Analysis

  • max time kernel
    147s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-07-2024 09:02

General

  • Target

    ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs

  • Size

    352KB

  • MD5

    c465ada59596b24ce7ec12859f022d1f

  • SHA1

    ce4d09b3a355ed0f5f88bcdc1fcdac749862b728

  • SHA256

    ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d

  • SHA512

    b9563c08c2c76334d78e73b59e5a9450469e002030b28520231708e756185742bc96f115e887753a51512616e81e9a7f4a44d3314647c088c58bbe0f644b675f

  • SSDEEP

    1536:jh2F+VOLE9uko/3o1v4c4g2EePv/qcwUNQX3vGcXaA+7/BzGdZQn2sk82SCGZjjI:jeV1CZpyM

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs"
    1⤵
      PID:1648
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {AF9E3122-6734-4BA3-B916-E452C6D3F4CE} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\System32\WScript.exe
        C:\Windows\System32\WScript.exe "C:\Users\Admin\asy3.vbs"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2288
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Windows\system32\wermgr.exe
            "C:\Windows\system32\wermgr.exe" "-outproc" "2628" "1240"
            4⤵
              PID:2976
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            3⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1448
            • C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "1448" "1240"
              4⤵
                PID:1948
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
              3⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2316
              • C:\Windows\system32\wermgr.exe
                "C:\Windows\system32\wermgr.exe" "-outproc" "2316" "1240"
                4⤵
                  PID:1924
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                3⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1816
                • C:\Windows\system32\wermgr.exe
                  "C:\Windows\system32\wermgr.exe" "-outproc" "1816" "1136"
                  4⤵
                    PID:2556
                • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2068
                  • C:\Windows\system32\wermgr.exe
                    "C:\Windows\system32\wermgr.exe" "-outproc" "2068" "1240"
                    4⤵
                      PID:2408
                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                    3⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2680
                    • C:\Windows\system32\wermgr.exe
                      "C:\Windows\system32\wermgr.exe" "-outproc" "2680" "1240"
                      4⤵
                        PID:2988
                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                      3⤵
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:108
                      • C:\Windows\system32\wermgr.exe
                        "C:\Windows\system32\wermgr.exe" "-outproc" "108" "1232"
                        4⤵
                          PID:1304
                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchTrace.mp4"
                    1⤵
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious behavior: GetForegroundWindowSpam
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Discovery
    • System Information Discovery (1) T1082
    • Query Registry (1) T1012


Downloads

                  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259490813.txt
                    Filesize

                    1KB

                    MD5

                    5617600fbe45685d3657ae7ab377027d

                    SHA1

                    af5b0873cf46f04e7c4b63973947ced8d7ac75c8

                    SHA256

                    490b2707751c17726ed7a7cf05e676bc3ffdc16d0db5ea2d5035d6b6f3d75799

                    SHA512

                    3af120e2693ca9f288193ea91e2b5711faa3d9315dda31ea7915ff18b1abcce23a03ac35044d8d9aec1890023f8acf9c8bffcd9de1003be6341f0fee1d4eef57

                  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259506479.txt
                    Filesize

                    1KB

                    MD5

                    2b3a482a66e9bb3dd4b54798c4650b41

                    SHA1

                    408aaab69b8169bd0587f7bddfd34a396edcd12f

                    SHA256

                    253b799bd78eb65640d0a412ec8fd44771b5731fac99b305c1cc8570a5c0065e

                    SHA512

                    9c0fc5523b4caa6c14c173c75cbcd93eae96d191e33e168bd1431c21a7ddb466f0900a577d83a69173b30576e71640425f61e1a2a4fff4f14943c4747f6138c5

                  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259534987.txt
                    Filesize

                    1KB

                    MD5

                    3c338ec4d5dca6dd470095c2871c8609

                    SHA1

                    af9511323aebbb29e39c9669ac79a9ca3ff96780

                    SHA256

                    0aa40c53dcc1abdc15bd4649e8ae852ee785291edc66d8756bb34deb37f30990

                    SHA512

                    a48213349d96abd18925305867341596853797ea5e5cde7fc71d9ce0f0355c604978b88b65e07b3d811d06f69fdb8b6af59f1446a1a5a0bde563f17f4703f2b1

                  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259538591.txt
                    Filesize

                    1KB

                    MD5

                    b49310fa4fc67f8003cba53cc2ba860c

                    SHA1

                    f61f50947a8011997f2c9986838b41cff5ae6eac

                    SHA256

                    a634e0883408c93b533c04a1fa199fc272bc7ccdd0decf76ca27a2809a664f6c

                    SHA512

                    5091c82c04d602805d4383c305dcd56c7076e6b52a3fe3eb3f3f974a5ee6b93e2450782ee092e9cb7fc5dbf7a434af9f501df54f133884a62c4a276b33e65520

                  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259554651.txt
                    Filesize

                    1KB

                    MD5

                    2160e9fa192931bb7b3bc445d6b3c0c9

                    SHA1

                    ab150e1a1ceee4839658e03303170e6a9b57ec06

                    SHA256

                    2b9782b05f366b07e4b1bedb538366588b2d7e2c350115e6f31f3872ac34514e

                    SHA512

                    a780884e93d1ef9b2cc8425f67a59c675594722901908d989f224c377e13cb59f3035a7f8264300c3c78c891d4546b614a75054260a07a156e3d987e635773ca

                  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259564799.txt
                    Filesize

                    1KB

                    MD5

                    44c59a3fa2b272ece4e432de5eb907ba

                    SHA1

                    16a4d8218afa8b4d42902aa9235d71d6b5875ba9

                    SHA256

                    64b5372cc203cf9e6e482a71d812adf4a12ff320d5bc1a9540d87064c2c9faae

                    SHA512

                    33008fd88f8d21423e249330a06d20bf2ea8f6c61f6ea387c46f4e791272bf0a0c0e7609f682ebb719443ce730bb163ec4ae20af269f4500c0b3bc0170305f54

                  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259582971.txt
                    Filesize

                    1KB

                    MD5

                    7fd5279a0b3df6cbfc24c191b8cfb074

                    SHA1

                    f39084897a352084586ec4caa41b74b15cf7309b

                    SHA256

                    d4eda2b355fdff8c9bd61cc20a771e8ff6ad7423fb6062fa5ee666c414ea5417

                    SHA512

                    9f5b1c070ae8d52018159524d588ba2693d4656c113f7d0d33ddb78bb2dc848191a57d4b8abe2deb64fb0840711c4c0bb3696345648221938b43c7c10f0b143b

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                    Filesize

                    7KB

                    MD5

                    ecf1a795872df4bc35a4f70e9cdad29e

                    SHA1

                    6905fe33e312ceac49a5c6f85216ea5049a973eb

                    SHA256

                    96294cd51b2a6d9b28fa3bac09af671e27240a6af1f4f43367fb29110721a939

                    SHA512

                    79ffd08247f2b14c0dc43b065b60bf1cf2c8125f4a33a1b16b464040d1d2a448710e279f6710d03a0a579101267b426497fbacd7ddd52f79530eabfcc7735545

                  • C:\Users\Admin\asy3.vbs
                    Filesize

                    1KB

                    MD5

                    ecd56d423345d25d32d6894da7ea9a41

                    SHA1

                    fa194094d6f86b76b9ea51cbee26ea2bd93d8852

                    SHA256

                    01d5fd9a203634b7d45a547cdf72a1edcd601340f37892c324b5f842b22c7b73

                    SHA512

                    a6d4550a2bd57be7cd3b50754d2826a100a844553e2a4308366cdd442250989971635d3847add663ec307981e8566f9bd823dece00fac48d085f60336bf5d355

                  • \??\PIPE\srvsvc
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  • memory/1448-16-0x000000001B4C0000-0x000000001B7A2000-memory.dmp
                    Filesize

                    2.9MB

                  • memory/1448-17-0x00000000027B0000-0x00000000027B8000-memory.dmp
                    Filesize

                    32KB

                  • memory/2144-43-0x000007FEF2230000-0x000007FEF2251000-memory.dmp
                    Filesize

                    132KB

                  • memory/2144-51-0x000007FEF1D50000-0x000007FEF1D80000-memory.dmp
                    Filesize

