Analysis
-
max time kernel
1800s -
max time network
1560s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
18-07-2024 12:10
General
-
Target
target.vbs
-
Size
1B
-
MD5
7215ee9c7d9dc229d2921a40e899ec5f
-
SHA1
b858cb282617fb0956d960215c8e84d1ccf909c6
-
SHA256
36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068
-
SHA512
f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768
Malware Config
Signatures
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies registry class 47 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\LimitStop.vbs"1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\LimitStop.vbs"1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\LimitStop.vbs"1⤵
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n1⤵
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1481⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode 10002⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
-
C:\Windows\system32\tree.comtree2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\ApprovePublish.xltFilesize
270KB
MD51f4755dee9ade7d0c71ff83fe55cb3df
SHA16a73365dde1ec0d859550911bd3f825fa9c93c07
SHA256662d006e6b618d14b8c82659967def8a89bfde2b6d18ba17ff9cc0c7c71d09fd
SHA512a6463ed8eb3dae0ab93d63f05bc6140231de9e8aae4d835047ff33168d4c881bf9266ca4f21d5d40d16a2d36f904f6f508c4fd4247e8e11111deac05615e45e2
-
C:\Users\Admin\Desktop\AssertInvoke.wdpFilesize
317KB
MD5b9c348449c1b2c6d98d0ba92a1275fa7
SHA13c440199e5a3d34e5cb5308bd8164693c87dd80e
SHA256495e22bbe2faa6bf6cf1b4012f6c1cbea9b5028a24b1cb2e0a277f1f2d117be4
SHA512088408e600dd304187c1c72b966924be5f450dae2c30e6f7ea5749271c416a8201e0f767d0b77609ba3d349b1870140bf7ef630a20ffc52180d37313b0a713b8
-
C:\Users\Admin\Desktop\BackupStep.TTSFilesize
364KB
MD53a44180f022537cb824a5979e2451dec
SHA163a01ba0cfae216f8c382fcb8ba6a33deb9f228b
SHA2562f759a0257c29814f2eb50d23292d683dc155fa304626e0dd11d6477c2c76a80
SHA512203af9ce7eced99946dc72ecdb08036d57e93679409e9a125934e644d5e6d3e1a7c162a93d76abf04ef43c66b53af3534791fae07c38f8ded1e227820be4a2d2
-
C:\Users\Admin\Desktop\CheckpointSplit.movFilesize
293KB
MD53afedbf435b01b1a9c56334c40c8b785
SHA15080cc6864c15ac331b3d77d230273ea771217ba
SHA256c87914d3e42a253db0b46df39122b3cf124687a559ec8f7b8561a94609c338ac
SHA512bd1c8d149be7f952b67e6af714ca3e610548daf6a2e9606abca997d070b28fd0ffc9974945d365896699347cc2abe0b4ee4830e9b0a96ca9f629327cba447f76
-
C:\Users\Admin\Desktop\ConvertRemove.vbeFilesize
223KB
MD52aacf7535f45747142afc8b8ede7e2d6
SHA11b378fe689e2760c240d9c76378219703a1f1706
SHA256d3fcaaf535b70c2b72b086daccd78b6a947ff53322b343304146b90c9a556024
SHA512146af1a7f0a01f3dadf6a6630959597772d2de7e58cad87b64df583642aee211412c84f0abe39eb4882eb2fdb7e305f88c77b33f8094bd02261ab9b74174ef3f
-
C:\Users\Admin\Desktop\DisableRead.jsFilesize
164KB
MD55267569b5a2639d68177d83b69a685b4
SHA11ee659087d936dd33b22bd07aecd2191f92e2142
SHA256638d5135384d40c6355f9824d77396e2b01e4c68d426b6ac0cfc52ffbfc9598e
SHA512acf94d7cd8ac578682c3356738077c105f2c31cf0265fc34cfe500ce19b7474de1c2eeb04d5d410b2519f9d881bd9b9563d2ce950303acbb642aaa4b84f09e69
