1276c85709b33cafab4e0079f409ea0c83e41d97e30dcc50a11cce385f10d62e

Analysis

max time kernel
91s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2nd PO389733.exe
Size

351KB
MD5

e4df03f1fc29eb4fc32a0801b26ce6ed
SHA1

1c487bae47d8f81ab5b2f851ace41b3520e0e77e
SHA256

ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e
SHA512

f89812a4a5ed11d10c6880e34a2bd34a6f0f96b929fd1bcf3790227505c256abd17ea5f3411529aab9db0c850b3449adcb2399541c52cb3856ebc9800e15f179

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2nd PO389733.exe

pid	process
2744	2nd PO389733.exe
2744	2nd PO389733.exe
2744	2nd PO389733.exe
2744	2nd PO389733.exe
2744	2nd PO389733.exe
2744	2nd PO389733.exe
2744	2nd PO389733.exe
2744	2nd PO389733.exe
2744	2nd PO389733.exe
2744	2nd PO389733.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2nd PO389733.exe

description pid process

Token: SeDebugPrivilege 2744 2nd PO389733.exe

description	pid	process
Token: SeDebugPrivilege	2744	2nd PO389733.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2nd PO389733.exe

description	pid	process	target process
PID 2744 wrote to memory of 2708	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 2708	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 2708	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 3180	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 3180	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 3180	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 5032	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 5032	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 5032	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 2284	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 2284	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 2284	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 1248	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 1248	2744	2nd PO389733.exe	vbc.exe
PID 2744 wrote to memory of 1248	2744	2nd PO389733.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2nd PO389733.exe
"C:\Users\Admin\AppData\Local\Temp\2nd PO389733.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:2708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:3180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-139-0x0000000000000000-mapping.dmp

Download
memory/2284-138-0x0000000000000000-mapping.dmp

Download
memory/2708-135-0x0000000000000000-mapping.dmp

Download
memory/2744-130-0x00000000007F0000-0x000000000084E000-memory.dmp

Filesize
376KB

Download
memory/2744-131-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/2744-132-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/2744-133-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/2744-134-0x0000000007650000-0x00000000076EC000-memory.dmp

Filesize
624KB

Download
memory/3180-136-0x0000000000000000-mapping.dmp

Download
memory/5032-137-0x0000000000000000-mapping.dmp

Download