Analysis
max time kernel: 91s
max time network: 94s
platform: windows10_x64
resource: win10
submitted: 25-06-2020 05:23
Static task
static1
Behavioral task
behavioral1
Sample: vbc.exe
Resource: win7v200430, windows7_x64
0 signatures, 0 seconds
Behavioral task
behavioral2
Sample: vbc.exe
Resource: win10, windows10_x64
0 signatures, 0 seconds
General
Target: vbc.exe
Size: 453KB
MD5: be8ecf5fc8fc6564c01a30e872bbe4b9
SHA1: 40a93953f8b744f41136f4728b77d936d9bab568
SHA256: 7fc89c08916cfdbc1f950304f39fb0039437bf720a7dcf4e236636cb004caf9c
SHA512: 039aea333e6e59aa8d7f020865ad660021027e041ed112fc7a8b8338db0fdfc695cc6c8d4f20047bbc30f45c8434a489f0a6db66d42536df93b51a0840bf1dab
Score: 7/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes: RegSvcs.exe
  pid   process
  3852  RegSvcs.exe
  3852  RegSvcs.exe
- Uses the VBS compiler for execution 1 TTPs
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes: vbc.exe
  description                       pid   process  target process
  PID 4012 wrote to memory of 3852  4012  vbc.exe  RegSvcs.exe
  PID 4012 wrote to memory of 3852  4012  vbc.exe  RegSvcs.exe
  PID 4012 wrote to memory of 3852  4012  vbc.exe  RegSvcs.exe
  PID 4012 wrote to memory of 3852  4012  vbc.exe  RegSvcs.exe
  PID 4012 wrote to memory of 3852  4012  vbc.exe  RegSvcs.exe
  PID 4012 wrote to memory of 3852  4012  vbc.exe  RegSvcs.exe
  PID 4012 wrote to memory of 3852  4012  vbc.exe  RegSvcs.exe
  PID 4012 wrote to memory of 3852  4012  vbc.exe  RegSvcs.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: vbc.exe
  description                          pid   process  target process
  PID 4012 set thread context of 3852  4012  vbc.exe  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: RegSvcs.exe
  description              pid   process
  Token: SeDebugPrivilege  3852  RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\vbc.exe "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe "{path}"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken