8f14202d038576081a716747d905248877b873edcec27a6406201d57b090ae8b

General

Target

vbc.exe
Size

441KB
MD5

35971270d5d0406535ba77fa74bf4f21
SHA1

2ae768c1dd51a1bbefa32f2f8b620490ec026aae
SHA256

8f14202d038576081a716747d905248877b873edcec27a6406201d57b090ae8b
SHA512

e4f164fbdca5636b60e7f015b3f39e46f7188fc7eadc0557a8cce88c3150f2de18f6eb7e51659c3b91b82a5ff8325e7067e7d2061d32f9bc8de31ba7814031cf

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1052 1932 WerFault.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

380 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

vbc.exeWerFault.exepowershell.exe

pid process

1932 vbc.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1052 WerFault.exe
1292 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exeWerFault.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1932 vbc.exe
Token: SeDebugPrivilege 1052 WerFault.exe
Token: SeDebugPrivilege 1292 powershell.exe

pid	pid_target	process	target process
1052	1932	WerFault.exe	vbc.exe

pid	process
380	schtasks.exe

pid	process
1932	vbc.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1052	WerFault.exe
1292	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1932	vbc.exe
Token: SeDebugPrivilege	1052	WerFault.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

vbc.exe

description	pid	process	target process
PID 1932 wrote to memory of 1292	1932	vbc.exe	powershell.exe
PID 1932 wrote to memory of 1292	1932	vbc.exe	powershell.exe
PID 1932 wrote to memory of 1292	1932	vbc.exe	powershell.exe
PID 1932 wrote to memory of 1292	1932	vbc.exe	powershell.exe
PID 1932 wrote to memory of 380	1932	vbc.exe	schtasks.exe
PID 1932 wrote to memory of 380	1932	vbc.exe	schtasks.exe
PID 1932 wrote to memory of 380	1932	vbc.exe	schtasks.exe
PID 1932 wrote to memory of 380	1932	vbc.exe	schtasks.exe
PID 1932 wrote to memory of 1052	1932	vbc.exe	WerFault.exe
PID 1932 wrote to memory of 1052	1932	vbc.exe	WerFault.exe
PID 1932 wrote to memory of 1052	1932	vbc.exe	WerFault.exe
PID 1932 wrote to memory of 1052	1932	vbc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HWDkRuZX.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HWDkRuZX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp"
2⤵
- Creates scheduled task(s)
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1012
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA998.tmp
MD5
8cc7db85854acf4a7496fb3ef97bab22

SHA1
389b1a04aa7bca7870d6c9b2a526ed1d2201389f

SHA256
c996c51ec12bc58359a3f6f3f969bf39e7ab3484dc9dd4455ea45ede56162d49

SHA512
463ea9667bf4e06c53809b7fe775ad7a64a837e37ef1e0fe5ca8687f7376b0c903d0dfd65666ad88e666fb206719691a3fefb50d00bd358b515e98b3e52c8dff

Download Submit
memory/380-62-0x0000000000000000-mapping.dmp

Download
memory/1052-69-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1052-65-0x0000000000000000-mapping.dmp

Download
memory/1292-67-0x0000000002451000-0x0000000002452000-memory.dmp

Filesize
4KB

Download
memory/1292-61-0x0000000000000000-mapping.dmp

Download
memory/1292-66-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/1292-68-0x0000000002452000-0x0000000002454000-memory.dmp

Filesize
8KB

Download
memory/1932-60-0x00000000051B0000-0x0000000005208000-memory.dmp

Filesize
352KB

Download
memory/1932-59-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/1932-58-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/1932-55-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1932-57-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads