Analysis
-
max time kernel
131s -
max time network
153s -
resource
win10v191014
Task
task1
Sample
VBS_ed167804673b6f89dc6657e71ae971c4.5.zip
Resource
win7v191014
0 signatures
Task
task2
Sample
VBS_ed167804673b6f89dc6657e71ae971c4.5.zip
Resource
win10v191014
0 signatures
Task
task3
Sample
document4753.vbe.vbs
Resource
win7v191014
0 signatures
Task
task4
Sample
document4753.vbe.vbs
Resource
win10v191014
0 signatures
General
-
Target
VBS_ed167804673b6f89dc6657e71ae971c4.5
-
Sample
191122-n88djy4w9x
-
SHA256
3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321
Score
N/A
Malware Config
Signatures
-
Drops file in system dir 5 IoCs
description ioc pid Process File opened for modification C:\Windows\Debug\ESE.TXT 4516 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 4516 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp 4516 svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 4516 svchost.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp 4516 svchost.exe -
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description ioc pid Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer 4212 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName 4212 svchost.exe -
description ioc pid Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" 4864 svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" 4864 svchost.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4944 wrote to memory of 5004 4944 WScript.exe 72 PID 5004 wrote to memory of 5084 5004 wscript.exe 73 PID 5084 wrote to memory of 1788 5084 wscript.exe 74 PID 1788 wrote to memory of 1804 1788 wscript.exe 75 PID 1804 wrote to memory of 3056 1804 wscript.exe 76 PID 3056 wrote to memory of 4080 3056 wscript.exe 77 PID 4080 wrote to memory of 3704 4080 wscript.exe 78 PID 3704 wrote to memory of 4528 3704 wscript.exe 79 PID 4528 wrote to memory of 4636 4528 wscript.exe 80 PID 4636 wrote to memory of 1544 4636 wscript.exe 81 PID 1544 wrote to memory of 4684 1544 wscript.exe 82 PID 4684 wrote to memory of 4328 4684 wscript.exe 84 PID 4328 wrote to memory of 4212 4328 wscript.exe 85 PID 4212 wrote to memory of 2940 4212 wscript.exe 86 PID 2940 wrote to memory of 4176 2940 wscript.exe 87 PID 4176 wrote to memory of 4112 4176 wscript.exe 88 PID 4112 wrote to memory of 2684 4112 wscript.exe 89 PID 2684 wrote to memory of 4908 2684 wscript.exe 90 PID 4908 wrote to memory of 4828 4908 wscript.exe 91 PID 4828 wrote to memory of 4596 4828 wscript.exe 92 PID 4596 wrote to memory of 4984 4596 wscript.exe 93 PID 4984 wrote to memory of 5076 4984 wscript.exe 94 PID 5060 wrote to memory of 5096 5060 SppExtComObj.exe 96 PID 5076 wrote to memory of 408 5076 wscript.exe 97 PID 408 wrote to memory of 4228 408 wscript.exe 98
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs"1⤵
- Suspicious use of WriteProcessMemory
PID:4944
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___-1⤵
- Suspicious use of WriteProcessMemory
PID:5004
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:5084
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1788
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1804
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:3056
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4080
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:3704
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4528
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4636
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:1544
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4684
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4328
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4212
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:2940
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4176
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4112
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:2684
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4908
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4828
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4596
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:4984
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:5076
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
- Suspicious use of WriteProcessMemory
PID:5060
-
C:\Windows\System32\SLUI.exe"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent1⤵PID:5096
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵
- Suspicious use of WriteProcessMemory
PID:408
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-1⤵PID:4228
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Drops file in system dir
PID:4516
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵PID:3212
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DoSvc1⤵
- Checks system information in the registry (likely anti-VM)
PID:4212
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup1⤵PID:4100
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc1⤵
- Windows security modification
PID:4864
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089