Analysis
- max time kernel: 91s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-11-2022 01:25
Static task: static1
Behavioral task: behavioral1
- Sample: 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe
- Resource: win10v2004-20220901-en
General
- Target: 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe
- Size: 124KB
- MD5: 99f682f75994261bd769f11cd33820e7
- SHA1: 2d8f77e1aebc274f94c56626fe1a71514c01b439
- SHA256: 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f
- SHA512: 00ca067af16d76cd5e344065c3f6c223a5e35bf79b67759bfed26e1994bcbe36ca0ff0cfc10c4175659813a1501d8e5d9d64fbcaf98d92459ca052f15ff0f0db
- SSDEEP: 3072:x8Bwf9nPJ6+qVDRhIJTz7y1bJs6Httemsk3QnDPofdc:x8Snh2RIEJsKetudc
Malware Config
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          | pid  | process                                                                   | target process
  PID 5064 set thread context of 3512  | 5064 | 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe | vbc.exe
- Program crash (2 IoCs)
  Processes:
  pid  | pid_target | process      | target process
  2072 | 3512       | WerFault.exe | vbc.exe
  3432 | 5064       | WerFault.exe | 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                          | pid  | process                                                                   | target process
  PID 5064 wrote to memory of 3512     | 5064 | 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe | vbc.exe
  PID 5064 wrote to memory of 3512     | 5064 | 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe | vbc.exe
  PID 5064 wrote to memory of 3512     | 5064 | 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe | vbc.exe
  PID 5064 wrote to memory of 3512     | 5064 | 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe | vbc.exe
  PID 5064 wrote to memory of 3512     | 5064 | 84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe | vbc.exe
Processes (tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\84374cb55c56fb530ef4f83f655ffeb7463e8c0452d7f13d57535d9e032e761f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 12
      - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 140
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5064 -ip 5064
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3512 -ip 3512