4f8d7a281594177b09abe8d9fdb7eab00c6d19466313486323222c6b22007e25

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131ed0b98ee2c1933efdad3de1b51aeb.exe
Size

600KB
MD5

131ed0b98ee2c1933efdad3de1b51aeb
SHA1

fcd38692f17e9435ed45ff833fb36d153edb7cc8
SHA256

4f8d7a281594177b09abe8d9fdb7eab00c6d19466313486323222c6b22007e25
SHA512

2dcaa624f8734e1c9c5061937c926196d04d39ed636a71c09ab80768cff28e0440e678f0e904dd876d484683410acd5da7cdb808fd689eebfda08c331fc335bc
SSDEEP

6144:rd5VDNwVBSS7Id4w5wLIoKhPBLXYpE4WfUnEkx6k1C14b2y:LVTScd48wUhhXYupu6k1CO

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3172	vbc.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3172-7-0x0000000000400000-0x0000000000473000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5080 set thread context of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96

Program crash 1 IoCs

pid	pid_target	Process
4144	3172	WerFault.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96
PID 5080 wrote to memory of 3172	5080	131ed0b98ee2c1933efdad3de1b51aeb.exe	96

C:\Users\Admin\AppData\Local\Temp\131ed0b98ee2c1933efdad3de1b51aeb.exe
"C:\Users\Admin\AppData\Local\Temp\131ed0b98ee2c1933efdad3de1b51aeb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  C:\Users\Admin\AppData\Local\Temp\vbc.exe
  2⤵
  - Executes dropped EXE
  PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3172 -ip 3172
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 148
1⤵
- Program crash
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
65KB

MD5
76e025765b75d95165c5185e779da509

SHA1
8cec34b47d6b43bec9ffd81dfd376cd3768cb5f9

SHA256
cdad6a4dd314403ea68766116c7c86004cab25cc884fa8962639cdad8eada8e3

SHA512
563dd657d2ca7a4b8897537e5b55a4034198d0d134fb678335d520242750a40e0514a74aab0bce8ef06d38a11267f694bc0cc3256ffb0ca09c3468034a681ab7

Download Submit
memory/3172-7-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/5080-0-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/5080-1-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/5080-2-0x0000000001300000-0x0000000001310000-memory.dmp

Filesize
64KB

Download
memory/5080-10-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download