2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d

Analysis

max time kernel
84s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
Size

1.1MB
MD5

03ce9015af0ef971e98d2dba83a3afd6
SHA1

1cf9797ff0f5c61dbb7efa4c6ed3e5cd10bca40c
SHA256

2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d
SHA512

7bff23a60fe8d6535a796a2f31398d333ca7bd0be84ba19c7c5c96af6c067b11fec94a648fc80fa442f4c96e79ad6e62e308c2086ce894296f86ae9941d9316b
SSDEEP

24576:DYSY2O/D45coTCaQkN4NUlPDYI5Qqu7JFZvJY:USDO/mcoCaQSl7A/9

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2500	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	92
PID 4484 wrote to memory of 2500	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	92
PID 4484 wrote to memory of 2500	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	92
PID 4484 wrote to memory of 2108	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	93
PID 4484 wrote to memory of 2108	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	93
PID 4484 wrote to memory of 2108	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	93
PID 4484 wrote to memory of 4752	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	94
PID 4484 wrote to memory of 4752	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	94
PID 4484 wrote to memory of 4752	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	94
PID 4484 wrote to memory of 4232	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	95
PID 4484 wrote to memory of 4232	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	95
PID 4484 wrote to memory of 4232	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	95
PID 4484 wrote to memory of 4416	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	96
PID 4484 wrote to memory of 4416	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	96
PID 4484 wrote to memory of 4416	4484	2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe	96

C:\Users\Admin\AppData\Local\Temp\2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe
"C:\Users\Admin\AppData\Local\Temp\2fed0d020470afbcb42ea16cbedd103a50ccf86fa10f71252a8307de740c3b9d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4484-133-0x0000000000520000-0x0000000000648000-memory.dmp

Filesize
1.2MB

Download
memory/4484-134-0x0000000005530000-0x0000000005AD4000-memory.dmp

Filesize
5.6MB

Download
memory/4484-135-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/4484-136-0x00000000051B0000-0x00000000051BA000-memory.dmp

Filesize
40KB

Download
memory/4484-137-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/4484-138-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/4484-139-0x0000000006FC0000-0x000000000705C000-memory.dmp

Filesize
624KB

Download