Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
14-12-2021 11:53
Static task
static1
Behavioral task
behavioral1
Sample
tmp/vbc.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
tmp/vbc.exe
-
Size
1.5MB
-
MD5
8e5e31f5dd73631eddc2cb57e0f48a9a
-
SHA1
13bd3cf85edef10be8b60c96334eda4f30eda0ba
-
SHA256
356c38de132ad392f3155f48d11f97efbd7892a04499aea67dab5a76e85cb68d
-
SHA512
43cf5099575d698ffbd13dc82aa76e2358629d52217cd9d019acfb52c87a29e1ef9750dee756d164787544c76cc68464b014e3f17b3236467952ef95215a94d1
Score
7/10
Malware Config
Signatures
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
vbc.exepid process 1684 vbc.exe 1684 vbc.exe 1684 vbc.exe 1684 vbc.exe 1684 vbc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exedescription pid process Token: SeDebugPrivilege 1684 vbc.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
vbc.exedescription pid process target process PID 1684 wrote to memory of 1240 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1240 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1240 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1240 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 640 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 640 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 640 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 640 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 548 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 548 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 548 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 548 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1664 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1664 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1664 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1664 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1660 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1660 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1660 1684 vbc.exe vbc.exe PID 1684 wrote to memory of 1660 1684 vbc.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"2⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"2⤵PID:640
-
C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"2⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"2⤵PID:1664
-
C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"2⤵PID:1660
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1684-54-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/1684-56-0x0000000076C61000-0x0000000076C63000-memory.dmpFilesize
8KB
-
memory/1684-57-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB
-
memory/1684-58-0x00000000003D0000-0x00000000003D7000-memory.dmpFilesize
28KB
-
memory/1684-59-0x0000000008170000-0x00000000082E3000-memory.dmpFilesize
1.4MB