3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe
Size

1.9MB
MD5

3fd3a5baf7672d10cc88b3bf9f7c9c34
SHA1

2200831ca36c593ac1ab41d12a73ee879185b196
SHA256

3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786
SHA512

fabc2b8c84d6ecaaad118f7ad3178ce789b005b103d96f4489f28e25f03bf27433d9a89b022ff04e65a960b04fc552eaa3794db646bb8ced851859d7cd6a186b
SSDEEP

24576:p7mDJX49Dz+Hj77A0nygsz1bOR7bIK9PtoX9H8LRCef9g9j3:p/9Dz+HLtnMIR7/tdHi

Score

7^/10

spyware

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 888	2796	3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe	90

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe
888	vbc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 888	2796	3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe	90
PID 2796 wrote to memory of 888	2796	3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe	90
PID 2796 wrote to memory of 888	2796	3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe	90
PID 2796 wrote to memory of 888	2796	3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe	90
PID 2796 wrote to memory of 888	2796	3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe	90

C:\Users\Admin\AppData\Local\Temp\3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3c21b05bcaa6c46f2ace60ecfad5966ba7079fea0ddd02f2037c016b53322786_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-2-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/888-9-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2796-0-0x0000000000C10000-0x0000000000E52000-memory.dmp

Filesize
2.3MB

Download
memory/2796-1-0x0000000000C10000-0x0000000000E52000-memory.dmp

Filesize
2.3MB

Download
memory/2796-8-0x0000000000C10000-0x0000000000E52000-memory.dmp

Filesize
2.3MB

Download