Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-11-2024 20:32

General

  • Target

    malware/vbc.exe

  • Size

    231KB

  • MD5

    72b2e84c1aec86b5c955ff098d7fd8b7

  • SHA1

    20f9c563206eff907cfad0723988de58872bc93e

  • SHA256

    1b26f49cdc29c81ea4d8f5571349e835662bca7881608dce0d13e86798dd9ac4

  • SHA512

    e5d062f0b105332ffa06f3e13c5ecc0dd66fc58bb631f31bd85b4a60f138ff2e127550eec6dbd47cb644ea2def1aa1fcb473a4db2c36752946798998e2adadaa

  • SSDEEP

    6144:HNeZmGsX4gDALdTQQNUofXRkvlNEH/T2UfL:HNlGsXP0+QNUoINeq6

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\malware\vbc.exe
    "C:\Users\Admin\AppData\Local\Temp\malware\vbc.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5060
    • C:\Users\Admin\AppData\Local\Temp\rywcikv.exe
      C:\Users\Admin\AppData\Local\Temp\rywcikv.exe C:\Users\Admin\AppData\Local\Temp\tmogtpc
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4132
      • C:\Users\Admin\AppData\Local\Temp\rywcikv.exe
        C:\Users\Admin\AppData\Local\Temp\rywcikv.exe C:\Users\Admin\AppData\Local\Temp\tmogtpc
        3⤵
          PID:2132
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 528
          3⤵
          • Program crash
          PID:1856
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4132 -ip 4132
      1⤵
        PID:2324

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hcwh42mnqly0g

    Filesize

    211KB

    MD5

    21f599b33d9f3a8ca3d08426d239734e

    SHA1

    5f210888f57e03d5b888487b3b8e0317c8d0541d

    SHA256

    3e9b6fdc2ef03d3ce4153f7afbb72ecec4ff6d7d0a01f2953b0288e479421adf

    SHA512

    24cc265cceb2ea7bd40c9be85fb788b4a3b5bf5300fc6507aac00097124c574ba2afb028f0485312575a92f3de70c25abeac4f879f833201997b1382ce3177ad

  • C:\Users\Admin\AppData\Local\Temp\rywcikv.exe

    Filesize

    4KB

    MD5

    1c8099bf75f0b18987ddfdde63e52d60

    SHA1

    d613404fd561ed3bcb44d1d9e949dc08bb7950ca

    SHA256

    d16719d16c1da558db23766d79a44613e3ca6519d2fc81a167b62d8e39ede0e3

    SHA512

    7bd7df1775ad0cf9d6be44019104ddde47180da262aabb1c900aa36727c73343c9f33a0e72f5bd119dba4f9937117faac47d0d2dddf1876da1ffb0f4136623c9

  • C:\Users\Admin\AppData\Local\Temp\tmogtpc

    Filesize

    4KB

    MD5

    a21c8cb7478d2c976f0e54115bcabad4

    SHA1

    e7474a6503e7d6720745264585ec2211d6ea0971

    SHA256

    9da18fd1aec201c5ea38fb6bccd95dfd0067b62703b002f00442edcd800e6c10

    SHA512

    0dd849ca1233fb31cbbb8c3ebcca56be9f37b74fe5af1a83bb2b33cf45d62adcee23e9caed0231b30da5e868d35395e2b399697404c9ddb06371e5ba9f2467f2

  • memory/4132-8-0x00000000004A0000-0x00000000004A2000-memory.dmp

    Filesize

    8KB