ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97

Analysis

max time kernel
185s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe
Size

605KB
MD5

7a2faea482515e8751b5147ed5df3821
SHA1

9fe1dde50ef1dd314e9aa3c76ed565880881e073
SHA256

ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97
SHA512

8a33c65f20fc63f28631b0b0fc39f7ec19ac1f1691df42856abd1adf379cefcce74412f54afb75c86e38ea38fc111ace4bc137225fecd9e8f8f71d36356e36cb
SSDEEP

12288:r1Ia5uiSC/HRZMOwm6QR2Q+4C17gLX7pzF/6nNWIRWTWTiCn:r3Em6aNq17m9zF/6N

Score

7^/10

persistence

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Flash Player Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe_Flash_Player.exe"	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe

description	pid	process	target process
PID 2000 wrote to memory of 1864	2000	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 2000 wrote to memory of 1864	2000	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 2000 wrote to memory of 1864	2000	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 2000 wrote to memory of 704	2000	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 2000 wrote to memory of 704	2000	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe
PID 2000 wrote to memory of 704	2000	ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe
"C:\Users\Admin\AppData\Local\Temp\ecd9d925c12e694c8abc30f785b00b4e6bf7718f33d08b2703c014fd4c06ec97.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
PID:704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-132-0x00007FF86EAF0000-0x00007FF86F526000-memory.dmp

Filesize
10.2MB

Download