ec1c88877b2cc43eb60442e94c46c2e1e100582251e9a545a0ba9df1d5692fa3

General

Target

VBS_ae2d789d5592459429702cd490a2bf16.14
Sample

191122-7jpbbscq92
SHA256

ec1c88877b2cc43eb60442e94c46c2e1e100582251e9a545a0ba9df1d5692fa3

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1236	1124	WScript.exe	26
PID 1236 wrote to memory of 880	1236	wscript.exe	27
PID 880 wrote to memory of 1988	880	wscript.exe	28
PID 1988 wrote to memory of 1964	1988	wscript.exe	29
PID 1964 wrote to memory of 1916	1964	wscript.exe	30
PID 1916 wrote to memory of 1852	1916	wscript.exe	31
PID 1852 wrote to memory of 2008	1852	wscript.exe	32
PID 2008 wrote to memory of 1452	2008	wscript.exe	33
PID 1452 wrote to memory of 836	1452	wscript.exe	34
PID 836 wrote to memory of 1912	836	wscript.exe	35
PID 1912 wrote to memory of 1860	1912	wscript.exe	36
PID 1860 wrote to memory of 2036	1860	wscript.exe	37
PID 2036 wrote to memory of 792	2036	wscript.exe	38
PID 792 wrote to memory of 1508	792	wscript.exe	39
PID 1508 wrote to memory of 1984	1508	wscript.exe	40
PID 1984 wrote to memory of 2020	1984	wscript.exe	41
PID 2020 wrote to memory of 1108	2020	wscript.exe	42
PID 1108 wrote to memory of 2016	1108	wscript.exe	43
PID 2016 wrote to memory of 1612	2016	wscript.exe	44
PID 1612 wrote to memory of 2028	1612	wscript.exe	45
PID 2028 wrote to memory of 1384	2028	wscript.exe	46
PID 1384 wrote to memory of 1016	1384	wscript.exe	47
PID 1016 wrote to memory of 1128	1016	wscript.exe	48
PID 1128 wrote to memory of 1588	1128	wscript.exe	49

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document7806.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:1588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-13-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/836-9-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/880-2-0x00000000029B0000-0x00000000029B4000-memory.dmp

Filesize
16KB

Download
memory/1016-22-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download
memory/1108-17-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/1124-0-0x0000000002A20000-0x0000000002A24000-memory.dmp

Filesize
16KB

Download
memory/1128-23-0x0000000002810000-0x0000000002814000-memory.dmp

Filesize
16KB

Download
memory/1236-1-0x0000000002940000-0x0000000002944000-memory.dmp

Filesize
16KB

Download
memory/1384-21-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/1452-8-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/1508-14-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/1612-19-0x0000000002920000-0x0000000002924000-memory.dmp

Filesize
16KB

Download
memory/1852-6-0x0000000002890000-0x0000000002894000-memory.dmp

Filesize
16KB

Download
memory/1860-11-0x0000000002740000-0x0000000002744000-memory.dmp

Filesize
16KB

Download
memory/1912-10-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download
memory/1916-5-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/1964-4-0x0000000002960000-0x0000000002964000-memory.dmp

Filesize
16KB

Download
memory/1984-15-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download
memory/1988-3-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/2008-7-0x0000000002970000-0x0000000002974000-memory.dmp

Filesize
16KB

Download
memory/2016-18-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/2020-16-0x0000000002760000-0x0000000002764000-memory.dmp

Filesize
16KB

Download
memory/2028-20-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/2036-12-0x0000000002700000-0x0000000002704000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads