abf4924189449f138e2c317801980bf678fcf41dc3439da1165b0e0bc0338b5e | Triage

Analysis

max time kernel
49s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06/09/2022, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

msvbvm80.dll
Size

112KB
MD5

047cb0a376094509219c9f56359f92b9
SHA1

b2eaec695dd8bb518c7e24c4f37a08344d6975be
SHA256

abf4924189449f138e2c317801980bf678fcf41dc3439da1165b0e0bc0338b5e
SHA512

b0141e20d2ab988daceca2a61001a1870c17347e9131bd8ac4e2b4c2676bcbeee8af2abe2b023c9c09916373b64a33a9ed33c19226af54445128af18541ae55f
SSDEEP

1536:YzujvFNGb79sxFCRW0H8sGNZtPNNGWi30wr0Ck01OrlTSwAp3H0qO:YzmQJUu7H8dNHz60wHfOrWH0X

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4988	powershell.exe
4988	powershell.exe
4988	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2796	4988	powershell.exe	68
PID 4988 wrote to memory of 2796	4988	powershell.exe	68
PID 2796 wrote to memory of 1368	2796	cmd.exe	70
PID 2796 wrote to memory of 1368	2796	cmd.exe	70
PID 2796 wrote to memory of 3356	2796	cmd.exe	71
PID 2796 wrote to memory of 3356	2796	cmd.exe	71

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvbvm80.dll,#1
1⤵
PID:3800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\regsvr32.exe
    regsvr32 msvbvm80.dll
    3⤵
    PID:1368
- - C:\Windows\system32\regsvr32.exe
    regsvr32 /s msvbvm80.dll
    3⤵
    PID:3356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4988-119-0x0000027669210000-0x0000027669232000-memory.dmp

Filesize
136KB

Download
memory/4988-138-0x00000276693A0000-0x00000276693DC000-memory.dmp

Filesize
240KB

Download
memory/4988-149-0x00000276698F0000-0x0000027669966000-memory.dmp

Filesize
472KB

Download