Analysis
max time kernel: 147s
max time network: 129s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 08-07-2024 09:02
Static task
static1
Behavioral task
behavioral1
Sample
ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs
Resource
win10v2004-20240704-en
General
-
Target
ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs
-
Size
352KB
-
MD5
c465ada59596b24ce7ec12859f022d1f
-
SHA1
ce4d09b3a355ed0f5f88bcdc1fcdac749862b728
-
SHA256
ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d
-
SHA512
b9563c08c2c76334d78e73b59e5a9450469e002030b28520231708e756185742bc96f115e887753a51512616e81e9a7f4a44d3314647c088c58bbe0f644b675f
-
SSDEEP
1536:jh2F+VOLE9uko/3o1v4c4g2EePv/qcwUNQX3vGcXaA+7/BzGdZQn2sk82SCGZjjI:jeV1CZpyM
Malware Config
Signatures
-
Drops file in System32 directory 7 IoCs
Processes: powershell.exe (all seven instances)
File opened for modification (one identical hit per powershell.exe instance, 7 entries):
C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Note: the path contains a literal, unexpanded %ProgramData% token resolved under System32, and the file touched is PowerShell's own Start Menu shortcut. Every powershell.exe in the run produces exactly this one hit and nothing else under System32, so read it as PowerShell start-up behaviour rather than the sample writing a payload into System32.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Process: vlc.exe (PID 2144)
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes: powershell.exe PIDs 2628, 1448, 2316, 1816, 2068, 2680, 108 (13 entries: two per PID except 1816, which has one)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Process: vlc.exe (PID 2144)
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Token: SeDebugPrivilege enabled by powershell.exe PIDs 2628, 1448, 2316, 1816, 2068, 2680, 108 (one entry per PowerShell instance)
-
Suspicious use of FindShellTrayWindow 8 IoCs
Process: vlc.exe (PID 2144), 8 entries
-
Suspicious use of SendNotifyMessage 7 IoCs
Process: vlc.exe (PID 2144), 7 entries
-
Suspicious use of SetWindowsHookEx 1 IoCs
Process: vlc.exe (PID 2144)
-
Suspicious use of WriteProcessMemory 45 IoCs
Writer (PID, image) -> target (PID, image). The report lists every pair three times; the 15 distinct pairs are:
2920 taskeng.exe -> 2288 WScript.exe
2288 WScript.exe -> 2628 powershell.exe
2628 powershell.exe -> 2976 wermgr.exe
2288 WScript.exe -> 1448 powershell.exe
1448 powershell.exe -> 1948 wermgr.exe
2288 WScript.exe -> 2316 powershell.exe
2288 WScript.exe -> 1816 powershell.exe
1816 powershell.exe -> 2556 wermgr.exe
2316 powershell.exe -> 1924 wermgr.exe
2288 WScript.exe -> 2068 powershell.exe
2068 powershell.exe -> 2408 wermgr.exe
2288 WScript.exe -> 2680 powershell.exe
2680 powershell.exe -> 2988 wermgr.exe
2288 WScript.exe -> 108 powershell.exe
108 powershell.exe -> 1304 wermgr.exe
Note: in every row the writer is the direct parent of the target in the process tree below, and each pair appears the same three times. That is how process creation shows up in this table (the parent sets up the new child's memory); no process writes into a process it did not create, so these entries are not evidence of code injection.
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
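The WriteProcessMemory table above is only meaningful once it is turned back into a tree, because a parent writing into the child it just created looks identical, row for row, to a process writing into an unrelated target. The following Python helper is an added triage example (not part of the report, the sandbox, or the sample): it parses the report's row format, takes the first writer into each PID as its creating parent, flags any other writer or any write into a pre-existing tree root, and correlates each wermgr.exe "-outproc" child with the PID it was asked to report on. The rows and wermgr command lines are copied from this report; the PowerShell-into-vlc.exe control row is constructed and does not appear in the report.

```python
"""Rebuild the process tree from a sandbox 'wrote to memory of' table, flag
writes that are not a parent creating its own child, and tie each wermgr.exe
"-outproc" child back to the process it reports on. Added triage helper."""
import re
from collections import defaultdict

# Distinct rows copied from the WriteProcessMemory table above. The report lists
# every row three times, so REPORT_TEXT reproduces that repetition.
REPORT_PAIRS = """
PID 2920 wrote to memory of 2288 2920 taskeng.exe WScript.exe
PID 2288 wrote to memory of 2628 2288 WScript.exe powershell.exe
PID 2628 wrote to memory of 2976 2628 powershell.exe wermgr.exe
PID 2288 wrote to memory of 1448 2288 WScript.exe powershell.exe
PID 1448 wrote to memory of 1948 1448 powershell.exe wermgr.exe
PID 2288 wrote to memory of 2316 2288 WScript.exe powershell.exe
PID 2288 wrote to memory of 1816 2288 WScript.exe powershell.exe
PID 1816 wrote to memory of 2556 1816 powershell.exe wermgr.exe
PID 2316 wrote to memory of 1924 2316 powershell.exe wermgr.exe
PID 2288 wrote to memory of 2068 2288 WScript.exe powershell.exe
PID 2068 wrote to memory of 2408 2068 powershell.exe wermgr.exe
PID 2288 wrote to memory of 2680 2288 WScript.exe powershell.exe
PID 2680 wrote to memory of 2988 2680 powershell.exe wermgr.exe
PID 2288 wrote to memory of 108 2288 WScript.exe powershell.exe
PID 108 wrote to memory of 1304 108 powershell.exe wermgr.exe
"""
REPORT_TEXT = "\n".join(l for l in REPORT_PAIRS.strip().splitlines() for _ in range(3))

# Tree roots that exist before any row (depth-1 entries in the process tree):
# a write into one of these can never be a creation.
ROOTS = frozenset({2920, 2144})

# wermgr.exe command lines from the process tree, keyed by the wermgr PID the
# table assigns to each PowerShell parent (tree order and table order agree).
WERMGR_CMDLINES = {
    2976: '"C:\\Windows\\system32\\wermgr.exe" "-outproc" "2628" "1240"',
    1948: '"C:\\Windows\\system32\\wermgr.exe" "-outproc" "1448" "1240"',
    1924: '"C:\\Windows\\system32\\wermgr.exe" "-outproc" "2316" "1240"',
    2556: '"C:\\Windows\\system32\\wermgr.exe" "-outproc" "1816" "1136"',
    2408: '"C:\\Windows\\system32\\wermgr.exe" "-outproc" "2068" "1240"',
    2988: '"C:\\Windows\\system32\\wermgr.exe" "-outproc" "2680" "1240"',
    1304: '"C:\\Windows\\system32\\wermgr.exe" "-outproc" "108" "1232"',
}

# Constructed negative control, NOT from the report: a PowerShell instance
# writing into vlc.exe, which it did not create, must be flagged.
INJECTED_ROW = "PID 2628 wrote to memory of 2144 2628 powershell.exe vlc.exe"

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
OUTPROC_RE = re.compile(r'"-outproc"\s+"(\d+)"')


def parse_rows(text):
    """(writer_pid, target_pid, writer_image, target_image) per row."""
    return [(int(w), int(t), wi, ti) for w, t, wi, ti in ROW_RE.findall(text)]


def build_tree(rows, roots=ROOTS):
    """First writer into a PID is taken as its creating parent; repeated writes
    by that parent are normal CreateProcess set-up. Any other writer, or any
    write into a pre-existing root, is a cross-process write and is flagged."""
    parent, image, children, flagged = {}, {}, defaultdict(list), []
    for writer, target, w_img, t_img in rows:
        image.setdefault(writer, w_img)
        image.setdefault(target, t_img)
        if target in roots or (target in parent and parent[target] != writer):
            flagged.append((writer, target))
        elif target not in parent:
            parent[target] = writer
            children[writer].append(target)
    return parent, image, children, flagged


def crash_reports(parent, image, cmdlines):
    """wermgr PID -> (reported PID, reported PID is wermgr's own parent, image)."""
    out = {}
    for pid, cmd in cmdlines.items():
        m = OUTPROC_RE.search(cmd)
        if m:
            reported = int(m.group(1))
            out[pid] = (reported, parent.get(pid) == reported, image.get(reported))
    return out


def render(children, image, pid, depth=0):
    lines = [f"{'  ' * depth}{pid} {image.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines += render(children, image, child, depth + 1)
    return lines


def summarize(text, cmdlines=WERMGR_CMDLINES):
    rows = parse_rows(text)
    parent, image, children, flagged = build_tree(rows)
    crashes = crash_reports(parent, image, cmdlines)
    return {
        "rows": len(rows),
        "parent": parent,
        "flagged": flagged,
        "powershell": sorted(p for p, i in image.items() if i.lower() == "powershell.exe"),
        "crashed_powershell": sorted(r for r, own_parent, _ in crashes.values() if own_parent),
        "tree": "\n".join(render(children, image, 2920)),
    }


if __name__ == "__main__":
    s = summarize(REPORT_TEXT)
    print(s["tree"])
    print("flagged:", s["flagged"], "PowerShell PIDs with a WER report on themselves:", s["crashed_powershell"])
    print("control:", summarize(REPORT_TEXT + "\n" + INJECTED_ROW)["flagged"])
```

Run on the report's rows it rebuilds taskeng.exe -> WScript.exe -> seven powershell.exe -> wermgr.exe with nothing flagged, and shows that every wermgr.exe was started to report on its own parent, i.e. all seven PowerShell instances hit the Windows Error Reporting path. The control row is flagged because vlc.exe is a pre-existing root, which is the case a simple "first writer is the parent" rule would otherwise miss.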
Processes
- C:\Windows\System32\WScript.exe (depth 1; PID not recorded in the tables above)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d.vbs"
- C:\Windows\system32\taskeng.exe (depth 1; PID 2920)
  taskeng.exe {AF9E3122-6734-4BA3-B916-E452C6D3F4CE} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (depth 2; PID 2288)
    C:\Windows\System32\WScript.exe "C:\Users\Admin\asy3.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (depth 3; PID 2628)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (depth 4; PID 2976)
        "C:\Windows\system32\wermgr.exe" "-outproc" "2628" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (depth 3; PID 1448)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (depth 4; PID 1948)
        "C:\Windows\system32\wermgr.exe" "-outproc" "1448" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (depth 3; PID 2316)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (depth 4; PID 1924)
        "C:\Windows\system32\wermgr.exe" "-outproc" "2316" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (depth 3; PID 1816)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (depth 4; PID 2556)
        "C:\Windows\system32\wermgr.exe" "-outproc" "1816" "1136"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (depth 3; PID 2068)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (depth 4; PID 2408)
        "C:\Windows\system32\wermgr.exe" "-outproc" "2068" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (depth 3; PID 2680)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (depth 4; PID 2988)
        "C:\Windows\system32\wermgr.exe" "-outproc" "2680" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (depth 3; PID 108)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (depth 4; PID 1304)
        "C:\Windows\system32\wermgr.exe" "-outproc" "108" "1232"
- C:\Program Files\VideoLAN\VLC\vlc.exe (depth 1; PID 2144)
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchTrace.mp4"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

Reading the tree (PIDs are taken from the WriteProcessMemory table above): the WScript.exe instance that ran the submitted sample shows no children of its own. The activity comes from a scheduled task (taskeng.exe, task {AF9E3122-6734-4BA3-B916-E452C6D3F4CE}, running as ELZYPTFV\Admin in the interactive session) that launches the 1KB script dropped to C:\Users\Admin\asy3.vbs, which in turn starts powershell.exe seven times. Each PowerShell instance gets a wermgr.exe "-outproc" child whose first argument is that PowerShell's own PID, i.e. Windows Error Reporting collecting a report on the PowerShell process; the seven OutofProcReport*.txt files under %TEMP% in the Downloads section are the matching WER artifacts. The powershell.exe command lines are recorded without arguments, so the script or command each instance ran is not visible in this report. vlc.exe is a separate tree root opening a file from the desktop; nothing in the sample's tree spawns it, and its signature hits (clipboard listener, foreground-window polling, tray window lookup, SetWindowsHookEx) are ordinary media-player GUI behaviour that should not be attributed to the sample.
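The persistence shown above (a scheduled task that runs WScript.exe on a .vbs dropped into the user's profile) is easy to hunt for on other hosts from the task XML, which is what `schtasks /Query /TN <name> /XML` prints and what the files under C:\Windows\System32\Tasks contain. The Python below is an added example (not from the report, the sandbox, or the sample): it parses that XML and flags tasks whose action is a script host fed a path in a user-writable location, plus tasks marked Hidden. The two task documents are constructed for the example; the report does not show the real task's name, trigger or settings, so the suspect task is modelled on the process tree rather than copied from the sample.

```python
"""Hunt exported Task Scheduler XML for tasks that run a script host from a
user-writable path (the taskeng.exe -> WScript.exe C:\\Users\\Admin\\asy3.vbs
pattern in the process tree above). Added example, not the sample's code."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = re.compile(
    r"(\\users\\|%appdata%|%localappdata%|%temp%|%tmp%|%userprofile%|%public%|"
    r"\\programdata\\|\\windows\\temp\\)", re.I)

# Constructed task XML (hypothetical name-less task) modelled on the persistence
# seen above: a logon trigger running WScript on the VBS dropped to the profile.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>ELZYPTFV\Admin</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-21-3434294380-2554721341-1919518612-1000</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel>
  </Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WScript.exe</Command>
    <Arguments>"C:\Users\Admin\asy3.vbs"</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task, with the UTF-16 declaration schtasks emits, as a control.
BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Principals><Principal><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions><Exec><Command>C:\Windows\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec></Actions>
</Task>"""


def _text(node, path):
    found = node.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def parse_task(xml_text):
    """Pull the fields that matter for triage out of one task document."""
    # schtasks output and the Tasks folder files declare encoding="UTF-16"; expat
    # rejects that declaration on an already-decoded str, so strip it first.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "user": _text(root, "t:Principals/t:Principal/t:UserId"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "triggers": [child.tag.split("}")[1] for child in root.findall("t:Triggers/*", NS)],
        "actions": [(_text(a, "t:Command"), _text(a, "t:Arguments"))
                    for a in root.findall("t:Actions/t:Exec", NS)],
    }


def assess(task):
    """Return the reasons a parsed task deserves a look; empty means nothing found."""
    reasons = []
    for command, args in task["actions"]:
        exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS and USER_WRITABLE.search(args or ""):
            reasons.append(f"{exe} runs content from a user-writable path: {args}")
        elif USER_WRITABLE.search(command):
            reasons.append(f"task binary itself lives in a user-writable path: {command}")
    if task["hidden"]:
        reasons.append("task is marked Hidden")
    return reasons


def hunt(xml_docs):
    """(index, parsed task, reasons) for every document that trips a rule."""
    hits = []
    for i, doc in enumerate(xml_docs):
        task = parse_task(doc)
        reasons = assess(task)
        if reasons:
            hits.append((i, task, reasons))
    return hits


if __name__ == "__main__":
    for i, task, reasons in hunt([SUSPECT_TASK, BENIGN_TASK]):
        print(f"task #{i} user={task['user']} triggers={task['triggers']}")
        for r in reasons:
            print("  -", r)
```

The rule is deliberately narrow (script host plus user-writable argument path, or a user-writable task binary) so it does not fire on the many legitimate tasks that run from System32; widen SCRIPT_HOSTS and USER_WRITABLE to taste, and pair a hit with the dropped file's hash (asy3.vbs, SHA256 01d5fd9a203634b7d45a547cdf72a1edcd601340f37892c324b5f842b22c7b73 in this report) when confirming.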
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259490813.txt
  Filesize: 1KB
  MD5: 5617600fbe45685d3657ae7ab377027d
  SHA1: af5b0873cf46f04e7c4b63973947ced8d7ac75c8
  SHA256: 490b2707751c17726ed7a7cf05e676bc3ffdc16d0db5ea2d5035d6b6f3d75799
  SHA512: 3af120e2693ca9f288193ea91e2b5711faa3d9315dda31ea7915ff18b1abcce23a03ac35044d8d9aec1890023f8acf9c8bffcd9de1003be6341f0fee1d4eef57
- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259506479.txt
  Filesize: 1KB
  MD5: 2b3a482a66e9bb3dd4b54798c4650b41
  SHA1: 408aaab69b8169bd0587f7bddfd34a396edcd12f
  SHA256: 253b799bd78eb65640d0a412ec8fd44771b5731fac99b305c1cc8570a5c0065e
  SHA512: 9c0fc5523b4caa6c14c173c75cbcd93eae96d191e33e168bd1431c21a7ddb466f0900a577d83a69173b30576e71640425f61e1a2a4fff4f14943c4747f6138c5
- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259534987.txt
  Filesize: 1KB
  MD5: 3c338ec4d5dca6dd470095c2871c8609
  SHA1: af9511323aebbb29e39c9669ac79a9ca3ff96780
  SHA256: 0aa40c53dcc1abdc15bd4649e8ae852ee785291edc66d8756bb34deb37f30990
  SHA512: a48213349d96abd18925305867341596853797ea5e5cde7fc71d9ce0f0355c604978b88b65e07b3d811d06f69fdb8b6af59f1446a1a5a0bde563f17f4703f2b1
- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259538591.txt
  Filesize: 1KB
  MD5: b49310fa4fc67f8003cba53cc2ba860c
  SHA1: f61f50947a8011997f2c9986838b41cff5ae6eac
  SHA256: a634e0883408c93b533c04a1fa199fc272bc7ccdd0decf76ca27a2809a664f6c
  SHA512: 5091c82c04d602805d4383c305dcd56c7076e6b52a3fe3eb3f3f974a5ee6b93e2450782ee092e9cb7fc5dbf7a434af9f501df54f133884a62c4a276b33e65520
- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259554651.txt
  Filesize: 1KB
  MD5: 2160e9fa192931bb7b3bc445d6b3c0c9
  SHA1: ab150e1a1ceee4839658e03303170e6a9b57ec06
  SHA256: 2b9782b05f366b07e4b1bedb538366588b2d7e2c350115e6f31f3872ac34514e
  SHA512: a780884e93d1ef9b2cc8425f67a59c675594722901908d989f224c377e13cb59f3035a7f8264300c3c78c891d4546b614a75054260a07a156e3d987e635773ca
- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259564799.txt
  Filesize: 1KB
  MD5: 44c59a3fa2b272ece4e432de5eb907ba
  SHA1: 16a4d8218afa8b4d42902aa9235d71d6b5875ba9
  SHA256: 64b5372cc203cf9e6e482a71d812adf4a12ff320d5bc1a9540d87064c2c9faae
  SHA512: 33008fd88f8d21423e249330a06d20bf2ea8f6c61f6ea387c46f4e791272bf0a0c0e7609f682ebb719443ce730bb163ec4ae20af269f4500c0b3bc0170305f54
- C:\Users\Admin\AppData\Local\Temp\OutofProcReport259582971.txt
  Filesize: 1KB
  MD5: 7fd5279a0b3df6cbfc24c191b8cfb074
  SHA1: f39084897a352084586ec4caa41b74b15cf7309b
  SHA256: d4eda2b355fdff8c9bd61cc20a771e8ff6ad7423fb6062fa5ee666c414ea5417
  SHA512: 9f5b1c070ae8d52018159524d588ba2693d4656c113f7d0d33ddb78bb2dc848191a57d4b8abe2deb64fb0840711c4c0bb3696345648221938b43c7c10f0b143b
  (The seven OutofProcReport*.txt files are Windows Error Reporting output, one per wermgr.exe "-outproc" child in the process tree; they are side effects of the PowerShell instances faulting, not payloads dropped by the sample.)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ecf1a795872df4bc35a4f70e9cdad29e
  SHA1: 6905fe33e312ceac49a5c6f85216ea5049a973eb
  SHA256: 96294cd51b2a6d9b28fa3bac09af671e27240a6af1f4f43367fb29110721a939
  SHA512: 79ffd08247f2b14c0dc43b065b60bf1cf2c8125f4a33a1b16b464040d1d2a448710e279f6710d03a0a579101267b426497fbacd7ddd52f79530eabfcc7735545
  (A Windows jump-list file under Recent items: a user-activity artifact, not sample content.)
- C:\Users\Admin\asy3.vbs
  Filesize: 1KB
  MD5: ecd56d423345d25d32d6894da7ea9a41
  SHA1: fa194094d6f86b76b9ea51cbee26ea2bd93d8852
  SHA256: 01d5fd9a203634b7d45a547cdf72a1edcd601340f37892c324b5f842b22c7b73
  SHA512: a6d4550a2bd57be7cd3b50754d2826a100a844553e2a4308366cdd442250989971635d3847add663ec307981e8566f9bd823dece00fac48d085f60336bf5d355
  (The dropped second-stage script that the scheduled task runs through WScript.exe; this is the file to hash-match when hunting for the persistence on other hosts.)
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (These four values are the digests of zero-length input: the named pipe to the server service was opened but no content was captured from it.)
Memory dumps (name format memory/<PID>-<index>-<start>-<end>-memory.dmp; PIDs 1448 and 2628 are powershell.exe, 2144 is vlc.exe):
- memory/1448-16-0x000000001B4C0000-0x000000001B7A2000-memory.dmp (2.9MB)
- memory/1448-17-0x00000000027B0000-0x00000000027B8000-memory.dmp (32KB)
- memory/2144-43-0x000007FEF2230000-0x000007FEF2251000-memory.dmp (132KB)
- memory/2144-51-0x000007FEF1D50000-0x000007FEF1D80000-memory.dmp (192KB)
- memory/2144-36-0x000007FEF6E50000-0x000007FEF6E67000-memory.dmp (92KB)
- memory/2144-37-0x000007FEF6D20000-0x000007FEF6D31000-memory.dmp (68KB)
- memory/2144-39-0x000007FEF6C60000-0x000007FEF6C71000-memory.dmp (68KB)
- memory/2144-38-0x000007FEF6C80000-0x000007FEF6C9D000-memory.dmp (116KB)
- memory/2144-32-0x000007FEF5A80000-0x000007FEF5D36000-memory.dmp (2.7MB)
- memory/2144-40-0x000007FEF0600000-0x000007FEF080B000-memory.dmp (2.0MB)
- memory/2144-44-0x000007FEF2210000-0x000007FEF2228000-memory.dmp (96KB)
- memory/2144-46-0x000007FEF21D0000-0x000007FEF21E1000-memory.dmp (68KB)
- memory/2144-47-0x000007FEF21B0000-0x000007FEF21C1000-memory.dmp (68KB)
- memory/2144-45-0x000007FEF21F0000-0x000007FEF2201000-memory.dmp (68KB)
- memory/2144-33-0x000007FEFA840000-0x000007FEFA858000-memory.dmp (96KB)
- memory/2144-42-0x000007FEF2260000-0x000007FEF22A1000-memory.dmp (260KB)
- memory/2144-48-0x000007FEF2190000-0x000007FEF21AB000-memory.dmp (108KB)
- memory/2144-49-0x000007FEF2170000-0x000007FEF2181000-memory.dmp (68KB)
- memory/2144-50-0x000007FEF1D80000-0x000007FEF1D98000-memory.dmp (96KB)
- memory/2144-35-0x000007FEF7270000-0x000007FEF7281000-memory.dmp (68KB)
- memory/2144-52-0x000007FEF1CE0000-0x000007FEF1D47000-memory.dmp (412KB)
- memory/2144-54-0x000007FEF1CC0000-0x000007FEF1CD1000-memory.dmp (68KB)
- memory/2144-56-0x000007FEF1C90000-0x000007FEF1CB8000-memory.dmp (160KB)
- memory/2144-57-0x000007FEF14C0000-0x000007FEF14E4000-memory.dmp (144KB)
- memory/2144-55-0x000007FEF14F0000-0x000007FEF1547000-memory.dmp (348KB)
- memory/2144-53-0x000007FEF1550000-0x000007FEF15CC000-memory.dmp (496KB)
- memory/2144-58-0x000007FEF1C70000-0x000007FEF1C88000-memory.dmp (96KB)
- memory/2144-59-0x000007FEF1490000-0x000007FEF14B3000-memory.dmp (140KB)
- memory/2144-60-0x000007FEF05E0000-0x000007FEF05F1000-memory.dmp (68KB)
- memory/2144-61-0x000007FEF05C0000-0x000007FEF05D2000-memory.dmp (72KB)
- memory/2144-41-0x000007FEED9D0000-0x000007FEEEA80000-memory.dmp (16.7MB)
- memory/2144-34-0x000007FEF80D0000-0x000007FEF80E7000-memory.dmp (92KB)
- memory/2144-30-0x000000013F920000-0x000000013FA18000-memory.dmp (992KB)
- memory/2144-31-0x000007FEF7060000-0x000007FEF7094000-memory.dmp (208KB)
- memory/2144-83-0x000007FEED9D0000-0x000007FEEEA80000-memory.dmp (16.7MB; same range as 2144-41, dumped again later in the run)
- memory/2628-8-0x0000000002D00000-0x0000000002D0A000-memory.dmp (40KB)
- memory/2628-7-0x0000000002810000-0x0000000002818000-memory.dmp (32KB)
- memory/2628-6-0x000000001B590000-0x000000001B872000-memory.dmp (2.9MB)