3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

General

Target

VBS_ed167804673b6f89dc6657e71ae971c4.11
Sample

191122-wmwdtp9drn
SHA256

3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1108	1760	WScript.exe	26
PID 1108 wrote to memory of 1088	1108	wscript.exe	27
PID 1088 wrote to memory of 656	1088	wscript.exe	28
PID 656 wrote to memory of 1488	656	wscript.exe	29
PID 1488 wrote to memory of 1960	1488	wscript.exe	30
PID 1960 wrote to memory of 1820	1960	wscript.exe	31
PID 1820 wrote to memory of 1132	1820	wscript.exe	32
PID 1132 wrote to memory of 1072	1132	wscript.exe	33
PID 1072 wrote to memory of 936	1072	wscript.exe	34
PID 936 wrote to memory of 820	936	wscript.exe	35
PID 820 wrote to memory of 1968	820	wscript.exe	36
PID 1968 wrote to memory of 1884	1968	wscript.exe	37
PID 1884 wrote to memory of 2000	1884	wscript.exe	38
PID 2000 wrote to memory of 1268	2000	wscript.exe	39
PID 1268 wrote to memory of 1340	1268	wscript.exe	40
PID 1340 wrote to memory of 2040	1340	wscript.exe	41
PID 2040 wrote to memory of 1136	2040	wscript.exe	42
PID 1136 wrote to memory of 2028	1136	wscript.exe	43
PID 2028 wrote to memory of 1820	2028	wscript.exe	44
PID 1820 wrote to memory of 1988	1820	wscript.exe	45
PID 1988 wrote to memory of 1508	1988	wscript.exe	46
PID 1508 wrote to memory of 1980	1508	wscript.exe	47
PID 1980 wrote to memory of 1552	1980	wscript.exe	48
PID 1552 wrote to memory of 1852	1552	wscript.exe	49

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-3-0x0000000002930000-0x0000000002934000-memory.dmp

Filesize
16KB

Download
memory/936-8-0x0000000002A10000-0x0000000002A14000-memory.dmp

Filesize
16KB

Download
memory/1072-7-0x0000000002A60000-0x0000000002A64000-memory.dmp

Filesize
16KB

Download
memory/1088-2-0x0000000002770000-0x0000000002774000-memory.dmp

Filesize
16KB

Download
memory/1108-1-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/1132-6-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download
memory/1136-15-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1268-12-0x00000000029F0000-0x00000000029F4000-memory.dmp

Filesize
16KB

Download
memory/1340-13-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/1488-4-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download
memory/1508-19-0x00000000027F0000-0x00000000027F4000-memory.dmp

Filesize
16KB

Download
memory/1552-21-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/1760-0-0x00000000028D0000-0x00000000028D4000-memory.dmp

Filesize
16KB

Download
memory/1820-17-0x00000000029D0000-0x00000000029D4000-memory.dmp

Filesize
16KB

Download
memory/1884-10-0x00000000027C0000-0x00000000027C4000-memory.dmp

Filesize
16KB

Download
memory/1960-5-0x0000000002790000-0x0000000002794000-memory.dmp

Filesize
16KB

Download
memory/1968-9-0x00000000029F0000-0x00000000029F4000-memory.dmp

Filesize
16KB

Download
memory/1980-20-0x0000000002830000-0x0000000002834000-memory.dmp

Filesize
16KB

Download
memory/1988-18-0x0000000002920000-0x0000000002924000-memory.dmp

Filesize
16KB

Download
memory/2000-11-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/2028-16-0x00000000028B0000-0x00000000028B4000-memory.dmp

Filesize
16KB

Download
memory/2040-14-0x0000000002860000-0x0000000002864000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads