af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9

General

Target

af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe
Size

636KB
MD5

ecb0c16d3841ac90be6c7088a4318796
SHA1

628afc91a2b250a8ec003c29e72522ceb2271172
SHA256

af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9
SHA512

58cb7005206dcad9afab7a0a0c5065cbff13ffe8d227c13ab0e3d485aa7366453339196419a546680dbb365b76636c0f1c1fd0002600e306d12cc57312d20696
SSDEEP

12288:woZB7TepbosaV5jTuQzA6VPSrAtQwbafJOMIXlpZVv7GCckZWu+KfsX36j96g:woZo7i5uQz9VPEfwbuJOMI19vqChZW3e

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1160	vbc.exe

Loads dropped DLL 1 IoCs

pid	Process
428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 428 set thread context of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28
PID 428 wrote to memory of 1160	428	af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe	28

C:\Users\Admin\AppData\Local\Temp\af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe
"C:\Users\Admin\AppData\Local\Temp\af03c3debd39ad7009d9c1f3f7c804479a5b3f45db7834da301185be946c36c9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:428
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/428-55-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/428-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/428-67-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/1160-66-0x0000000000260000-0x00000000002A7000-memory.dmp

Filesize
284KB

Download
memory/1160-73-0x00000000006F0000-0x0000000000737000-memory.dmp

Filesize
284KB

Download
memory/1160-62-0x00000000004013A8-mapping.dmp

Download
memory/1160-60-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1160-64-0x00000000001C0000-0x0000000000207000-memory.dmp

Filesize
284KB

Download
memory/1160-65-0x0000000000210000-0x0000000000257000-memory.dmp

Filesize
284KB

Download
memory/1160-58-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1160-57-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1160-68-0x00000000002B0000-0x00000000002F7000-memory.dmp

Filesize
284KB

Download
memory/1160-69-0x0000000000470000-0x00000000004B7000-memory.dmp

Filesize
284KB

Download
memory/1160-70-0x00000000004C0000-0x0000000000507000-memory.dmp

Filesize
284KB

Download
memory/1160-61-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1160-75-0x0000000000790000-0x00000000007D7000-memory.dmp

Filesize
284KB

Download
memory/1160-77-0x0000000000830000-0x0000000000877000-memory.dmp

Filesize
284KB

Download
memory/1160-79-0x00000000008D0000-0x0000000000917000-memory.dmp

Filesize
284KB

Download
memory/1160-78-0x0000000000880000-0x00000000008C7000-memory.dmp

Filesize
284KB

Download
memory/1160-81-0x0000000000970000-0x00000000009B7000-memory.dmp

Filesize
284KB

Download
memory/1160-80-0x0000000000920000-0x0000000000967000-memory.dmp

Filesize
284KB

Download
memory/1160-76-0x00000000007E0000-0x0000000000827000-memory.dmp

Filesize
284KB

Download
memory/1160-74-0x0000000000740000-0x0000000000787000-memory.dmp

Filesize
284KB

Download
memory/1160-72-0x0000000000560000-0x00000000005A7000-memory.dmp

Filesize
284KB

Download
memory/1160-71-0x0000000000510000-0x0000000000557000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing