b526ee0de0fac93563730dfd03d7c647f658db2ef54b327a2c8f85e7fab04755

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10-10-2023 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe
Size

1.9MB
MD5

b0f43da8d5e294f83d9acaeee4023888
SHA1

6f050ea88b1f005ebc8a09b385f609214c15d9d7
SHA256

fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105
SHA512

b33d2d3e7e38ea32b89d0573321e83090632ec81e684072f5d35f49295e21b1a7ca2d66a9af739f3b3228e78e3c7b8c143c0513371b49a137b4c17eab3aca60d
SSDEEP

24576:7LdoWOG0h0DlBtcuRvfxsSc/JgVkmw24kBMM0:2G0h0DdvzQgVkmY

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 2444	1148	fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe	1

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2764	2444	WerFault.exe	1

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2444	1148	fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe	1
PID 1148 wrote to memory of 2444	1148	fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe	1
PID 1148 wrote to memory of 2444	1148	fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe	1
PID 1148 wrote to memory of 2444	1148	fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe	1
PID 1148 wrote to memory of 2444	1148	fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe	1
PID 1148 wrote to memory of 2444	1148	fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe	1
PID 2444 wrote to memory of 2764	2444	vbc.exe	30
PID 2444 wrote to memory of 2764	2444	vbc.exe	30
PID 2444 wrote to memory of 2764	2444	vbc.exe	30
PID 2444 wrote to memory of 2764	2444	vbc.exe	30

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 740
  2⤵
  - Program crash
  PID:2764

C:\Users\Admin\AppData\Local\Temp\fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe
"C:\Users\Admin\AppData\Local\Temp\fa98feb0fc8ff8b25659427c063181b1d05600900959b0eb4f478a0688d7f105.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1148-11-0x0000000000E20000-0x0000000001055000-memory.dmp

Filesize
2.2MB

Download
memory/1148-1-0x0000000000E20000-0x0000000001055000-memory.dmp

Filesize
2.2MB

Download
memory/1148-0-0x0000000000E20000-0x0000000001055000-memory.dmp

Filesize
2.2MB

Download
memory/2444-10-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2444-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2444-3-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2444-2-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download