3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

General

Target

VBS_ed167804673b6f89dc6657e71ae971c4.23
Sample

191122-n96x2y6d6j
SHA256

3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 620	1332	WScript.exe	26
PID 620 wrote to memory of 1740	620	wscript.exe	27
PID 1740 wrote to memory of 1260	1740	wscript.exe	28
PID 1260 wrote to memory of 2008	1260	wscript.exe	29
PID 2008 wrote to memory of 840	2008	wscript.exe	30
PID 840 wrote to memory of 1036	840	wscript.exe	31
PID 1036 wrote to memory of 1844	1036	wscript.exe	32
PID 1844 wrote to memory of 1436	1844	wscript.exe	33
PID 1436 wrote to memory of 1104	1436	wscript.exe	34
PID 1104 wrote to memory of 1968	1104	wscript.exe	35
PID 1968 wrote to memory of 1996	1968	wscript.exe	36
PID 1996 wrote to memory of 748	1996	wscript.exe	37
PID 748 wrote to memory of 1988	748	wscript.exe	38
PID 1988 wrote to memory of 1304	1988	wscript.exe	39
PID 1304 wrote to memory of 1120	1304	wscript.exe	40
PID 1120 wrote to memory of 1976	1120	wscript.exe	41
PID 1976 wrote to memory of 752	1976	wscript.exe	42
PID 752 wrote to memory of 1848	752	wscript.exe	43
PID 1848 wrote to memory of 1300	1848	wscript.exe	44
PID 1300 wrote to memory of 1116	1300	wscript.exe	45
PID 1116 wrote to memory of 1112	1116	wscript.exe	46
PID 1112 wrote to memory of 1972	1112	wscript.exe	47
PID 1972 wrote to memory of 2012	1972	wscript.exe	48
PID 2012 wrote to memory of 1292	2012	wscript.exe	49

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:1292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-1-0x0000000002850000-0x0000000002854000-memory.dmp

Filesize
16KB

Download
memory/748-11-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/752-16-0x0000000002970000-0x0000000002974000-memory.dmp

Filesize
16KB

Download
memory/840-4-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download
memory/1036-5-0x0000000002930000-0x0000000002934000-memory.dmp

Filesize
16KB

Download
memory/1104-8-0x0000000002970000-0x0000000002974000-memory.dmp

Filesize
16KB

Download
memory/1112-20-0x0000000002740000-0x0000000002744000-memory.dmp

Filesize
16KB

Download
memory/1116-19-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/1120-14-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1260-3-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download
memory/1300-18-0x0000000002AE0000-0x0000000002AE4000-memory.dmp

Filesize
16KB

Download
memory/1304-13-0x0000000002830000-0x0000000002834000-memory.dmp

Filesize
16KB

Download
memory/1332-0-0x00000000029D0000-0x00000000029D4000-memory.dmp

Filesize
16KB

Download
memory/1436-7-0x00000000028F0000-0x00000000028F4000-memory.dmp

Filesize
16KB

Download
memory/1740-2-0x0000000002940000-0x0000000002944000-memory.dmp

Filesize
16KB

Download
memory/1844-6-0x00000000027A0000-0x00000000027A4000-memory.dmp

Filesize
16KB

Download
memory/1848-17-0x00000000029E0000-0x00000000029E4000-memory.dmp

Filesize
16KB

Download
memory/1968-9-0x00000000027A0000-0x00000000027A4000-memory.dmp

Filesize
16KB

Download
memory/1972-21-0x00000000029C0000-0x00000000029C4000-memory.dmp

Filesize
16KB

Download
memory/1976-15-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/1988-12-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/1996-10-0x00000000029E0000-0x00000000029E4000-memory.dmp

Filesize
16KB

Download
memory/2012-22-0x00000000028B0000-0x00000000028B4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads