3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

General

Target

VBS_ed167804673b6f89dc6657e71ae971c4.17
Sample

191122-az4s71kl4j
SHA256

3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1104	1336	WScript.exe	27
PID 1104 wrote to memory of 1952	1104	wscript.exe	28
PID 1952 wrote to memory of 1308	1952	wscript.exe	29
PID 1308 wrote to memory of 740	1308	wscript.exe	30
PID 740 wrote to memory of 1804	740	wscript.exe	31
PID 1804 wrote to memory of 1108	1804	wscript.exe	32
PID 1108 wrote to memory of 736	1108	wscript.exe	33
PID 736 wrote to memory of 1948	736	wscript.exe	34
PID 1948 wrote to memory of 792	1948	wscript.exe	35
PID 792 wrote to memory of 1304	792	wscript.exe	36
PID 1304 wrote to memory of 2008	1304	wscript.exe	37
PID 2008 wrote to memory of 1080	2008	wscript.exe	38
PID 1080 wrote to memory of 1496	1080	wscript.exe	39
PID 1496 wrote to memory of 1256	1496	wscript.exe	40
PID 1256 wrote to memory of 1816	1256	wscript.exe	41
PID 1816 wrote to memory of 2012	1816	wscript.exe	42
PID 2012 wrote to memory of 1100	2012	wscript.exe	43
PID 1100 wrote to memory of 1372	1100	wscript.exe	44
PID 1372 wrote to memory of 1760	1372	wscript.exe	45
PID 1760 wrote to memory of 796	1760	wscript.exe	46
PID 796 wrote to memory of 2044	796	wscript.exe	47
PID 2044 wrote to memory of 1944	2044	wscript.exe	48
PID 1944 wrote to memory of 1264	1944	wscript.exe	49
PID 1264 wrote to memory of 1444	1264	wscript.exe	50

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-4-0x0000000002800000-0x0000000002804000-memory.dmp

Filesize
16KB

Download
memory/792-8-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/796-19-0x0000000002900000-0x0000000002904000-memory.dmp

Filesize
16KB

Download
memory/1080-11-0x0000000002840000-0x0000000002844000-memory.dmp

Filesize
16KB

Download
memory/1100-16-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/1104-1-0x0000000002980000-0x0000000002984000-memory.dmp

Filesize
16KB

Download
memory/1108-6-0x00000000026F0000-0x00000000026F4000-memory.dmp

Filesize
16KB

Download
memory/1256-13-0x0000000002920000-0x0000000002924000-memory.dmp

Filesize
16KB

Download
memory/1264-21-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/1304-9-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/1308-3-0x00000000028F0000-0x00000000028F4000-memory.dmp

Filesize
16KB

Download
memory/1336-0-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download
memory/1372-17-0x0000000002A20000-0x0000000002A24000-memory.dmp

Filesize
16KB

Download
memory/1496-12-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download
memory/1760-18-0x00000000028E0000-0x00000000028E4000-memory.dmp

Filesize
16KB

Download
memory/1804-5-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/1816-14-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/1948-7-0x0000000002810000-0x0000000002814000-memory.dmp

Filesize
16KB

Download
memory/1952-2-0x0000000002810000-0x0000000002814000-memory.dmp

Filesize
16KB

Download
memory/2008-10-0x00000000028E0000-0x00000000028E4000-memory.dmp

Filesize
16KB

Download
memory/2012-15-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/2044-20-0x00000000027B0000-0x00000000027B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads