Analysis

  • max time kernel
    136s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2024 07:26

General

  • Target

    Montants à justifier_DGFIP45921-2.vbs

  • Size

    352KB

  • MD5

    c465ada59596b24ce7ec12859f022d1f

  • SHA1

    ce4d09b3a355ed0f5f88bcdc1fcdac749862b728

  • SHA256

    ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d

  • SHA512

    b9563c08c2c76334d78e73b59e5a9450469e002030b28520231708e756185742bc96f115e887753a51512616e81e9a7f4a44d3314647c088c58bbe0f644b675f

  • SSDEEP

    1536:jh2F+VOLE9uko/3o1v4c4g2EePv/qcwUNQX3vGcXaA+7/BzGdZQn2sk82SCGZjjI:jeV1CZpyM

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Montants à justifier_DGFIP45921-2.vbs"
    1⤵
      PID:2652
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {94508DEB-5B4F-4C97-8A4E-D93252C87668} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\System32\WScript.exe
        C:\Windows\System32\WScript.exe "C:\Users\Admin\asy3.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\system32\wermgr.exe
            "C:\Windows\system32\wermgr.exe" "-outproc" "3028" "1244"
            4⤵
              PID:2004
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            3⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2532
            • C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "2532" "1240"
              4⤵
                PID:1152
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
              3⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1040
              • C:\Windows\system32\wermgr.exe
                "C:\Windows\system32\wermgr.exe" "-outproc" "1040" "1248"
                4⤵
                  PID:2100
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                3⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2128
                • C:\Windows\system32\wermgr.exe
                  "C:\Windows\system32\wermgr.exe" "-outproc" "2128" "1244"
                  4⤵
                    PID:2224
                • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1460
                  • C:\Windows\system32\wermgr.exe
                    "C:\Windows\system32\wermgr.exe" "-outproc" "1460" "1244"
                    4⤵
                      PID:2096
                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                    3⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:848
                    • C:\Windows\system32\wermgr.exe
                      "C:\Windows\system32\wermgr.exe" "-outproc" "848" "1248"
                      4⤵
                        PID:928

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Discovery
    • System Information Discovery (1) T1082
    • Query Registry (1) T1012

Downloads

                • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259527873.txt
                  Filesize

                  1KB

                  MD5

                  ccd048ed9e30d88d32140cb383408396

                  SHA1

                  6b7915d8a4e56223898864239f5a81a08ee8887e

                  SHA256

                  0bc16af53b483430363c9b1a8822696293ab162b5ad060a1bbfa3931598a943d

                  SHA512

                  7dd31d57d9ffa2060962f8f76ae027b99f0e2de85684602aa2f6b471265f826fda2179e55cf88dc8e4f53e39153e72d7690eeddf4daa0cafdf18980c27b68faa

                • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259543531.txt
                  Filesize

                  1KB

                  MD5

                  2d1035545767b94823f5b24a440b64b5

                  SHA1

                  563d66a57174c4126bc7ae7914fc8a6f0a8554aa

                  SHA256

                  0f53ed6bf87c3b8bbb4d2306fca077cb2e0210ec1e038595b997ade265b16ad9

                  SHA512

                  a339e1c5b70bd3d542434021e9b2af7e51dfab4e6c4b0e80e6b7b3b1063bff13c3e54a143a10c28e2d2a0c4d80dd2a0a8ca39abab00d8184b0c8ca6513d0ebfc

                • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259561431.txt
                  Filesize

                  1KB

                  MD5

                  d82137246ca155fe5b412296dc1375d6

                  SHA1

                  ca8bf95afdbaab16f02cfc4c1c934134bbbda5f0

                  SHA256

                  b556fbb50a9c60ea443547cc091199c21a800fb3d7d0ba424c3fddd071f53a5d

                  SHA512

                  de3d60a03d176612d60998bc6d6ce5a0dfda77841a46bdf50774da6df61b8dead3b796134ceb6b24b69f87bc36eb1162e4b9eb94b43e2a71272938a5ee7eceaa

                • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259573380.txt
                  Filesize

                  1KB

                  MD5

                  c322d0b401cc4ec07f8583b34210d9c6

                  SHA1

                  0befbf3efb13b45edff5e189dddd64ac6e975d85

                  SHA256

                  b9e72582cabc62266921ed3841cf398460a183758358fb0ed87a3ca867ca859f

                  SHA512

                  3d5c5d44f92e3cf3697dc75995ce55233256ffd44ffce73448b6c28ee8cd4be260eeadbc3d6644011103f2570e859cda5c2b5f3865a658eb90f5b8db5f3e31aa

                • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259592185.txt
                  Filesize

                  1KB

                  MD5

                  9fd99be1efbb5e37f0de4c7c1254a9ed

                  SHA1

                  928e749439840bbe9b9ab9ec4b1423acff77a0e8

                  SHA256

                  0d54a6ddd5e9c6273dabb5ae7be43d2bb57d317ffcc548a17845a3a082f07d2f

                  SHA512

                  4e431f5988d9f4e0ce9145c6de0cc91a0a70d446e1278d533fb8b29e462da4e95fc30f70befd8ef53edc43b94c4c6588a887e67c97c4d8d7b1eba0263b8d1be8

                • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259605970.txt
                  Filesize

                  1KB

                  MD5

                  94cec913d4a22658af81c6380169ec34

                  SHA1

                  0a39121204068fceb14f05605658838e614c5fbc

                  SHA256

                  961b5b157e01ff91bfb86f12bdd84e7b22c7d47d92f1c72219aae85eb657739f

                  SHA512

                  768f53e6b441e5552e4818c41ef0f81fc7b3955d71eb5a0385b6292bc4aeea11a2c239d4300b89a60b69b470b2b665825f2d2fff2ec0c898ef6b32f1908eee80

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                  Filesize

                  7KB

                  MD5

                  35f1d0ed0dd5b3c416e5090c6e758a4d

                  SHA1

                  974a485c81fac889a6fa32e4a28c1ce9b6e416a8

                  SHA256

                  773a930d69b3d4340ebc75556b642bff99e4c3379e2a7d3f5045a0f77f5be730

                  SHA512

                  a6fd8ccd92562156d4b8aba1260a0103903364012253019cfa6783194956df28f213722e93879da74cc249f702e3f1bd5ac7fd3fcf9c276abfb68a7c0674ac1a

                • C:\Users\Admin\asy3.vbs
                  Filesize

                  1KB

                  MD5

                  ecd56d423345d25d32d6894da7ea9a41

                  SHA1

                  fa194094d6f86b76b9ea51cbee26ea2bd93d8852

                  SHA256

                  01d5fd9a203634b7d45a547cdf72a1edcd601340f37892c324b5f842b22c7b73

                  SHA512

                  a6d4550a2bd57be7cd3b50754d2826a100a844553e2a4308366cdd442250989971635d3847add663ec307981e8566f9bd823dece00fac48d085f60336bf5d355

                • \??\PIPE\srvsvc
                  MD5

                  d41d8cd98f00b204e9800998ecf8427e

                  SHA1

                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                  SHA256

                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                  SHA512

                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                • memory/2532-16-0x000000001B680000-0x000000001B962000-memory.dmp
                  Filesize

                  2.9MB

                • memory/2532-17-0x0000000001E70000-0x0000000001E78000-memory.dmp
                  Filesize

                  32KB

                • memory/3028-8-0x000000001BC40000-0x000000001BC4A000-memory.dmp
                  Filesize

                  40KB

                • memory/3028-7-0x0000000002790000-0x0000000002798000-memory.dmp
                  Filesize

                  32KB

                • memory/3028-6-0x000000001B4B0000-0x000000001B792000-memory.dmp
                  Filesize

                  2.9MB