Analysis
- max time kernel: 122s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 22-10-2021 18:41
Static task: static1
Behavioral task: behavioral1
- Sample: vbc.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: vbc.exe
- Resource: win10-en-20210920
General
- Target: vbc.exe
- Size: 238KB
- MD5: 8efc94a68d078ed67459403c868aa9f0
- SHA1: 64da6737b14dc11fb68fe4aef22981219ecbfd9f
- SHA256: 511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
- SHA512: 5fd1f0fb7113d11e5ee7921581da43a4b04c2afeecca9fbd623cae5ef2b19955cd456fd7ac230eeab344e12e6452b780f616b90a00ccc1f1606a443a54f5a9f6
Malware Config
Signatures
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    744  vbc.exe
- Uses the VBS compiler for execution (1 TTPs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes (pid / pid_target / process / target process):
    1320  568  WerFault.exe  vbc.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    1320  WerFault.exe  (4 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1320  WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description / pid / process / target process):
    PID 744 wrote to memory of 568   744  vbc.exe  vbc.exe       (14 entries)
    PID 568 wrote to memory of 1320  568  vbc.exe  WerFault.exe  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  PID: 744
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\vbc.exe (child of PID 744)
    Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
    PID: 568
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (child of PID 568)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 148
      PID: 1320
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsi1BCB.tmp\edjaxef.dll
  MD5: 91b963a246288264ddf484d3b69741a1
  SHA1: 15168c8dd766c2046f891e085e08fae5a368665d
  SHA256: 8477871a37fc72bdc5eaec5d690e67421209e6fbeb3b6d278044de3686df650c
  SHA512: 99fd9259be65abef388a7763cbd7b3de5252bcd3827a36bf970989a73e87b76c35cfab6bc6c035057b5e1a78f924585577ffb9f88500fc300ed727955de72652
- memory/568-57-0x0000000000000000-mapping.dmp
- memory/568-58-0x00000000001C0000-0x00000000001DB000-memory.dmp (Filesize: 108KB)
- memory/568-62-0x00000000001C0000-0x00000000001DB000-memory.dmp (Filesize: 108KB)
- memory/744-55-0x00000000754A1000-0x00000000754A3000-memory.dmp (Filesize: 8KB)
- memory/1320-67-0x0000000000000000-mapping.dmp
- memory/1320-69-0x0000000000660000-0x0000000000661000-memory.dmp (Filesize: 4KB)