ea33cbd89e89b2c4f93550567c73cc24db4d656b7f8a681321f06d23a6446ece

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-08-2023 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe
Size

14.0MB
MD5

a71609fea0887e5261e10f323719ed19
SHA1

405e439c837a15ca67d8ccf7a810ffb097173af4
SHA256

59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff
SHA512

2f75a1ce40e63dfdd7612501795a017bd98362f87b43ffabc142b9e3ad99f159ff97fbf3cf63e204fbd7a2c83d5e4fcb6eb06df92ed266562051fa2d22359c61
SSDEEP

12288:Csxmdj2NtdggxR2FCLDNToj5taAtw6J4lmEDHJy1XiIopXQXZnOa33w6HVtIuClJ:HdhxR2FiNToj5IAH+y2a33w6EbjvxVC

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe

description	pid	Process	procid_target
PID 2248 set thread context of 2200	2248	59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid	Process
2200	vbc.exe
2200	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description	pid	Process
Token: SeDebugPrivilege	2200	vbc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe

description	pid	Process	procid_target
PID 2248 wrote to memory of 2200	2248	59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe	28
PID 2248 wrote to memory of 2200	2248	59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe	28
PID 2248 wrote to memory of 2200	2248	59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe	28
PID 2248 wrote to memory of 2200	2248	59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe	28
PID 2248 wrote to memory of 2200	2248	59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe	28
PID 2248 wrote to memory of 2200	2248	59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe	28

C:\Users\Admin\AppData\Local\Temp\59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe
"C:\Users\Admin\AppData\Local\Temp\59bd3b30ff0e9c2d1d335cb7cd8d305fa047e79cd0873b1a02936d9d999a35ff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-2-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-6-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2200-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-10-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2200-11-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-12-0x0000000000CB0000-0x0000000000CF0000-memory.dmp

Filesize
256KB

Download
memory/2200-13-0x0000000073E60000-0x000000007454E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-0-0x0000000000FC0000-0x000000000115D000-memory.dmp

Filesize
1.6MB

Download
memory/2248-9-0x0000000000FC0000-0x000000000115D000-memory.dmp

Filesize
1.6MB

Download