ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe
Size

605KB
MD5

7a2faea482515e8751b5147ed5df3821
SHA1

9fe1dde50ef1dd314e9aa3c76ed565880881e073
SHA256

ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97
SHA512

8a33c65f20fc63f28631b0b0fc39f7ec19ac1f1691df42856abd1adf379cefcce74412f54afb75c86e38ea38fc111ace4bc137225fecd9e8f8f71d36356e36cb
SSDEEP

12288:r1Ia5uiSC/HRZMOwm6QR2Q+4C17gLX7pzF/6nNWIRWTWTiCn:r3Em6aNq17m9zF/6N

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Player Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe_Flash_Player.exe"	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe

description	pid	process	target process
PID 832 wrote to memory of 1256	832	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 832 wrote to memory of 1256	832	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 832 wrote to memory of 1256	832	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 832 wrote to memory of 1256	832	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 832 wrote to memory of 2012	832	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 832 wrote to memory of 2012	832	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 832 wrote to memory of 2012	832	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 832 wrote to memory of 2012	832	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe
"C:\Users\Admin\AppData\Local\Temp\ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
PID:1256

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
PID:2012

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/832-54-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmp

Filesize
10.1MB

Download
memory/832-55-0x000007FEEEC10000-0x000007FEEFCA6000-memory.dmp

Filesize
16.6MB

Download
memory/832-56-0x0000000000BB6000-0x0000000000BD5000-memory.dmp

Filesize
124KB

Download