Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 08:44
Static task
static1
Behavioral task
behavioral1
Sample
ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe
Resource
win10v2004-20221111-en
General
-
Target
ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe
-
Size
605KB
-
MD5
7a2faea482515e8751b5147ed5df3821
-
SHA1
9fe1dde50ef1dd314e9aa3c76ed565880881e073
-
SHA256
ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97
-
SHA512
8a33c65f20fc63f28631b0b0fc39f7ec19ac1f1691df42856abd1adf379cefcce74412f54afb75c86e38ea38fc111ace4bc137225fecd9e8f8f71d36356e36cb
-
SSDEEP
12288:r1Ia5uiSC/HRZMOwm6QR2Q+4C17gLX7pzF/6nNWIRWTWTiCn:r3Em6aNq17m9zF/6N
Malware Config
Signatures
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Player Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe_Flash_Player.exe" ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exedescription pid process target process PID 832 wrote to memory of 1256 832 ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe vbc.exe PID 832 wrote to memory of 1256 832 ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe vbc.exe PID 832 wrote to memory of 1256 832 ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe vbc.exe PID 832 wrote to memory of 1256 832 ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe vbc.exe PID 832 wrote to memory of 2012 832 ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe vbc.exe PID 832 wrote to memory of 2012 832 ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe vbc.exe PID 832 wrote to memory of 2012 832 ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe vbc.exe PID 832 wrote to memory of 2012 832 ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe"C:\Users\Admin\AppData\Local\Temp\ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵PID:1256
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe2⤵PID:2012