399274b2f4aa63df4980510b9c9dc40bcc9fea80b99e252f10f55ff990903b65

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-02-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe
Size

138KB
MD5

9b2f4cd8c0828c11bf2520e8c2f0cb3a
SHA1

8ec75231333ba8ee54386184de5b2e0989101759
SHA256

399274b2f4aa63df4980510b9c9dc40bcc9fea80b99e252f10f55ff990903b65
SHA512

498a60c39582bbfd38b03586388ba29a295a193b4160318ca04c178df7113efbee4c61b45f57530c756c2f3ad19ef073f647615d021fc7020c702263b6037a6f
SSDEEP

3072:d4ECnTdGKWshMkLjOtng1v7hwCx3Xhf7az5yt5R:yEe8AhMkHXFvxnZ7G8

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2452	vbc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28
PID 1768 wrote to memory of 2452	1768	9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe	28

C:\Users\Admin\AppData\Local\Temp\9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe
"C:\Users\Admin\AppData\Local\Temp\9b2f4cd8c0828c11bf2520e8c2f0cb3a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-0-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-1-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-2-0x0000000000190000-0x00000000001D0000-memory.dmp

Filesize
256KB

Download
memory/1768-6-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2452-9-0x0000000000420000-0x0000000000487000-memory.dmp

Filesize
412KB

Download
memory/2452-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download