b190c0b66428b594f7507ae98fcc45e1907cb9cdf618919002791241ae94280f

General

Target

tmp/vbc.exe
Size

1.4MB
MD5

3668f9be040098859e662ba94616cc51
SHA1

3b3ec4ac86c462747a2190c33ca2a4588fcc9310
SHA256

b190c0b66428b594f7507ae98fcc45e1907cb9cdf618919002791241ae94280f
SHA512

54fa8de69114af4fc8ccfa5ef11a82587d3b74b5fa80e6e8d1683e5ce997db5d6ffc1b133ebcf97c226c2aad928696198392faaf184486685f0aa2a048a43dd3

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1060 schtasks.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

vbc.exepowershell.exe

pid process

944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
944 vbc.exe
428 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exepowershell.exe

description pid process

Token: SeDebugPrivilege 944 vbc.exe
Token: SeDebugPrivilege 428 powershell.exe

pid	process
1060	schtasks.exe

pid	process
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
944	vbc.exe
428	powershell.exe

description	pid	process
Token: SeDebugPrivilege	944	vbc.exe
Token: SeDebugPrivilege	428	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

vbc.exe

description	pid	process	target process
PID 944 wrote to memory of 428	944	vbc.exe	powershell.exe
PID 944 wrote to memory of 428	944	vbc.exe	powershell.exe
PID 944 wrote to memory of 428	944	vbc.exe	powershell.exe
PID 944 wrote to memory of 428	944	vbc.exe	powershell.exe
PID 944 wrote to memory of 1060	944	vbc.exe	schtasks.exe
PID 944 wrote to memory of 1060	944	vbc.exe	schtasks.exe
PID 944 wrote to memory of 1060	944	vbc.exe	schtasks.exe
PID 944 wrote to memory of 1060	944	vbc.exe	schtasks.exe
PID 944 wrote to memory of 1304	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1304	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1304	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1304	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 620	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 620	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 620	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 620	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 808	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 808	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 808	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 808	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1868	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1868	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1868	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1868	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1852	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1852	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1852	944	vbc.exe	vbc.exe
PID 944 wrote to memory of 1852	944	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SOEtXbQzHDdq.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SOEtXbQzHDdq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B09.tmp"
2⤵
- Creates scheduled task(s)
PID:1060

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\vbc.exe"
2⤵
PID:1852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7B09.tmp
MD5
c90feb1871ab38e07093604dfa364f2d

SHA1
1b5672489fa0fdb20c75da7f5410b7f091b2a04e

SHA256
5f0b50fcfc5b11474353ea795d5a5a765cf94292f8aba6dd7f289a1e36ebc777

SHA512
977753da1733c54a3435fcd488b8e0fb91eff53b9ba33adabf8feb6411eb3c3d82db2ed12ec3fa337ee5c83241c1ba787e0a1a96977755066205cb723425055a

Download Submit
memory/428-57-0x0000000000000000-mapping.dmp

Download
memory/428-61-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/428-62-0x0000000000651000-0x0000000000652000-memory.dmp

Filesize
4KB

Download
memory/428-63-0x0000000000652000-0x0000000000654000-memory.dmp

Filesize
8KB

Download
memory/944-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/944-55-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/944-56-0x0000000000661000-0x0000000000662000-memory.dmp

Filesize
4KB

Download
memory/1060-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads