a5d8eac92699a2e8870775b0eb150bb3fdedf4e86f6b0a26a122ad5f7e9fd3c2

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe
Size

119KB
MD5

d9a2313ebd1f9d41687e127028bc230e
SHA1

b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1
SHA256

a5d8eac92699a2e8870775b0eb150bb3fdedf4e86f6b0a26a122ad5f7e9fd3c2
SHA512

4ee00a77199e82d63967f9731a5dd101f2dcec52584337dff306c2d5b71dfa4d83ac473617da0b022d301f8878b5cd835b18a35603fbe9dd7682064dc30264be
SSDEEP

3072:EcJw0ADKnZ1bEGSzLu1XlEWb3MeUn3PAngc13Aa99sXcc:/W3IZ1bgQlExeUcN99sXcc

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 1172	852	b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe	29

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1172	852	b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe	29
PID 852 wrote to memory of 1172	852	b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe	29
PID 852 wrote to memory of 1172	852	b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe	29
PID 852 wrote to memory of 1172	852	b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe	29
PID 852 wrote to memory of 1172	852	b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe	29
PID 852 wrote to memory of 1172	852	b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe	29

C:\Users\Admin\AppData\Local\Temp\b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe
"C:\Users\Admin\AppData\Local\Temp\b3e4aa7167322e62d0ab56f0ba11c3adfef87eb1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1172-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1172-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download