8ba3166fa29eedff427b62c2d1b05984949a1ac87a34ffa2ab95f4404e96d0e7

Analysis

Target

vbc.exe
Size

790KB
MD5

14f5bfcb44b9511f2cfac6f29ab55898
SHA1

f8dd1f7ec5259168dc98367c3eaa998f08b41a9d
SHA256

8ba3166fa29eedff427b62c2d1b05984949a1ac87a34ffa2ab95f4404e96d0e7
SHA512

0bd4db6d4f45a58b25445726956876d5546bcf73436b0b7c0411ef3d0e683fd91707551a146e775482399896ea6581caaa3d57d3e966a17a451315dcdf1f3b02

Score

7^/10

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1764 1668 WerFault.exe vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1668 vbc.exe

pid	pid_target	process	target process
1764	1668	WerFault.exe	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1668	vbc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

vbc.exe

description	pid	process	target process
PID 1668 wrote to memory of 1764	1668	vbc.exe	WerFault.exe
PID 1668 wrote to memory of 1764	1668	vbc.exe	WerFault.exe
PID 1668 wrote to memory of 1764	1668	vbc.exe	WerFault.exe
PID 1668 wrote to memory of 1764	1668	vbc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 544
  2⤵
  - Program crash
  PID:1764

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1668-54-0x0000000000C90000-0x0000000000D5C000-memory.dmp

Filesize
816KB

Download
memory/1764-55-0x0000000000000000-mapping.dmp

Download