3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

General

Target

VBS_ed167804673b6f89dc6657e71ae971c4.11
Sample

191122-ep6h3neqqs
SHA256

3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1540	1124	WScript.exe	27
PID 1540 wrote to memory of 928	1540	wscript.exe	28
PID 928 wrote to memory of 760	928	wscript.exe	29
PID 760 wrote to memory of 1404	760	wscript.exe	30
PID 1404 wrote to memory of 2020	1404	wscript.exe	31
PID 2020 wrote to memory of 1204	2020	wscript.exe	32
PID 1204 wrote to memory of 1428	1204	wscript.exe	33
PID 1428 wrote to memory of 748	1428	wscript.exe	34
PID 748 wrote to memory of 460	748	wscript.exe	35
PID 460 wrote to memory of 2008	460	wscript.exe	36
PID 2008 wrote to memory of 1484	2008	wscript.exe	37
PID 1484 wrote to memory of 300	1484	wscript.exe	38
PID 300 wrote to memory of 756	300	wscript.exe	39
PID 756 wrote to memory of 2000	756	wscript.exe	40
PID 2000 wrote to memory of 1732	2000	wscript.exe	41
PID 1732 wrote to memory of 1940	1732	wscript.exe	42
PID 1940 wrote to memory of 1120	1940	wscript.exe	43
PID 1120 wrote to memory of 2004	1120	wscript.exe	44
PID 2004 wrote to memory of 1340	2004	wscript.exe	45
PID 1340 wrote to memory of 1948	1340	wscript.exe	46
PID 1948 wrote to memory of 620	1948	wscript.exe	47
PID 620 wrote to memory of 684	620	wscript.exe	48
PID 684 wrote to memory of 1972	684	wscript.exe	49
PID 1972 wrote to memory of 1144	1972	wscript.exe	50

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:1144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/300-12-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/460-9-0x0000000002720000-0x0000000002724000-memory.dmp

Filesize
16KB

Download
memory/620-21-0x0000000002830000-0x0000000002834000-memory.dmp

Filesize
16KB

Download
memory/684-22-0x0000000002940000-0x0000000002944000-memory.dmp

Filesize
16KB

Download
memory/748-8-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download
memory/756-13-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/760-3-0x00000000028B0000-0x00000000028B4000-memory.dmp

Filesize
16KB

Download
memory/928-2-0x00000000027D0000-0x00000000027D4000-memory.dmp

Filesize
16KB

Download
memory/1120-17-0x0000000002790000-0x0000000002794000-memory.dmp

Filesize
16KB

Download
memory/1124-0-0x0000000002840000-0x0000000002844000-memory.dmp

Filesize
16KB

Download
memory/1204-6-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1340-19-0x0000000002980000-0x0000000002984000-memory.dmp

Filesize
16KB

Download
memory/1404-4-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download
memory/1428-7-0x0000000002850000-0x0000000002854000-memory.dmp

Filesize
16KB

Download
memory/1484-11-0x00000000028F0000-0x00000000028F4000-memory.dmp

Filesize
16KB

Download
memory/1540-1-0x0000000002820000-0x0000000002824000-memory.dmp

Filesize
16KB

Download
memory/1732-15-0x00000000027D0000-0x00000000027D4000-memory.dmp

Filesize
16KB

Download
memory/1940-16-0x00000000026D0000-0x00000000026D4000-memory.dmp

Filesize
16KB

Download
memory/1948-20-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/2000-14-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/2004-18-0x0000000002880000-0x0000000002884000-memory.dmp

Filesize
16KB

Download
memory/2008-10-0x0000000002870000-0x0000000002874000-memory.dmp

Filesize
16KB

Download
memory/2020-5-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads