92b8e93c694b111af7c04d32f857974122aa84c7e38931feff5ab3f41a73bd98

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA PAYMENT.vbe
Size

12KB
MD5

fbd428b36af66d92efc3d5b745bd0027
SHA1

5861ff074403f6783fc2b7c75a9dbf0ce593c077
SHA256

fee12dd38f4e7bddb43d88c548a49eca31bda69c74fe73eb65d04e53f00bf749
SHA512

3f586ee2b17c786e64e1b0244824ead9334b81d6284b38f59f2fcce02fea96650315b66077f01297248ddb9d23d76f2d6d7731ebb8d7b8f212e2e463642eebef
SSDEEP

192:vPcUXIssSUHci9rEi43NIr+MJXgu/ALk41LS8aF+OLLluK:sUXIsspep3NqJwuIo41vakOdT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2364	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2580	powershell.exe
2580	powershell.exe
1440	powershell.exe
1440	powershell.exe
1976	powershell.exe
1976	powershell.exe
2928	powershell.exe
2928	powershell.exe
1508	powershell.exe
1508	powershell.exe
2308	powershell.exe
2308	powershell.exe
1556	powershell.exe
1556	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 3032	2152	taskeng.exe	31
PID 2152 wrote to memory of 3032	2152	taskeng.exe	31
PID 2152 wrote to memory of 3032	2152	taskeng.exe	31
PID 3032 wrote to memory of 2580	3032	WScript.exe	33
PID 3032 wrote to memory of 2580	3032	WScript.exe	33
PID 3032 wrote to memory of 2580	3032	WScript.exe	33
PID 2580 wrote to memory of 2736	2580	powershell.exe	35
PID 2580 wrote to memory of 2736	2580	powershell.exe	35
PID 2580 wrote to memory of 2736	2580	powershell.exe	35
PID 3032 wrote to memory of 1440	3032	WScript.exe	36
PID 3032 wrote to memory of 1440	3032	WScript.exe	36
PID 3032 wrote to memory of 1440	3032	WScript.exe	36
PID 1440 wrote to memory of 688	1440	powershell.exe	38
PID 1440 wrote to memory of 688	1440	powershell.exe	38
PID 1440 wrote to memory of 688	1440	powershell.exe	38
PID 3032 wrote to memory of 1976	3032	WScript.exe	39
PID 3032 wrote to memory of 1976	3032	WScript.exe	39
PID 3032 wrote to memory of 1976	3032	WScript.exe	39
PID 1976 wrote to memory of 2628	1976	powershell.exe	41
PID 1976 wrote to memory of 2628	1976	powershell.exe	41
PID 1976 wrote to memory of 2628	1976	powershell.exe	41
PID 3032 wrote to memory of 2928	3032	WScript.exe	42
PID 3032 wrote to memory of 2928	3032	WScript.exe	42
PID 3032 wrote to memory of 2928	3032	WScript.exe	42
PID 2928 wrote to memory of 1696	2928	powershell.exe	44
PID 2928 wrote to memory of 1696	2928	powershell.exe	44
PID 2928 wrote to memory of 1696	2928	powershell.exe	44
PID 3032 wrote to memory of 1508	3032	WScript.exe	45
PID 3032 wrote to memory of 1508	3032	WScript.exe	45
PID 3032 wrote to memory of 1508	3032	WScript.exe	45
PID 1508 wrote to memory of 1680	1508	powershell.exe	47
PID 1508 wrote to memory of 1680	1508	powershell.exe	47
PID 1508 wrote to memory of 1680	1508	powershell.exe	47
PID 3032 wrote to memory of 2308	3032	WScript.exe	48
PID 3032 wrote to memory of 2308	3032	WScript.exe	48
PID 3032 wrote to memory of 2308	3032	WScript.exe	48
PID 2308 wrote to memory of 996	2308	powershell.exe	50
PID 2308 wrote to memory of 996	2308	powershell.exe	50
PID 2308 wrote to memory of 996	2308	powershell.exe	50
PID 3032 wrote to memory of 1556	3032	WScript.exe	51
PID 3032 wrote to memory of 1556	3032	WScript.exe	51
PID 3032 wrote to memory of 1556	3032	WScript.exe	51
PID 1556 wrote to memory of 2924	1556	powershell.exe	53
PID 1556 wrote to memory of 2924	1556	powershell.exe	53
PID 1556 wrote to memory of 2924	1556	powershell.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOA PAYMENT.vbe"
1⤵
- Blocklisted process makes network request
PID:2364

C:\Windows\system32\taskeng.exe
taskeng.exe {31F5A188-48F4-4FA0-8622-5FC0DD00DC29} S-1-5-21-2257386474-3982792636-3902186748-1000:CTBHAMHL\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\hfEbptrblZEtKMr.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2580" "1236"
      4⤵
      PID:2736
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1440" "1244"
      4⤵
      PID:688
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1976" "1240"
      4⤵
      PID:2628
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2928" "1240"
      4⤵
      PID:1696
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1508" "1232"
      4⤵
      PID:1680
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2308" "1240"
      4⤵
      PID:996
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1556" "1236"
      4⤵
      PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259524212.txt

Filesize
1KB

MD5
5aef57b2d53b4a3ecf9d4c90d5b8fc1c

SHA1
7fc0d9424d4fc66d79109ed6593814c155c10144

SHA256
22dbdc00ee4252a8af6ce903b746859195e1402d8de220929c2ec7d51db7c698

SHA512
7e523e1444565384cb4858f632a0bb4910d45d2cad08d8aeed85fcccd19b4fc547db9aef3336a18c8e040083ed522bd92f8b719acb94a8301b01d923969cb376

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259538967.txt

Filesize
1KB

MD5
af0fc6ee3dd96a41acd110e89e1cccd6

SHA1
0c46fb5718e817237dbd31086215313aa1eb2e0a

SHA256
edb7b0248c8b807623c8067df87cb8be228ed99f7a1fe081595f9f20566302ff

SHA512
2bfa352ac18da1cd8abb8b66cf5168b7a831125c1939188f58f95278ce2ac6900921b7ceb5355e4bb3aee5715f59e5a4d25d93fbc8a186d5f6cc17f9bc6c15fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259557132.txt

Filesize
1KB

MD5
854bd44428d31a3e0c21c97f492d50a4

SHA1
5289e298c2ca86c970993e66168d93eccc82ba8d

SHA256
d3cdc4233aa72b9c8b558b6ba3cef03fe2749f68d614e2652d7e4a21041f3797

SHA512
e508e9e264df4c1f149e7a1e683feb05d6bdc755d6ecb756598bc9392f775ad8d53c2c4a8aff0d556ae09245fd1f98a3e84a8e4d770d1d419124f5d1daa96958

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259567809.txt

Filesize
1KB

MD5
fcbafaeaa1202c0c5016880e228a6da2

SHA1
c3eb67990791fee8810ce7dbb1e9bd09cbcea242

SHA256
636a22a4d6e831ade487b9dbb9125ecc3b285377c68e594fdaf335758a30af5f

SHA512
d16c7b713b34e5c36cdf419d3df61cadd10c0e09c7b91ae3f65a5a7354913457f9d81c6d32c9ef5b241bf1e93f808a05c115acf4d30732df9152ddfbb72dc670

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259584776.txt

Filesize
1KB

MD5
b0d261131e2926fcf30120992bf086c5

SHA1
a1415a57b3d2ef9d6f78ca5565415ba7afefdcb6

SHA256
7a30a641c1225c0d225e65fb15afb12737cd6934b10bf24f72f109cf6a8ca8cb

SHA512
45c7fef5b5dbeff598c588ef780aa15a1e807cc79b4150a7f3f1b07bf0abc7a5a189f6286303ca4579e6a6141e40a58b194e58f7c6b64aa9265ed604ec5a32c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259602654.txt

Filesize
1KB

MD5
6cc20bffef4d3ba02f2cf77081cb3214

SHA1
dbb5637caa89f91bf49df62b5bae2b8dd03f044b

SHA256
14306ee5a93e2fcf9771e203511d7b121eaec9c094145e89d6ce6747a2b2a4d3

SHA512
494c333e09b3a0621034db8a5cb74ba3e7ad8c1af8d5f018678b8a4c6f661d54ae9a32d702189acabaa3bcbef3cb3505d7f3a471b86d5e29f8c2f6730f794dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259615427.txt

Filesize
1KB

MD5
3c0121b54e21d5840961e3a45a9b785f

SHA1
e583cfc19afb5be85b3962018642e3d3ca30db9c

SHA256
96c0edeabe3a49a5ecc0c7dbc5bf609815b36eb5ff2c877dc3ce54fca2b48f26

SHA512
8112624bede4bcb45479a0e646c226ade6cd2cb6cb55c00e1891c41ec3069138cbd0208cf0091808de6134cfb814a69f6ee89923d01dad273083e781bcc381b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
53725aeb88a36cf823738649c03b9467

SHA1
e1d9f2c54f4b0afdcb1d22189ecc6a19439326b8

SHA256
5c701a8aae567bc9361315a3c71db2fab7b6618eb84b1a3ba52c6969b9982c16

SHA512
90bbedec82e78c80d008afef05200d5ac5d6a1f01a038c7597c81ebf3982a7260c13938e16c4f439f3a1360bdde3f0e21d1339716997c8570de0ae62f137d01f

Download Submit
C:\Users\Admin\AppData\Roaming\hfEbptrblZEtKMr.vbs

Filesize
1KB

MD5
1cf9bc887fdc7042ade3dd8d8a7b6ea2

SHA1
fef6a955de43d8fdd33c0d4b8e5434b371c41b25

SHA256
49e9fec4dd85835e3d96f190df48ffc9370b9f046d7428a296a9f57138838c78

SHA512
7fa8e799884fb73816d028b78133b58f19472e91da9b17a7ebe73d43d043dedb362e076aa3efbcc0d71f8120ee22cd69c7fc0520e768ad7e0fdbf5cb556c9f63

Download Submit
memory/1440-17-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1440-16-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2580-8-0x0000000002C60000-0x0000000002C6A000-memory.dmp

Filesize
40KB

Download
memory/2580-7-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2580-6-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download