a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce

Analysis

max time kernel
302s
max time network
322s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19/10/2022, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe
Size

2.4MB
MD5

9e7ea9b64b79efe2cbfddc73d885a42f
SHA1

93414df1a44175703342e200b56822b1ee1d2bf5
SHA256

a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce
SHA512

12d60eb613ee7a9d13582db1859754231a87ecc2792297cf661adf3c8d42e9e8d29b57294b8a79e6fa30e4470d036e65a63ff75c59cf565fed56b71c982aafd2
SSDEEP

24576:BQQDQWrQDbwMxSPlFY6YKNz/bJMSOX00dr90iAJZf/j34Pkw7VceLYewl3RuQ55Z:BRDQzxSPJ9Z/D4Pb7VceCl3

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 100164	2716	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	67

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2420	powershell.exe
2420	powershell.exe
2420	powershell.exe
2496	powershell.exe
2496	powershell.exe
2496	powershell.exe
6244	powershell.exe
6244	powershell.exe
6244	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	100164	vbc.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	6244	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 100164	2716	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	67
PID 2716 wrote to memory of 100164	2716	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	67
PID 2716 wrote to memory of 100164	2716	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	67
PID 2716 wrote to memory of 100164	2716	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	67
PID 2716 wrote to memory of 100164	2716	a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe	67
PID 100164 wrote to memory of 2096	100164	vbc.exe	68
PID 100164 wrote to memory of 2096	100164	vbc.exe	68
PID 100164 wrote to memory of 2096	100164	vbc.exe	68
PID 2096 wrote to memory of 4912	2096	cmd.exe	70
PID 2096 wrote to memory of 4912	2096	cmd.exe	70
PID 2096 wrote to memory of 4912	2096	cmd.exe	70
PID 2096 wrote to memory of 2420	2096	cmd.exe	71
PID 2096 wrote to memory of 2420	2096	cmd.exe	71
PID 2096 wrote to memory of 2420	2096	cmd.exe	71
PID 2096 wrote to memory of 2496	2096	cmd.exe	72
PID 2096 wrote to memory of 2496	2096	cmd.exe	72
PID 2096 wrote to memory of 2496	2096	cmd.exe	72
PID 2096 wrote to memory of 6244	2096	cmd.exe	73
PID 2096 wrote to memory of 6244	2096	cmd.exe	73
PID 2096 wrote to memory of 6244	2096	cmd.exe	73

C:\Users\Admin\AppData\Local\Temp\a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe
"C:\Users\Admin\AppData\Local\Temp\a579314b0ba0cae034d12e569485440070508881780ec6b1820f2e61ba222cce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:100164
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:4912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d961c4d5ee47f5fda37953d4ac5f5537

SHA1
f1e7ec4c533c170a1d549be247ddc759f7fbbd83

SHA256
8611bda12beae77d77bb73625d913987f63733d158b7ea887690f824012ed053

SHA512
fcc34c7e289bbe1974b6a91c300d59cc79eb14b688477cf58669c400ca5a98016fa471584eaaec6eaf41091d05a18e892fc4cd8f47610167b1fe76f6d281432a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
30f42c003cbb1837a6ba1d3217429738

SHA1
9adf8f74fab5f6492344dec0132318729d414e28

SHA256
df326fa2b9de3f51c931417f2da3ddedc912682db09df5673c5a51b93c4c7139

SHA512
0ee0f519f2e6eaf5589a109a651117eb2f193375baaebd1f49f09a920fa2726e5784d27066abdea37a560d3dcbee11007832b67970c5aa48c02e3796e9a484bc

Download Submit
memory/2420-292-0x0000000007DB0000-0x0000000007E26000-memory.dmp

Filesize
472KB

Download
memory/2420-305-0x0000000008EB0000-0x0000000008EE3000-memory.dmp

Filesize
204KB

Download
memory/2420-271-0x00000000076D0000-0x0000000007A20000-memory.dmp

Filesize
3.3MB

Download
memory/2420-286-0x0000000007B20000-0x0000000007B3C000-memory.dmp

Filesize
112KB

Download
memory/2420-288-0x0000000008040000-0x000000000808B000-memory.dmp

Filesize
300KB

Download
memory/2420-266-0x0000000006D20000-0x0000000006D42000-memory.dmp

Filesize
136KB

Download
memory/2420-248-0x0000000006EC0000-0x00000000074E8000-memory.dmp

Filesize
6.2MB

Download
memory/2420-267-0x0000000006DC0000-0x0000000006E26000-memory.dmp

Filesize
408KB

Download
memory/2420-306-0x0000000008C70000-0x0000000008C8E000-memory.dmp

Filesize
120KB

Download
memory/2420-315-0x0000000008EF0000-0x0000000008F95000-memory.dmp

Filesize
660KB

Download
memory/2420-319-0x0000000009190000-0x0000000009224000-memory.dmp

Filesize
592KB

Download
memory/2420-522-0x00000000074F0000-0x000000000750A000-memory.dmp

Filesize
104KB

Download
memory/2420-527-0x0000000006DA0000-0x0000000006DA8000-memory.dmp

Filesize
32KB

Download
memory/2420-243-0x0000000004210000-0x0000000004246000-memory.dmp

Filesize
216KB

Download
memory/2716-120-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-125-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-115-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-130-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-129-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-128-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-127-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-126-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-124-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-116-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-123-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-122-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-121-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-119-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-118-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/2716-117-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-156-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-179-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-154-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-155-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-152-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-157-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-158-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-159-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-160-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-161-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-162-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-163-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-165-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-166-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-168-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-169-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-170-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-171-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-172-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-173-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-174-0x0000000009B40000-0x000000000A03E000-memory.dmp

Filesize
5.0MB

Download
memory/100164-175-0x0000000009640000-0x00000000096D2000-memory.dmp

Filesize
584KB

Download
memory/100164-176-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-177-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-178-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-153-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-180-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-151-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-150-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-149-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-148-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-147-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-146-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-145-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-144-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-143-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-142-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-138-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-141-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-140-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-139-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-137-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-131-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/100164-181-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-182-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-183-0x0000000077AD0000-0x0000000077C5E000-memory.dmp

Filesize
1.6MB

Download
memory/100164-191-0x00000000095D0000-0x00000000095DA000-memory.dmp

Filesize
40KB

Download
memory/100164-192-0x0000000009840000-0x00000000098A6000-memory.dmp

Filesize
408KB

Download