-memory.dmp

Filesize
16KB

Download
memory/1332-20-0x0000000002A10000-0x0000000002A14000-memory.dmp

Filesize
16KB

Download
memory/1388-1-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/1444-2-0x0000000002920000-0x0000000002924000-memory.dmp

Filesize
16KB

Download
memory/1712-15-0x0000000002AC0000-0x0000000002AC4000-memory.dmp

Filesize
16KB

Download
memory/1904-18-0x0000000002900000-0x0000000002904000-memory.dmp

Filesize
16KB

Download
memory/1936-13-0x0000000002A30000-0x0000000002A34000-memory.dmp

Filesize
16KB

Download
memory/1960-21-0x0000000002870000-0x0000000002874000-memory.dmp

Filesize
16KB

Download
memory/1972-4-0x0000000002960000-0x0000000002964000-memory.dmp

Filesize
16KB

Download
memory/1980-10-0x0000000002900000-0x0000000002904000-memory.dmp

Filesize
16KB

Download
memory/1992-11-0x00000000028B0000-0x00000000028B4000-memory.dmp

Filesize
16KB

Download
memory/2008-7-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/2012-23-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/2016-22-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/2020-6-0x0000000002870000-0x0000000002874000-memory.dmp

Filesize
16KB

Download
memory/2044-0-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads