0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10

Analysis

max time kernel
35s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 11:44

Target

vbc(1).exe
Size

694KB
MD5

5113abb28878ff293661fc23685a48bf
SHA1

175aa3169fe7112cead1a550dd702c552bbe832c
SHA256

0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10
SHA512

c4e447cba8dafa4f9744e09a2bbd39b1c59025f1d2f5cf879f0fbae121779a56e42174580cfbd760c48e55a5c997cdec96d1189a4724ff4a6f06d3632dda780f
SSDEEP

12288:RIn+H+LD9IlljoZ9bQGhQwDZF4J40l+BrNGqWOl1u/OfzgYWvwddkydK4akFXRyy:RILOHjoDQGhHQ40loJGts42fz4YTkydp

Score

7^/10

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

vbc(1).exe

pid process

1348 vbc(1).exe
1348 vbc(1).exe
1348 vbc(1).exe
1348 vbc(1).exe
1348 vbc(1).exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc(1).exe

description pid process

Token: SeDebugPrivilege 1348 vbc(1).exe

description	pid	process
Token: SeDebugPrivilege	1348	vbc(1).exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

vbc(1).exe

description	pid	process	target process
PID 1348 wrote to memory of 1724	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1724	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1724	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1724	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 2032	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 2032	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 2032	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 2032	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1752	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1752	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1752	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1752	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 936	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 936	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 936	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 936	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1100	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1100	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1100	1348	vbc(1).exe	vbc.exe
PID 1348 wrote to memory of 1100	1348	vbc(1).exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\vbc(1).exe
"C:\Users\Admin\AppData\Local\Temp\vbc(1).exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1100

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1348-54-0x0000000001210000-0x00000000012C4000-memory.dmp

Filesize
720KB

Download
memory/1348-55-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download