01ee39dcccaa4c07c5f561e68557c3bf316809c82f156a99d03a5ed55e510e96

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
16-11-2022 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

495KB
MD5

6ad201444bc392451ffdde0ac9c6249d
SHA1

789bf76655e304bc52698de43c553e902a494e1e
SHA256

01ee39dcccaa4c07c5f561e68557c3bf316809c82f156a99d03a5ed55e510e96
SHA512

c0c75b5476abf61f3986f54a2151e76632ad9ce7fcb844acbc9d19e47aa92397c4208bf62a85d2578b2991e8cb591c023a3c8550aa59f1ba401ff69b82fb8ad8
SSDEEP

12288:65z183Z0RwnuD9VHG5m6b+5rPuAaX5nKr3:sG0qm6orY5nM

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

C4Loader.exe

description pid process target process

PID 1436 set thread context of 1688 1436 C4Loader.exe vbc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1628 1436 WerFault.exe C4Loader.exe

description	pid	process	target process
PID 1436 set thread context of 1688	1436	C4Loader.exe	vbc.exe

pid	pid_target	process	target process
1628	1436	WerFault.exe	C4Loader.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

C4Loader.exe

description	pid	process	target process
PID 1436 wrote to memory of 1688	1436	C4Loader.exe	vbc.exe
PID 1436 wrote to memory of 1688	1436	C4Loader.exe	vbc.exe
PID 1436 wrote to memory of 1688	1436	C4Loader.exe	vbc.exe
PID 1436 wrote to memory of 1688	1436	C4Loader.exe	vbc.exe
PID 1436 wrote to memory of 1688	1436	C4Loader.exe	vbc.exe
PID 1436 wrote to memory of 1688	1436	C4Loader.exe	vbc.exe
PID 1436 wrote to memory of 1628	1436	C4Loader.exe	WerFault.exe
PID 1436 wrote to memory of 1628	1436	C4Loader.exe	WerFault.exe
PID 1436 wrote to memory of 1628	1436	C4Loader.exe	WerFault.exe
PID 1436 wrote to memory of 1628	1436	C4Loader.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 52
2⤵
- Program crash
PID:1628

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-63-0x0000000000000000-mapping.dmp

Download
memory/1688-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1688-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1688-62-0x0000000000401159-mapping.dmp

Download