                    192KB

                  • memory/2144-36-0x000007FEF6E50000-0x000007FEF6E67000-memory.dmp
                    Filesize

                    92KB

                  • memory/2144-37-0x000007FEF6D20000-0x000007FEF6D31000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-39-0x000007FEF6C60000-0x000007FEF6C71000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-38-0x000007FEF6C80000-0x000007FEF6C9D000-memory.dmp
                    Filesize

                    116KB

                  • memory/2144-32-0x000007FEF5A80000-0x000007FEF5D36000-memory.dmp
                    Filesize

                    2.7MB

                  • memory/2144-40-0x000007FEF0600000-0x000007FEF080B000-memory.dmp
                    Filesize

                    2.0MB

                  • memory/2144-44-0x000007FEF2210000-0x000007FEF2228000-memory.dmp
                    Filesize

                    96KB

                  • memory/2144-46-0x000007FEF21D0000-0x000007FEF21E1000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-47-0x000007FEF21B0000-0x000007FEF21C1000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-45-0x000007FEF21F0000-0x000007FEF2201000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-33-0x000007FEFA840000-0x000007FEFA858000-memory.dmp
                    Filesize

                    96KB

                  • memory/2144-42-0x000007FEF2260000-0x000007FEF22A1000-memory.dmp
                    Filesize

                    260KB

                  • memory/2144-48-0x000007FEF2190000-0x000007FEF21AB000-memory.dmp
                    Filesize

                    108KB

                  • memory/2144-49-0x000007FEF2170000-0x000007FEF2181000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-50-0x000007FEF1D80000-0x000007FEF1D98000-memory.dmp
                    Filesize

                    96KB

                  • memory/2144-35-0x000007FEF7270000-0x000007FEF7281000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-52-0x000007FEF1CE0000-0x000007FEF1D47000-memory.dmp
                    Filesize

                    412KB

                  • memory/2144-54-0x000007FEF1CC0000-0x000007FEF1CD1000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-56-0x000007FEF1C90000-0x000007FEF1CB8000-memory.dmp
                    Filesize

                    160KB

                  • memory/2144-57-0x000007FEF14C0000-0x000007FEF14E4000-memory.dmp
                    Filesize

                    144KB

                  • memory/2144-55-0x000007FEF14F0000-0x000007FEF1547000-memory.dmp
                    Filesize

                    348KB

                  • memory/2144-53-0x000007FEF1550000-0x000007FEF15CC000-memory.dmp
                    Filesize

                    496KB

                  • memory/2144-58-0x000007FEF1C70000-0x000007FEF1C88000-memory.dmp
                    Filesize

                    96KB

                  • memory/2144-59-0x000007FEF1490000-0x000007FEF14B3000-memory.dmp
                    Filesize

                    140KB

                  • memory/2144-60-0x000007FEF05E0000-0x000007FEF05F1000-memory.dmp
                    Filesize

                    68KB

                  • memory/2144-61-0x000007FEF05C0000-0x000007FEF05D2000-memory.dmp
                    Filesize

                    72KB

                  • memory/2144-41-0x000007FEED9D0000-0x000007FEEEA80000-memory.dmp
                    Filesize

                    16.7MB

                  • memory/2144-34-0x000007FEF80D0000-0x000007FEF80E7000-memory.dmp
                    Filesize

                    92KB

                  • memory/2144-30-0x000000013F920000-0x000000013FA18000-memory.dmp
                    Filesize

                    992KB

                  • memory/2144-31-0x000007FEF7060000-0x000007FEF7094000-memory.dmp
                    Filesize

                    208KB

                  • memory/2144-83-0x000007FEED9D0000-0x000007FEEEA80000-memory.dmp
                    Filesize

                    16.7MB

                  • memory/2628-8-0x0000000002D00000-0x0000000002D0A000-memory.dmp
                    Filesize

                    40KB

                  • memory/2628-7-0x0000000002810000-0x0000000002818000-memory.dmp
                    Filesize

                    32KB

                  • memory/2628-6-0x000000001B590000-0x000000001B872000-memory.dmp
                    Filesize

                    2.9MB