3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

General

Target

VBS_ed167804673b6f89dc6657e71ae971c4.zip
Sample

191122-z6nzch9zsj
SHA256

3e605855ed4bbc789477d2feddce2781b56d195311e17f753fc65d709b1f2321

Score

N/A

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1456	876	WScript.exe	27
PID 1456 wrote to memory of 1780	1456	wscript.exe	28
PID 1780 wrote to memory of 2032	1780	wscript.exe	29
PID 2032 wrote to memory of 384	2032	wscript.exe	30
PID 384 wrote to memory of 896	384	wscript.exe	31
PID 896 wrote to memory of 1424	896	wscript.exe	32
PID 1424 wrote to memory of 1084	1424	wscript.exe	33
PID 1084 wrote to memory of 1968	1084	wscript.exe	34
PID 1968 wrote to memory of 1384	1968	wscript.exe	35
PID 1384 wrote to memory of 748	1384	wscript.exe	36
PID 748 wrote to memory of 1992	748	wscript.exe	37
PID 1992 wrote to memory of 1320	1992	wscript.exe	38
PID 1320 wrote to memory of 1472	1320	wscript.exe	39
PID 1472 wrote to memory of 1840	1472	wscript.exe	40
PID 1840 wrote to memory of 1944	1840	wscript.exe	41
PID 1944 wrote to memory of 1996	1944	wscript.exe	42
PID 1996 wrote to memory of 1832	1996	wscript.exe	43
PID 1832 wrote to memory of 676	1832	wscript.exe	44
PID 676 wrote to memory of 1844	676	wscript.exe	45
PID 1844 wrote to memory of 1268	1844	wscript.exe	46
PID 1268 wrote to memory of 1432	1268	wscript.exe	47
PID 1432 wrote to memory of 1996	1432	wscript.exe	48
PID 1996 wrote to memory of 2028	1996	wscript.exe	49
PID 2028 wrote to memory of 2004	2028	wscript.exe	50

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\document4753.vbe.vbs ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___- ___-
1⤵
PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-4-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/676-16-0x00000000027E0000-0x00000000027E4000-memory.dmp

Filesize
16KB

Download
memory/876-0-0x00000000029D0000-0x00000000029D4000-memory.dmp

Filesize
16KB

Download
memory/896-5-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1084-7-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/1268-18-0x0000000002A30000-0x0000000002A34000-memory.dmp

Filesize
16KB

Download
memory/1320-11-0x0000000002850000-0x0000000002854000-memory.dmp

Filesize
16KB

Download
memory/1384-9-0x0000000002A50000-0x0000000002A54000-memory.dmp

Filesize
16KB

Download
memory/1424-6-0x0000000002920000-0x0000000002924000-memory.dmp

Filesize
16KB

Download
memory/1432-19-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/1456-1-0x00000000028C0000-0x00000000028C4000-memory.dmp

Filesize
16KB

Download
memory/1472-12-0x0000000002710000-0x0000000002714000-memory.dmp

Filesize
16KB

Download
memory/1780-2-0x0000000002A50000-0x0000000002A54000-memory.dmp

Filesize
16KB

Download
memory/1832-15-0x00000000027B0000-0x00000000027B4000-memory.dmp

Filesize
16KB

Download
memory/1840-13-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1844-17-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download
memory/1944-14-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download
memory/1968-8-0x0000000002950000-0x0000000002954000-memory.dmp

Filesize
16KB

Download
memory/1992-10-0x00000000028A0000-0x00000000028A4000-memory.dmp

Filesize
16KB

Download
memory/1996-20-0x0000000002AB0000-0x0000000002AB4000-memory.dmp

Filesize
16KB

Download
memory/2028-21-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/2032-3-0x0000000002820000-0x0000000002824000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads