5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc

Analysis

Target

vbc.exe
Size

1.6MB
MD5

52da53b1c61bf409b32f845f3806479a
SHA1

4e4120c159b2ff506c8719332dc38298ac092659
SHA256

5897858ea935658dd34bc4ef2692d4694eea6be164a9d8566b55c769dae2c8bc
SHA512

3a1ffa7db0f5b90deccbf9f84033e19ed43f9d28006f40c2c8d1cbe7c337f6fd458c966bef0b29c8f1cde725d1e1abfecb65c00b5ae6f908dcb33ecb83c7dbca

Score

7^/10

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1536 1884 WerFault.exe vbc.exe

pid	pid_target	process	target process
1536	1884	WerFault.exe	vbc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

vbc.exe

description	pid	process	target process
PID 1884 wrote to memory of 1536	1884	vbc.exe	WerFault.exe
PID 1884 wrote to memory of 1536	1884	vbc.exe	WerFault.exe
PID 1884 wrote to memory of 1536	1884	vbc.exe	WerFault.exe
PID 1884 wrote to memory of 1536	1884	vbc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 584
2⤵
- Program crash
PID:1536

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1536-56-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x0000000000C90000-0x0000000000E32000-memory.dmp

Filesize
1.6MB

Download
memory/1884-55-0x0000000000AF0000-0x0000000000B6C000-memory.dmp

Filesize
496KB

Download