356c38de132ad392f3155f48d11f97efbd7892a04499aea67dab5a76e85cb68d

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
14-12-2021 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp/vbc.exe
Size

1.5MB
MD5

8e5e31f5dd73631eddc2cb57e0f48a9a
SHA1

13bd3cf85edef10be8b60c96334eda4f30eda0ba
SHA256

356c38de132ad392f3155f48d11f97efbd7892a04499aea67dab5a76e85cb68d
SHA512

43cf5099575d698ffbd13dc82aa76e2358629d52217cd9d019acfb52c87a29e1ef9750dee756d164787544c76cc68464b014e3f17b3236467952ef95215a94d1

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc.exe

pid process

1684 vbc.exe
1684 vbc.exe
1684 vbc.exe
1684 vbc.exe
1684 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1684 vbc.exe

pid	process
1684	vbc.exe
1684	vbc.exe
1684	vbc.exe
1684	vbc.exe
1684	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1684	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

vbc.exe

description	pid	process	target process
PID 1684 wrote to memory of 1240	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1240	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1240	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1240	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 640	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 640	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 640	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 640	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 548	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 548	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 548	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 548	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1664	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1664	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1664	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1664	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1660	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1660	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1660	1684	vbc.exe	vbc.exe
PID 1684 wrote to memory of 1660	1684	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:1660

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1684-54-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1684-56-0x0000000076C61000-0x0000000076C63000-memory.dmp

Filesize
8KB

Download
memory/1684-57-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1684-58-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/1684-59-0x0000000008170000-0x00000000082E3000-memory.dmp

Filesize
1.4MB

Download