edd4c28b27289b8154d0cb6a487abef68f79087f554b02eace45e4ee8dd95325

General

Target

file.exe
Size

4.0MB
MD5

4879c56a17e0a0870e2b516b1c692509
SHA1

e4c12cc04b9405233628a71a8accf158e285aad6
SHA256

edd4c28b27289b8154d0cb6a487abef68f79087f554b02eace45e4ee8dd95325
SHA512

8aa8de09b36ec5c979a56f69b67cb95e8b7287078ad79ce5a3af8425e494dcfe3befb7e19270be29af982a2ab46fc32554a2561927b8164572f606e3a7310747
SSDEEP

98304:c6LMazMnUrV8xRyGguqPW7YBshTe5WepB:xHMUrVuyGgLPLBIKRpB

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

file.exe

pid	process
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe
2276	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 2276 file.exe

description	pid	process
Token: SeDebugPrivilege	2276	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exe

description	pid	process	target process
PID 2276 wrote to memory of 4848	2276	file.exe	jsc.exe
PID 2276 wrote to memory of 4848	2276	file.exe	jsc.exe
PID 2276 wrote to memory of 4848	2276	file.exe	jsc.exe
PID 2276 wrote to memory of 4736	2276	file.exe	dfsvc.exe
PID 2276 wrote to memory of 4736	2276	file.exe	dfsvc.exe
PID 2276 wrote to memory of 4912	2276	file.exe	csc.exe
PID 2276 wrote to memory of 4912	2276	file.exe	csc.exe
PID 2276 wrote to memory of 4804	2276	file.exe	cvtres.exe
PID 2276 wrote to memory of 4804	2276	file.exe	cvtres.exe
PID 2276 wrote to memory of 4920	2276	file.exe	Microsoft.Workflow.Compiler.exe
PID 2276 wrote to memory of 4920	2276	file.exe	Microsoft.Workflow.Compiler.exe
PID 2276 wrote to memory of 4844	2276	file.exe	aspnet_regiis.exe
PID 2276 wrote to memory of 4844	2276	file.exe	aspnet_regiis.exe
PID 2276 wrote to memory of 4928	2276	file.exe	CasPol.exe
PID 2276 wrote to memory of 4928	2276	file.exe	CasPol.exe
PID 2276 wrote to memory of 2860	2276	file.exe	AddInProcess.exe
PID 2276 wrote to memory of 2860	2276	file.exe	AddInProcess.exe
PID 2276 wrote to memory of 900	2276	file.exe	aspnet_regsql.exe
PID 2276 wrote to memory of 900	2276	file.exe	aspnet_regsql.exe
PID 2276 wrote to memory of 1288	2276	file.exe	DataSvcUtil.exe
PID 2276 wrote to memory of 1288	2276	file.exe	DataSvcUtil.exe
PID 2276 wrote to memory of 2832	2276	file.exe	MSBuild.exe
PID 2276 wrote to memory of 2832	2276	file.exe	MSBuild.exe
PID 2276 wrote to memory of 4200	2276	file.exe	AppLaunch.exe
PID 2276 wrote to memory of 4200	2276	file.exe	AppLaunch.exe
PID 2276 wrote to memory of 4896	2276	file.exe	ngen.exe
PID 2276 wrote to memory of 4896	2276	file.exe	ngen.exe
PID 2276 wrote to memory of 4504	2276	file.exe	ComSvcConfig.exe
PID 2276 wrote to memory of 4504	2276	file.exe	ComSvcConfig.exe
PID 2276 wrote to memory of 1056	2276	file.exe	SMSvcHost.exe
PID 2276 wrote to memory of 1056	2276	file.exe	SMSvcHost.exe
PID 2276 wrote to memory of 2980	2276	file.exe	aspnet_wp.exe
PID 2276 wrote to memory of 2980	2276	file.exe	aspnet_wp.exe
PID 2276 wrote to memory of 1552	2276	file.exe	AddInProcess32.exe
PID 2276 wrote to memory of 1552	2276	file.exe	AddInProcess32.exe
PID 2276 wrote to memory of 1552	2276	file.exe	AddInProcess32.exe
PID 2276 wrote to memory of 4396	2276	file.exe	RegAsm.exe
PID 2276 wrote to memory of 4396	2276	file.exe	RegAsm.exe
PID 2276 wrote to memory of 2416	2276	file.exe	aspnet_regbrowsers.exe
PID 2276 wrote to memory of 2416	2276	file.exe	aspnet_regbrowsers.exe
PID 2276 wrote to memory of 2756	2276	file.exe	aspnet_compiler.exe
PID 2276 wrote to memory of 2756	2276	file.exe	aspnet_compiler.exe
PID 2276 wrote to memory of 3080	2276	file.exe	EdmGen.exe
PID 2276 wrote to memory of 3080	2276	file.exe	EdmGen.exe
PID 2276 wrote to memory of 2128	2276	file.exe	ServiceModelReg.exe
PID 2276 wrote to memory of 2128	2276	file.exe	ServiceModelReg.exe
PID 2276 wrote to memory of 4604	2276	file.exe	AddInUtil.exe
PID 2276 wrote to memory of 4604	2276	file.exe	AddInUtil.exe
PID 2276 wrote to memory of 1540	2276	file.exe	RegSvcs.exe
PID 2276 wrote to memory of 1540	2276	file.exe	RegSvcs.exe
PID 2276 wrote to memory of 3576	2276	file.exe	ngentask.exe
PID 2276 wrote to memory of 3576	2276	file.exe	ngentask.exe
PID 2276 wrote to memory of 448	2276	file.exe	vbc.exe
PID 2276 wrote to memory of 448	2276	file.exe	vbc.exe
PID 2276 wrote to memory of 3392	2276	file.exe	aspnet_state.exe
PID 2276 wrote to memory of 3392	2276	file.exe	aspnet_state.exe
PID 2276 wrote to memory of 536	2276	file.exe	ilasm.exe
PID 2276 wrote to memory of 536	2276	file.exe	ilasm.exe
PID 2276 wrote to memory of 1900	2276	file.exe	mscorsvw.exe
PID 2276 wrote to memory of 1900	2276	file.exe	mscorsvw.exe
PID 2276 wrote to memory of 1904	2276	file.exe	WsatConfig.exe
PID 2276 wrote to memory of 1904	2276	file.exe	WsatConfig.exe
PID 2276 wrote to memory of 1792	2276	file.exe	InstallUtil.exe
PID 2276 wrote to memory of 1792	2276	file.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:4848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:4736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
2⤵
PID:4912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:4804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:4920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:4844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:4928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
2⤵
PID:2860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:1288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:2832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:4200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:4896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:4504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:1056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:2980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
PID:1552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:4396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:2416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:2756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:3080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:2128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:4604

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:1540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
2⤵
PID:3576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
2⤵
PID:448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:3392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:1900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
2⤵
PID:1904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2276-132-0x000002228C590000-0x000002228C998000-memory.dmp

Filesize
4.0MB

Download
memory/2276-133-0x00007FF852980000-0x00007FF853441000-memory.dmp

Filesize
10.8MB

Download
memory/2276-134-0x00007FF852980000-0x00007FF853441000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing