Analysis

max time kernel: 91s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 01:44

Static task: static1

Behavioral task: behavioral1
  Sample: 2nd PO389733.exe
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 2nd PO389733.exe
  Resource: win10v2004-20220414-en (windows10-2004_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral3
  Sample: PO389732.exe
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
General

Target: 2nd PO389733.exe
Size: 351KB
MD5: e4df03f1fc29eb4fc32a0801b26ce6ed
SHA1: 1c487bae47d8f81ab5b2f851ace41b3520e0e77e
SHA256: ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e
SHA512: f89812a4a5ed11d10c6880e34a2bd34a6f0f96b929fd1bcf3790227505c256abd17ea5f3411529aab9db0c850b3449adcb2399541c52cb3856ebc9800e15f179
Score: 7/10
Malware Config

Signatures

Uses the VBS compiler for execution (1 TTPs)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process
  2744  2nd PO389733.exe   (10 events, all from the same process)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2744  2nd PO389733.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid   process            target process
  PID 2744 wrote to memory of 2708   2744  2nd PO389733.exe   vbc.exe   (3 writes)
  PID 2744 wrote to memory of 3180   2744  2nd PO389733.exe   vbc.exe   (3 writes)
  PID 2744 wrote to memory of 5032   2744  2nd PO389733.exe   vbc.exe   (3 writes)
  PID 2744 wrote to memory of 2284   2744  2nd PO389733.exe   vbc.exe   (3 writes)
  PID 2744 wrote to memory of 1248   2744  2nd PO389733.exe   vbc.exe   (3 writes)
Processes

C:\Users\Admin\AppData\Local\Temp\2nd PO389733.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2nd PO389733.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  |     command line: "{path}"
  +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  |     command line: "{path}"
  +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  |     command line: "{path}"
  +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  |     command line: "{path}"
  +-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        command line: "{path}"
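The Signatures and Processes sections together show the shape of a RunPE-style .NET loader: the sample enables SeDebugPrivilege, starts five copies of vbc.exe (the Visual Basic .NET compiler that ships with the framework) with the literal argument "{path}", and the report records three WriteProcessMemory calls from pid 2744 into each child. The script below is an added example, not part of the sandbox report or its tooling: it parses the report's own WriteProcessMemory IoC lines (copied verbatim) into a writer-to-target summary and flags a writer that puts memory into two or more distinct processes whose image is a known .NET hollowing target. The list of hollowing targets is an assumption drawn from commonly abused .NET framework binaries; the report itself only names vbc.exe.

```python
"""Group the report's WriteProcessMemory IoCs into an injection summary.

Added example, not code from the report. It takes the 15 "wrote to memory of"
lines from the Signatures section and groups them by (writer pid, target pid),
then flags the pattern they show: one parent writing into several freshly
started copies of a .NET framework binary.
"""
import re
from collections import defaultdict

# Verbatim IoC lines from the report's "Suspicious use of WriteProcessMemory".
REPORT_WRITES = """\
PID 2744 wrote to memory of 2708 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 2708 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 2708 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 3180 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 3180 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 3180 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 5032 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 5032 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 5032 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 2284 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 2284 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 2284 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 1248 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 1248 2744 2nd PO389733.exe vbc.exe
PID 2744 wrote to memory of 1248 2744 2nd PO389733.exe vbc.exe
"""

# Column layout the report uses:
#   "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# The source image may contain spaces ("2nd PO389733.exe"), so it is matched
# lazily and the target image is taken as the final whitespace-free token.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>.+?) (?P<dst_img>\S+)$"
)

# Assumption (not from the report): .NET framework binaries that .NET
# crypters/loaders commonly start suspended and overwrite with their payload.
DOTNET_HOLLOW_TARGETS = frozenset({
    "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
    "msbuild.exe", "installutil.exe", "applaunch.exe",
})


def parse_writes(text):
    """Return one (src_pid, src_image, dst_pid, dst_image) tuple per IoC line."""
    events = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m is None:
            continue  # not a WriteProcessMemory IoC line; skip it
        events.append((int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"]))
    return events


def summarize_writes(events):
    """Map each writer (pid, image) to {target_pid: (target_image, write_count)}."""
    summary = defaultdict(dict)
    for src, src_img, dst, dst_img in events:
        img, n = summary[(src, src_img)].get(dst, (dst_img, 0))
        summary[(src, src_img)][dst] = (img, n + 1)
    return dict(summary)


def find_hollowing_candidates(events, min_targets=2):
    """Flag writers that wrote into >= min_targets distinct processes whose
    image is in DOTNET_HOLLOW_TARGETS. Returns a list of finding dicts."""
    findings = []
    for (src, src_img), targets in summarize_writes(events).items():
        hits = {pid: img for pid, (img, _) in targets.items()
                if img.lower() in DOTNET_HOLLOW_TARGETS}
        if len(hits) >= min_targets:
            findings.append({
                "writer_pid": src,
                "writer_image": src_img,
                "target_pids": sorted(hits),
                "target_images": sorted(set(hits.values())),
                "total_writes": sum(n for pid, (_, n) in targets.items()
                                    if pid in hits),
            })
    return findings


if __name__ == "__main__":
    for f in find_hollowing_candidates(parse_writes(REPORT_WRITES)):
        print(f"{f['writer_image']} (pid {f['writer_pid']}) wrote "
              f"{f['total_writes']} times into {len(f['target_pids'])} "
              f"{'/'.join(f['target_images'])} processes: {f['target_pids']}")
```

Two caveats when reading this against a live host rather than a report. First, SeDebugPrivilege is not needed to write into a process you created yourself (CreateProcess hands the parent a full-access handle), so the AdjustPrivilegeToken hit is a habit of the loader, not a prerequisite; do not make the privilege change a required condition in a detection. Second, the report counts writes but does not show what was written; the per-child mapping dumps listed under Downloads (1248, 2284, 2708, 3180, 5032) are the artifacts captured from those target pids.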
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                               filesize
memory/1248-139-0x0000000000000000-mapping.dmp
memory/2284-138-0x0000000000000000-mapping.dmp
memory/2708-135-0x0000000000000000-mapping.dmp
memory/2744-130-0x00000000007F0000-0x000000000084E000-memory.dmp   376KB
memory/2744-131-0x0000000005790000-0x0000000005D34000-memory.dmp   5.6MB
memory/2744-132-0x00000000050E0000-0x0000000005172000-memory.dmp   584KB
memory/2744-133-0x00000000050A0000-0x00000000050AA000-memory.dmp   40KB
memory/2744-134-0x0000000007650000-0x00000000076EC000-memory.dmp   624KB
memory/3180-136-0x0000000000000000-mapping.dmp
memory/5032-137-0x0000000000000000-mapping.dmp