Analysis
max time kernel: 149s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 18:31
Static task: static1
Behavioral task: behavioral1
Sample: 2A12326F3BC0714BF663D300D40816AF39E9707698056.exe
Resource: win7-20221111-en (windows7-x64)
4 signatures, 150 seconds
General
Target: 2A12326F3BC0714BF663D300D40816AF39E9707698056.exe
Size: 144KB
MD5: ce9e2ad824abec4012ffe21ea8b2f66d
SHA1: fe617860049990a67b18950660e6276e3c7ee970
SHA256: 2a12326f3bc0714bf663d300d40816af39e9707698056d82f3b5a5046c304566
SHA512: fbb16ebdd147f5f7e7937fe1d3bcc506914b7d742245a031d8831739608542df6415807b747aaab95a05cfc58724bec91b1f8720b0c2def5e66d3200cd16c74a
SSDEEP: 768:xnnhlLxfF9oifeLc6WDK+w0kabRAUn1vh+vPqVOz7T2QbYtm6uROAhr:nlb9oIKWDK+w0ZbRhn1vh+v/T3Y46uD
Malware Config
Extracted
Family: erbium
C2: 77.73.133.53
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                                             procid_target
  PID 4272 set thread context of 1248  4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   Process                                             procid_target
  PID 4272 wrote to memory of 1248   4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
  PID 4272 wrote to memory of 1248   4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
  PID 4272 wrote to memory of 1248   4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
  PID 4272 wrote to memory of 1248   4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
  PID 4272 wrote to memory of 1248   4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
  PID 4272 wrote to memory of 1248   4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
  PID 4272 wrote to memory of 1248   4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
  PID 4272 wrote to memory of 1248   4272  2A12326F3BC0714BF663D300D40816AF39E9707698056.exe  83
Processes
- C:\Users\Admin\AppData\Local\Temp\2A12326F3BC0714BF663D300D40816AF39E9707698056.exe (PID 4272)
  command line: "C:\Users\Admin\AppData\Local\Temp\2A12326F3BC0714BF663D300D40816AF39E9707698056.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1248, child of PID 4272)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
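The parent (PID 4272) repeatedly writing into a vbc.exe child it just spawned (PID 1248) and then calling SetThreadContext on it is the API sequence of process hollowing: a legitimate, signed .NET Framework binary is started, its memory is overwritten with the payload, and the main thread's context is redirected into it. Two details make this stand out as a check rather than a guess: vbc.exe is never launched with an empty command line by real build tooling (the compiler always receives source files and output switches), and a parent running out of the user's Temp directory has no business writing into a compiler process. The report does not show the suspended-creation flag or any section unmap/map calls, so the pattern is consistent with hollowing rather than proof of it. The Python below is an added triage example, not part of the sandbox report or of the Erbium sample; it parses rows in the shape of the signature descriptions above and the process list, and flags parent-to-child pairs that show both API families, raising confidence when the child is a known hollowing host started without arguments. The process list, the benign build-tool control, and the HOLLOW_HOSTS allowlist are constructed assumptions for this example.

```python
import re
from collections import Counter, defaultdict

# Legitimate, signed .NET Framework binaries that commodity loaders commonly
# start and overwrite. Hypothetical allowlist for this example; baseline it
# against your own environment before using it for detection.
HOLLOW_HOSTS = {
    "vbc.exe", "csc.exe", "cvtres.exe", "regasm.exe", "regsvcs.exe",
    "msbuild.exe", "installutil.exe", "aspnet_compiler.exe", "applaunch.exe",
}

# Constructed sample input mirroring the report above: the process list and
# the "description" column of the SetThreadContext / WriteProcessMemory rows.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2A12326F3BC0714BF663D300D40816AF39E9707698056.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
PROCESSES = [
    {"pid": 4272, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1248, "ppid": 4272, "image": VBC, "cmdline": f'"{VBC}"'},
]
SIGNATURE_ROWS = ["PID 4272 set thread context of 1248"] + ["PID 4272 wrote to memory of 1248"] * 8

# Constructed benign control: a build tool invoking the compiler with real
# arguments and no cross-process memory writes or thread-context changes.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
BENIGN_PROCESSES = [
    {"pid": 800, "ppid": 0, "image": MSBUILD, "cmdline": f'"{MSBUILD}" app.vbproj'},
    {"pid": 900, "ppid": 800, "image": VBC, "cmdline": f'"{VBC}" /noconfig /out:app.dll Module1.vb'},
]

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)$")


def parse_rows(rows):
    """Map (source pid, target pid) -> Counter of API families observed."""
    edges = defaultdict(Counter)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # skip rows in a shape we do not recognise instead of failing
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        api = "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory"
        edges[(src, dst)][api] += 1
    return edges


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline):
    """True when the command line is only the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.split(" ", 1)[1] if " " in s else ""
    return rest.strip() == ""


def find_hollowing(processes, rows):
    """Flag children whose parent both wrote into them and re-pointed a thread."""
    edges = parse_rows(rows)
    by_pid = {p["pid"]: p for p in processes}
    alerts = []
    for child in processes:
        parent = by_pid.get(child["ppid"])
        if parent is None:
            continue
        apis = edges.get((parent["pid"], child["pid"]), Counter())
        if not (apis["WriteProcessMemory"] and apis["SetThreadContext"]):
            continue  # one API alone (debuggers, crash handlers) is not enough
        reasons = ["parent wrote to child memory and set a thread context"]
        known_host = basename(child["image"]) in HOLLOW_HOSTS
        argless = has_no_arguments(child["cmdline"])
        if known_host:
            reasons.append("child is a known hollowing host")
        if argless:
            reasons.append("child launched without arguments")
        alerts.append({
            "pid": child["pid"], "ppid": parent["pid"], "image": child["image"],
            "writes": apis["WriteProcessMemory"],
            "confidence": "high" if known_host and argless else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_hollowing(PROCESSES, SIGNATURE_ROWS):
        print(alert)
    print(find_hollowing(BENIGN_PROCESSES, []))  # benign build: no alerts
```

Run against the report's rows this yields one high-confidence alert for PID 1248 with eight recorded writes, and nothing for the MSBuild control. On a live host the same logic maps onto Sysmon Event ID 10 (ProcessAccess with PROCESS_VM_WRITE and THREAD_SET_CONTEXT rights) joined to Event ID 1 for the child's command line; the argument-less compiler check is the cheap filter that separates hollowing from real compilation.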