Analysis

max time kernel: 136s
max time network: 128s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 08-07-2024 07:26

Static task: static1

Behavioral task: behavioral1
  Sample: Montants à justifier_DGFIP45921-2.vbs
  Resource: win7-20240705-en

Behavioral task: behavioral2
  Sample: Montants à justifier_DGFIP45921-2.vbs
  Resource: win10v2004-20240704-en
General

Target: Montants à justifier_DGFIP45921-2.vbs
Size: 352KB
MD5: c465ada59596b24ce7ec12859f022d1f
SHA1: ce4d09b3a355ed0f5f88bcdc1fcdac749862b728
SHA256: ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d
SHA512: b9563c08c2c76334d78e73b59e5a9450469e002030b28520231708e756185742bc96f115e887753a51512616e81e9a7f4a44d3314647c088c58bbe0f644b675f
SSDEEP: 1536:jh2F+VOLE9uko/3o1v4c4g2EePv/qcwUNQX3vGcXaA+7/BzGdZQn2sk82SCGZjjI:jeV1CZpyM
Malware Config
Signatures

- Drops file in System32 directory (6 IoCs)
  Processes: powershell.exe (x6)
  description | ioc | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: powershell.exe (x6)
  pid | process
  3028 | powershell.exe
  3028 | powershell.exe
  2532 | powershell.exe
  2532 | powershell.exe
  1040 | powershell.exe
  1040 | powershell.exe
  2128 | powershell.exe
  2128 | powershell.exe
  1460 | powershell.exe
  1460 | powershell.exe
  848 | powershell.exe
  848 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: powershell.exe (x6)
  description | pid | process
  Token: SeDebugPrivilege | 3028 | powershell.exe
  Token: SeDebugPrivilege | 2532 | powershell.exe
  Token: SeDebugPrivilege | 1040 | powershell.exe
  Token: SeDebugPrivilege | 2128 | powershell.exe
  Token: SeDebugPrivilege | 1460 | powershell.exe
  Token: SeDebugPrivilege | 848 | powershell.exe

- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes: taskeng.exe, WScript.exe, powershell.exe (x6)
  description | pid | process | target process
  PID 2244 wrote to memory of 2604 | 2244 | taskeng.exe | WScript.exe
  PID 2244 wrote to memory of 2604 | 2244 | taskeng.exe | WScript.exe
  PID 2244 wrote to memory of 2604 | 2244 | taskeng.exe | WScript.exe
  PID 2604 wrote to memory of 3028 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 3028 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 3028 | 2604 | WScript.exe | powershell.exe
  PID 3028 wrote to memory of 2004 | 3028 | powershell.exe | wermgr.exe
  PID 3028 wrote to memory of 2004 | 3028 | powershell.exe | wermgr.exe
  PID 3028 wrote to memory of 2004 | 3028 | powershell.exe | wermgr.exe
  PID 2604 wrote to memory of 2532 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 2532 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 2532 | 2604 | WScript.exe | powershell.exe
  PID 2532 wrote to memory of 1152 | 2532 | powershell.exe | wermgr.exe
  PID 2532 wrote to memory of 1152 | 2532 | powershell.exe | wermgr.exe
  PID 2532 wrote to memory of 1152 | 2532 | powershell.exe | wermgr.exe
  PID 2604 wrote to memory of 1040 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 1040 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 1040 | 2604 | WScript.exe | powershell.exe
  PID 1040 wrote to memory of 2100 | 1040 | powershell.exe | wermgr.exe
  PID 1040 wrote to memory of 2100 | 1040 | powershell.exe | wermgr.exe
  PID 1040 wrote to memory of 2100 | 1040 | powershell.exe | wermgr.exe
  PID 2604 wrote to memory of 2128 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 2128 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 2128 | 2604 | WScript.exe | powershell.exe
  PID 2128 wrote to memory of 2224 | 2128 | powershell.exe | wermgr.exe
  PID 2128 wrote to memory of 2224 | 2128 | powershell.exe | wermgr.exe
  PID 2128 wrote to memory of 2224 | 2128 | powershell.exe | wermgr.exe
  PID 2604 wrote to memory of 1460 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 1460 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 1460 | 2604 | WScript.exe | powershell.exe
  PID 1460 wrote to memory of 2096 | 1460 | powershell.exe | wermgr.exe
  PID 1460 wrote to memory of 2096 | 1460 | powershell.exe | wermgr.exe
  PID 1460 wrote to memory of 2096 | 1460 | powershell.exe | wermgr.exe
  PID 2604 wrote to memory of 848 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 848 | 2604 | WScript.exe | powershell.exe
  PID 2604 wrote to memory of 848 | 2604 | WScript.exe | powershell.exe
  PID 848 wrote to memory of 928 | 848 | powershell.exe | wermgr.exe
  PID 848 wrote to memory of 928 | 848 | powershell.exe | wermgr.exe
  PID 848 wrote to memory of 928 | 848 | powershell.exe | wermgr.exe

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Montants à justifier_DGFIP45921-2.vbs"

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {94508DEB-5B4F-4C97-8A4E-D93252C87668} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\asy3.vbs"
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "3028" "1244"

    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2532" "1240"

    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1040" "1248"

    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2128" "1244"

    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1460" "1244"

    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "848" "1248"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259527873.txt
  Filesize: 1KB
  MD5: ccd048ed9e30d88d32140cb383408396
  SHA1: 6b7915d8a4e56223898864239f5a81a08ee8887e
  SHA256: 0bc16af53b483430363c9b1a8822696293ab162b5ad060a1bbfa3931598a943d
  SHA512: 7dd31d57d9ffa2060962f8f76ae027b99f0e2de85684602aa2f6b471265f826fda2179e55cf88dc8e4f53e39153e72d7690eeddf4daa0cafdf18980c27b68faa

- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259543531.txt
  Filesize: 1KB
  MD5: 2d1035545767b94823f5b24a440b64b5
  SHA1: 563d66a57174c4126bc7ae7914fc8a6f0a8554aa
  SHA256: 0f53ed6bf87c3b8bbb4d2306fca077cb2e0210ec1e038595b997ade265b16ad9
  SHA512: a339e1c5b70bd3d542434021e9b2af7e51dfab4e6c4b0e80e6b7b3b1063bff13c3e54a143a10c28e2d2a0c4d80dd2a0a8ca39abab00d8184b0c8ca6513d0ebfc

- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259561431.txt
  Filesize: 1KB
  MD5: d82137246ca155fe5b412296dc1375d6
  SHA1: ca8bf95afdbaab16f02cfc4c1c934134bbbda5f0
  SHA256: b556fbb50a9c60ea443547cc091199c21a800fb3d7d0ba424c3fddd071f53a5d
  SHA512: de3d60a03d176612d60998bc6d6ce5a0dfda77841a46bdf50774da6df61b8dead3b796134ceb6b24b69f87bc36eb1162e4b9eb94b43e2a71272938a5ee7eceaa

- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259573380.txt
  Filesize: 1KB
  MD5: c322d0b401cc4ec07f8583b34210d9c6
  SHA1: 0befbf3efb13b45edff5e189dddd64ac6e975d85
  SHA256: b9e72582cabc62266921ed3841cf398460a183758358fb0ed87a3ca867ca859f
  SHA512: 3d5c5d44f92e3cf3697dc75995ce55233256ffd44ffce73448b6c28ee8cd4be260eeadbc3d6644011103f2570e859cda5c2b5f3865a658eb90f5b8db5f3e31aa

- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259592185.txt
  Filesize: 1KB
  MD5: 9fd99be1efbb5e37f0de4c7c1254a9ed
  SHA1: 928e749439840bbe9b9ab9ec4b1423acff77a0e8
  SHA256: 0d54a6ddd5e9c6273dabb5ae7be43d2bb57d317ffcc548a17845a3a082f07d2f
  SHA512: 4e431f5988d9f4e0ce9145c6de0cc91a0a70d446e1278d533fb8b29e462da4e95fc30f70befd8ef53edc43b94c4c6588a887e67c97c4d8d7b1eba0263b8d1be8

- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259605970.txt
  Filesize: 1KB
  MD5: 94cec913d4a22658af81c6380169ec34
  SHA1: 0a39121204068fceb14f05605658838e614c5fbc
  SHA256: 961b5b157e01ff91bfb86f12bdd84e7b22c7d47d92f1c72219aae85eb657739f
  SHA512: 768f53e6b441e5552e4818c41ef0f81fc7b3955d71eb5a0385b6292bc4aeea11a2c239d4300b89a60b69b470b2b665825f2d2fff2ec0c898ef6b32f1908eee80

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 35f1d0ed0dd5b3c416e5090c6e758a4d
  SHA1: 974a485c81fac889a6fa32e4a28c1ce9b6e416a8
  SHA256: 773a930d69b3d4340ebc75556b642bff99e4c3379e2a7d3f5045a0f77f5be730
  SHA512: a6fd8ccd92562156d4b8aba1260a0103903364012253019cfa6783194956df28f213722e93879da74cc249f702e3f1bd5ac7fd3fcf9c276abfb68a7c0674ac1a

- C:\Users\Admin\asy3.vbs
  Filesize: 1KB
  MD5: ecd56d423345d25d32d6894da7ea9a41
  SHA1: fa194094d6f86b76b9ea51cbee26ea2bd93d8852
  SHA256: 01d5fd9a203634b7d45a547cdf72a1edcd601340f37892c324b5f842b22c7b73
  SHA512: a6d4550a2bd57be7cd3b50754d2826a100a844553e2a4308366cdd442250989971635d3847add663ec307981e8566f9bd823dece00fac48d085f60336bf5d355

- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- memory/2532-16-0x000000001B680000-0x000000001B962000-memory.dmp
  Filesize: 2.9MB

- memory/2532-17-0x0000000001E70000-0x0000000001E78000-memory.dmp
  Filesize: 32KB

- memory/3028-8-0x000000001BC40000-0x000000001BC4A000-memory.dmp
  Filesize: 40KB

- memory/3028-7-0x0000000002790000-0x0000000002798000-memory.dmp
  Filesize: 32KB

- memory/3028-6-0x000000001B4B0000-0x000000001B792000-memory.dmp
  Filesize: 2.9MB