-
C:\Users\Admin\Desktop\ExpandSelect.tiffFilesize
188KB
MD52be7a5a63f9f61399d10f8208c43f090
SHA17552e56f6f3623201ac4194614c69bcd154d017c
SHA2568e2faecfd6a908f8918ed25b5f610f639eba286a1b98c5d2b1022ef95fb0f24f
SHA512899dad7fb679c71886573cfb675c3eef4e4be31cac90d38cb77298eab79c4e05879e6f50a22a84e63ea6a40d9c19230cf63f58e5f5af4d7e85bb8ab148ddce72
-
C:\Users\Admin\Desktop\ExportUnblock.mpeg3Filesize
211KB
MD58043372aba62d0d996af7ee191f85a4c
SHA1b3239151e65b41433a80fac96d079fef93ebb704
SHA2565cbb21cec197e1194ed4d8678e75ed1dba1b450f85520fede1bc07c5d754f65e
SHA5127f2a7757a29af39d6597c380f2fc92dbabfd7ad92da59a3e749538984109cc38fe7f6901b631c1b87f3d7c43e2a3c176c3121145f08247b69ae3449eb9b809f0
-
C:\Users\Admin\Desktop\FindApprove.MODFilesize
176KB
MD50677921d41b264bf6fb1d710c190e779
SHA1266d841aa706879d65d4be45da5fee9151eace71
SHA256bdac283b2987bad025822e47f7b4354023aed0b80f9a8e3dff42ad01b3de7d3f
SHA51247c70dd57d1127b7f792df3822bd0705cd1fbc6ce0625ae89db9d859a62c2624bccc875c7f655752fd1813a8ba89fb8450a7066207c763f1090ac381a50088fd
-
C:\Users\Admin\Desktop\InstallHide.vswFilesize
434KB
MD5e2813d525995237dbaf47916329f0904
SHA1cd189adab63a39aff830438f4367f25a5171ae77
SHA256fab8b3d4c4b3b077d259d275e674f09ecbeb59ca5beec8745f587cfe3d81b8e8
SHA512ef7a50c6adba1d10cb187d99ecd3f84d916977d3ac6e9d28786589074527178766c6e02a2ec96485bd274314fd22439857b69b158ca21a8b93f6f5db460581d7
-
C:\Users\Admin\Desktop\InstallSync.3gpFilesize
646KB
MD51b04d9d42f11082187976d609fc02ab8
SHA169000eef8c9a865078721f42d7735054a8f91ff0
SHA25638ddcd0825e619cc0b3bd4d1d9a72f099d41fc36d7f0637594d68649c31ff852
SHA5126833adafb64d47d448a13aef0438b2731b0626ee432cc5074e69bdf59fad2278e06fe3b4abb031be61f268bb8509046d5eff1856ce0b2e4ca9baf9e954044c89
-
C:\Users\Admin\Desktop\JoinApprove.TTSFilesize
282KB
MD5fcd28c8135be3efbde126325e6705626
SHA17f3b1bbeac90dd811868d444e8ec92f1adc21426
SHA2569338ab296f279b2161b5cd9cd3ba16bd702e345cdb723b253695e3590bee9487
SHA5127a5dc023158793e49e7aa5c775aaeeb9869eebae9ae29758b71c64cfa7d45f2ad8b7f6b440ff20a806782b8e8a3e81c17f72f54426bf13024dfcadc48146c7c5
-
C:\Users\Admin\Desktop\LimitStop.vbsFilesize
411KB
MD5558424a297dd92cc119031b659e0af9b
SHA1d45d9cb8e8c0b0c2d5b8aade57362a4c81f06a0a
SHA256d8a6783fb52b9153bcb0e3bd00ba27832ad0a821583a29eed0daed6812378dc5
SHA512fd11b0db68c10a954f5a7b1ef823bbc1286ea2bdf9a57e0dfb79f7fedc3066bfd50add3aef6dea43869695a159011e7d2d1a2934554361546610f92d633a391e
-
C:\Users\Admin\Desktop\LoadData-Albania.batFilesize
1KB
MD5a6a6c4a646cd50c6b3c89622d96a28c8
SHA154cb075f3485311a9bfb436d65a6f6da037351ec
SHA256d53421f5ba9f8865c2b7e9a26073c0e82758df1e852ec6d7b6f2eabc35fc5db6
SHA5124befc81120d84136513bf3039a2a36aa587c22ffe5ebb6af205bbb13f4e04976d36e5495a3b70e7f23923b923f3b7af45c944c11650b55964169a253fff048cc
-
C:\Users\Admin\Desktop\LockUnpublish.rtfFilesize
258KB
MD5dfb92fb6bb544a0f01c287a61c8be759
SHA12af70f6e68d63b0fc251077194821a7ad5692a7d
SHA256ad0709ab4dd92729cd9e82342dd771be90beabbdfbded135c33346f0cf69f6dd
