511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da

General

Target

vbc.exe
Size

238KB
MD5

8efc94a68d078ed67459403c868aa9f0
SHA1

64da6737b14dc11fb68fe4aef22981219ecbfd9f
SHA256

511f5c0a9946188ad3dbbb58c2e2e5564402d83dd77379a39c8a17c660a737da
SHA512

5fd1f0fb7113d11e5ee7921581da43a4b04c2afeecca9fbd623cae5ef2b19955cd456fd7ac230eeab344e12e6452b780f616b90a00ccc1f1606a443a54f5a9f6

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

744 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1320 568 WerFault.exe vbc.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1320 WerFault.exe
1320 WerFault.exe
1320 WerFault.exe
1320 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1320 WerFault.exe

pid	process
744	vbc.exe

pid	pid_target	process	target process
1320	568	WerFault.exe	vbc.exe

pid	process
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe
1320	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1320	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

vbc.exevbc.exe

description	pid	process	target process
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 744 wrote to memory of 568	744	vbc.exe	vbc.exe
PID 568 wrote to memory of 1320	568	vbc.exe	WerFault.exe
PID 568 wrote to memory of 1320	568	vbc.exe	WerFault.exe
PID 568 wrote to memory of 1320	568	vbc.exe	WerFault.exe
PID 568 wrote to memory of 1320	568	vbc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 148
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsi1BCB.tmp\edjaxef.dll
MD5
91b963a246288264ddf484d3b69741a1

SHA1
15168c8dd766c2046f891e085e08fae5a368665d

SHA256
8477871a37fc72bdc5eaec5d690e67421209e6fbeb3b6d278044de3686df650c

SHA512
99fd9259be65abef388a7763cbd7b3de5252bcd3827a36bf970989a73e87b76c35cfab6bc6c035057b5e1a78f924585577ffb9f88500fc300ed727955de72652

Download Submit
memory/568-57-0x0000000000000000-mapping.dmp

Download
memory/568-58-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/568-62-0x00000000001C0000-0x00000000001DB000-memory.dmp

Filesize
108KB

Download
memory/744-55-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1320-67-0x0000000000000000-mapping.dmp

Download
memory/1320-69-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing