abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159

Analysis

max time kernel
46s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/03/2023, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vbc.exe
Size

812KB
MD5

4f57c474b77a208ee4d212894b3512d2
SHA1

41d369bc50e40fc80054e215d3b2ff44be10c08e
SHA256

abbc3fed4f82fe9afe22de485ec621e13bb0890d633e9c57ba5ebb2fe66b7159
SHA512

0d7efaba27a0564ed224edc0fba642e93676d3c2c561a58887ca925870bc09eb1dda9b9617428247761386aff630ad052a832f698b054d434b82456e80707d25
SSDEEP

24576:0EXVZ9a++LeZLGjl66eaCku6e4XCi/EJq9:330LDJUaCG1wJq

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1148	vbc.exe
1148	vbc.exe
1148	vbc.exe
1148	vbc.exe
1148	vbc.exe
1148	vbc.exe
1148	vbc.exe
1148	vbc.exe
1148	vbc.exe
1148	vbc.exe
568	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	vbc.exe
Token: SeDebugPrivilege	568	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 568	1148	vbc.exe	28
PID 1148 wrote to memory of 568	1148	vbc.exe	28
PID 1148 wrote to memory of 568	1148	vbc.exe	28
PID 1148 wrote to memory of 568	1148	vbc.exe	28
PID 1148 wrote to memory of 1060	1148	vbc.exe	30
PID 1148 wrote to memory of 1060	1148	vbc.exe	30
PID 1148 wrote to memory of 1060	1148	vbc.exe	30
PID 1148 wrote to memory of 1060	1148	vbc.exe	30
PID 1148 wrote to memory of 1392	1148	vbc.exe	32
PID 1148 wrote to memory of 1392	1148	vbc.exe	32
PID 1148 wrote to memory of 1392	1148	vbc.exe	32
PID 1148 wrote to memory of 1392	1148	vbc.exe	32
PID 1148 wrote to memory of 768	1148	vbc.exe	33
PID 1148 wrote to memory of 768	1148	vbc.exe	33
PID 1148 wrote to memory of 768	1148	vbc.exe	33
PID 1148 wrote to memory of 768	1148	vbc.exe	33
PID 1148 wrote to memory of 892	1148	vbc.exe	34
PID 1148 wrote to memory of 892	1148	vbc.exe	34
PID 1148 wrote to memory of 892	1148	vbc.exe	34
PID 1148 wrote to memory of 892	1148	vbc.exe	34
PID 1148 wrote to memory of 1500	1148	vbc.exe	35
PID 1148 wrote to memory of 1500	1148	vbc.exe	35
PID 1148 wrote to memory of 1500	1148	vbc.exe	35
PID 1148 wrote to memory of 1500	1148	vbc.exe	35
PID 1148 wrote to memory of 1144	1148	vbc.exe	36
PID 1148 wrote to memory of 1144	1148	vbc.exe	36
PID 1148 wrote to memory of 1144	1148	vbc.exe	36
PID 1148 wrote to memory of 1144	1148	vbc.exe	36

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\afVxDcSOLVQXKW.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\afVxDcSOLVQXKW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB45.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  PID:768
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  PID:892
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
  2⤵
  PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBB45.tmp

Filesize
1KB

MD5
2fea1e8073b2b22aaf53feafdf68f88a

SHA1
6d728cee7b30725433bba793605c6f94a1aded68

SHA256
f2ce03e0e3824cb892640307a5e7181bf7d835494997f716425a6bed76dac302

SHA512
477155b89e2386e3550608ad1817b4e7b2158ca38ffe647ded0d5591d91df97b0fea5f119a8615e456ee353615e7a31109a185767d1df00fdd4fd53aa1508cbe

Download Submit
memory/568-68-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/568-69-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/568-70-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/1148-54-0x0000000000340000-0x0000000000410000-memory.dmp

Filesize
832KB

Download
memory/1148-55-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1148-56-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/1148-57-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1148-58-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1148-59-0x0000000005830000-0x00000000058E0000-memory.dmp

Filesize
704KB

Download
memory/1148-67-0x00000000049D0000-0x0000000004A08000-memory.dmp

Filesize
224KB

Download