SHA51251734c4cd61faf99827419cdf195647390ba73bf7242ed7f96bfd102bd22eee3096851af8ad545b64de27c64f2d1ec025c86955431d3cb2242479df19b24d3d9
-
C:\Users\Admin\Desktop\MeasureRepair.xlsFilesize
470KB
MD5a66d39f2e853b29ef01d531e5f0fd0ba
SHA12df416cc12462d81fbf234ff8526bce53fa1c089
SHA256c7809649c84b84258dec74d5377008b9d474567bd80868e64d118f743a3ba554
SHA51253543490cff8b5999564797e4c249dc51eb5ccd34a16b6c5b02cb1beee343ba598e8a3489513512aebb789057c725c540b8077772f0a1290112442641c36defd
-
C:\Users\Admin\Desktop\MountReset.docxFilesize
17KB
MD5b5c639e1c6ff7895df66ceed84cd5876
SHA195cef1b9fa28cae46901915fb9fefb8b40111d1c
SHA2561b80e0f3472c3e031a1d117a233abcb4a1579a5965fd7a6afda24129e212c67d
SHA51246e53e9cb539d353f1c2ae216aebb44686337bcc0a67d778d8060e80d9de079a5cb19685345724f0c1d3b382602c6d23e1594d5b9ee917f2a8174d0b6de64874
-
C:\Users\Admin\Desktop\OutEdit.jtxFilesize
246KB
MD54410d758fddcbb2923b746681e77fea1
SHA16a06a0078a55fd849ff42b8bf143ac0ed140b2e5
SHA256816e84d1834de78f6f53282c4cb56ce2186b232c28a407d9664fefde79b7da87
SHA5120552aa4b5912760cd941d3e9e10fed0318448aa8785a417ea05d5dd2959dbadfefd9d7e897e0a8acf3428578987d1757c1e3f8cb15b62ede59bd4feb75b6af78
-
C:\Users\Admin\Desktop\PingInitialize.tiffFilesize
235KB
MD543d22b0bcb66cb8ef5b1d95b49a2bf13
SHA1ef298b87c1a0991016561a9cc10f9ca9ddb7f7f3
SHA256f3c3c714dbeafe84a9d0749eee89c15c040d4b395a9aa1d60a93afa9d552e8c1
SHA5125a707285f243a9072a89e5bcd8d7a36ba750588fda81d1feea864d756a92e5d97ef8fc234a200f668f7d573f2d66c162ff174fd9e328fd5de4b9264fa0b8c446
-
C:\Users\Admin\Desktop\ProtectBackup.dibFilesize
423KB
MD5e9b01ab033790772fd60fb5babbc67db
SHA1a4d62395bc5aa5484ca23a798eef7af9e7472c0a
SHA25669506fe7fda9ed4382139c200d489665664b6c3851519f2c6be5599cb7d07359
SHA5127800a2a267acaa0206b915df398ab5f94e065a584444d840bdc0dfec2ffaecbbe6773f301d1a0754dac03c3c7961c05ae26a7abfd7bc26b7ad1f09ecb7f04a33
-
C:\Users\Admin\Desktop\RedoSave.asfFilesize
446KB
MD5add05fbcdaf090d2b081fb912ec053c3
SHA1d30083f56da672628a425c07341f82f2a5947a64
SHA2560597adf67c8677be10573ebf38106cc9f90fa51e8c53ce4a5137ddbedb82ffa7
SHA51220fa8bdfa404b5697612705e18bf3621b7d029493dbbfa01edc777f72d2344198a1d0102391b0f24cf41b4ff3b8dae5f6f677bc09c29c7f42a4d5e928b7641ea
-
C:\Users\Admin\Desktop\RenameHide.dibFilesize
340KB
MD537004ddcfc88fb72f21a64615d189da5
SHA1570777172c181ba8f920064bea7d571f6f9397e4
SHA256e8d8be2b522f31c9a5c4dbabde263ebc80898742dc3b7d7902aa4921cb3f9317
SHA512b313102ca5097df786edf5727634196a2aa3fe9fd220b82f6fc42db44325db796393beb4fec02f4971b8891865074cebf607c3dac285456cdd993f930cb667ea
-
C:\Users\Admin\Desktop\RenameRemove.3gppFilesize
376KB
MD5416641e06c8061dfa03f9bae1f152e74
SHA1364a28f9d8fa5ce9f0b301d2c576d90c8eb86cb6
SHA2565005b85747470193ce3a1a22c33c8547fd25226a6a37ed06af0e524cdd797d79
SHA512eb7154e2ea335ef52ebf5ca7c88d897513f47393f629cba69a097b58ea609b160723ae2965cc123468b0c0b989a0c65ab78ce661aec435fb24101c4c7f4fb49e
-
C:\Users\Admin\Desktop\RequestSubmit.docxFilesize
18KB
MD58d8f5f1eb0df6724442e06f0abe7ba9f
SHA17f0fd538527b64cecbe79520caf25d76979036b5
