1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-08-2022 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe
Size

72KB
MD5

0a394ea5a6a326d2b8a0f7d6ba4bbd82
SHA1

c1e1ad4bab9727d1ff3a0788c51edc223f53f097
SHA256

1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393
SHA512

f7388719ada155e354434b57b438e20c23db44ddf3cf1b4552715d371aec3c5f834992c08eca63b58051472a92996b4d2bb51b1fa5a7671f6c33c731c20bb902
SSDEEP

768:7BcNSpIMgsDi8giO5KLC8MkGPXsADPGL69QKN/ZfdV1+nAZjEMzsyy:Fc4IuDdgN5TkGP8A7EUnhV+nAZjE4a

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1512 set thread context of 2016	1512	1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe	27

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2016	1512	1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe	27
PID 1512 wrote to memory of 2016	1512	1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe	27
PID 1512 wrote to memory of 2016	1512	1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe	27
PID 1512 wrote to memory of 2016	1512	1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe	27
PID 1512 wrote to memory of 2016	1512	1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe	27
PID 1512 wrote to memory of 2016	1512	1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe	27
PID 1512 wrote to memory of 2016	1512	1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe	27

C:\Users\Admin\AppData\Local\Temp\1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe
"C:\Users\Admin\AppData\Local\Temp\1b82a0c989856a73ff5c46b1f578b8dadc94d40d265a5ef891313d6f73948393.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1512-54-0x0000000000900000-0x0000000000916000-memory.dmp

Filesize
88KB

Download
memory/2016-55-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download
memory/2016-56-0x0000000000080000-0x000000000008E000-memory.dmp

Filesize
56KB

Download