SHA2562164100aafefbe933ffe2f565a04e00525be34c89374ee3ea9d0103dfa93f200
SHA51295b29533696f92a0ccfce2eb739ec4d8631f2b2aa61a36723e7bc8afee9934afd98a4febb9d583ccabc3f27c8aeba8f56ecba9717109bac1bdd6c71d79fdea8b
-
C:\Users\Admin\Desktop\ResetSkip.vstmFilesize
352KB
MD54def7094bed28af5f6cdf67ad20e7a5e
SHA1a63bc2a0735fc57f9381095b8060a27f4e907c2a
SHA2562568edc9a4053c1860ec331c3ffa599f1c40a6175027f0332b4b540c5aaeb39d
SHA512addd03e72e8746f2758e9f4ef1cf8fbe421c7f05130f1d79056447d075cb0ecfa15a63bfe2c21405b5e5fdc7061c9b2bf3965f7b8869d44c7d94ba62a5d86568
-
C:\Users\Admin\Desktop\SearchRestart.iniFilesize
305KB
MD5367cb2e12bce7e67079d640c6cf35a3a
SHA17cbd716aaa2fedad8284ffa694ccf0b489c52c7a
SHA256d0f2771c7be98c6ac2280254d431196f3bd1d847f62172462f851d78954832d2
SHA51270b077281f8ae97f028643911598be158c0da6c3eeb9034d0a365f671edca46b1acf955ecddb925398ea10f8c0c5286bd065b047f650075fc6ba166e84cbd396
-
C:\Users\Admin\Desktop\SearchUnregister.mp2vFilesize
458KB
MD52b9d1b29914890c3717b166668f80945
SHA1c7ee2f532e535386108111edf1cf740f5b5a8da4
SHA256d323110b90937d42ad774e0995a7e263f2f391f8feb9653b720a81a47f1483f3
SHA512071c3bc625203d9f1ba33fdb605d1a5f4f6f703abdf6c38ca457f8f702333b96044dfb54f8e2bdfbf55f0457c05a916ea3513834cc7aa96962725630980f0433
-
C:\Users\Admin\Desktop\SelectResolve.M2VFilesize
199KB
MD586435fa18982b9360fa8488ff9e77911
SHA19d1019996f521c911e6c451f6e41d41ca96d209a
SHA256edcce6fbe871bf9b6cf9287633870c8df4151987458ecfbba068bc1a097faa15
SHA512aa80c96e686085ae4d97d0d5de12ef52391bcd286015b4cc59de6918d6b23c3a0ee88b4d0dcb0a3832b530d32f6d9e8870ac316ac123a5521a4c72f4b044ccf2
-
C:\Users\Admin\Desktop\SendGrant.aviFilesize
329KB
MD516a76d238f0e4366d1ce63cd859eeb14
SHA18284d3b7f61c73cf1a73dabe302977b2fadc7541
SHA256fd8bffda6cb2baac362eda2802fe4686ac9ff8cc8f5bee7c5b479cb1c0de5fd7
SHA512c13a994edb37d6e118d0985541540b45f83f0a4e3c2d050c59f075c4b1ee97f664a7ad7ea0f31a91a4a96a3ce257542c518a5cddcb2d34ae6f798f17a6814957
-
C:\Users\Admin\Desktop\SwitchUndo.rtfFilesize
399KB
MD5d1fa8d1e9ab26f30c9f88f9d1d4eb405
SHA1a7b97499bfe643f451dcb2082dd30f3ce89519b4
SHA2565ba08b35f1213ad675a102a1f4a55da19e74be1e26a323574d3ca39aab94bd46
SHA512634e091352d58fdc1ddf53da8c8ac040bcdf21190c4fdc722a9b58acbd9465240020b5048758b22e663a1d29a8859291725d0fbd61ceafee41ecefc5ba7b2123
-
C:\Users\Admin\Desktop\UnpublishGrant.vsdFilesize
387KB
MD5dabff5e648d8f6d32aa4390440a236ac
SHA183ab0af0f3e5099dc9054b1aff1276ba5b587963
SHA25610c28db775906298cb05bfb8f5411884cc754bce0be29dc5cc8da18cc188b08a
SHA5123c3544821a5ab40152e666027d7605beb116cb7a6fd9eb4eebb658611bf13025ce02df4501e6da475456572a2c827a3f61661c89ab8eb3ebbedbfd76ad9ed9e8
-
memory/1112-24-0x0000000072AFD000-0x0000000072B08000-memory.dmpFilesize
44KB
-
memory/1112-23-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1112-22-0x0000000072AFD000-0x0000000072B08000-memory.dmpFilesize
44KB
-
memory/1112-21-0x0000000072AFD000-0x0000000072B08000-memory.dmpFilesize
44KB
-
memory/1112-20-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1816-35-0x0000000004E90000-0x0000000004EA0000-memory.dmpFilesize
64KB