4bbc8b70e00b04913c72fffbfe4d3f15f327c29ec24f6e6cdb27bd78e7c3dc32

Resubmissions

27-08-2024 14:08

240827-rfnhjawdkn 8

27-08-2024 14:06

240827-rer5bswcqp 8

26-08-2024 14:14

240826-rj5afsyhmk 9

Analysis

max time kernel
73s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FORM_VENDOR_DECLARATION_BANK_INFO.vbe
Size

13KB
MD5

46a86b1e4d1136f04743b65d4c402b9f
SHA1

dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3
SHA256

db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af
SHA512

5b7e79943a3d126b9879d34fd0c023e227477cb82b354855a81b4ca8b090d83a83ffbb3a1a7e63e5715ebccad3d42dc2e578ebd20b7fe5e8acf8a842d9d7f0b0
SSDEEP

384:9ECYUlp+y4DdVWrXDYifV9IG8TLtonspm:2yp+y4ZYv/fAG8TRoom

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

1 1656 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation WScript.exe

flow	pid	process
1	1656	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2920 set thread context of 4640 2920 powershell.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2920 set thread context of 4640	2920	powershell.exe	AddInProcess32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exewermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exewermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings OpenWith.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4848	powershell.exe
4848	powershell.exe
836	powershell.exe
836	powershell.exe
836	powershell.exe
2388	powershell.exe
2388	powershell.exe
2388	powershell.exe
2920	powershell.exe
2920	powershell.exe
2920	powershell.exe
4384	powershell.exe
4384	powershell.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OpenWith.exe

pid process

4400 OpenWith.exe
4400 OpenWith.exe
4400 OpenWith.exe
4400 OpenWith.exe
4400 OpenWith.exe

pid	process
4400	OpenWith.exe
4400	OpenWith.exe
4400	OpenWith.exe
4400	OpenWith.exe
4400	OpenWith.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 532 wrote to memory of 4848	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 4848	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 836	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 836	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 2388	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 2388	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 2920	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 2920	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 4384	532	WScript.exe	powershell.exe
PID 532 wrote to memory of 4384	532	WScript.exe	powershell.exe
PID 2920 wrote to memory of 4640	2920	powershell.exe	AddInProcess32.exe
PID 2920 wrote to memory of 4640	2920	powershell.exe	AddInProcess32.exe
PID 2920 wrote to memory of 4640	2920	powershell.exe	AddInProcess32.exe
PID 2920 wrote to memory of 4640	2920	powershell.exe	AddInProcess32.exe
PID 2920 wrote to memory of 4640	2920	powershell.exe	AddInProcess32.exe
PID 2920 wrote to memory of 4640	2920	powershell.exe	AddInProcess32.exe
PID 4384 wrote to memory of 1640	4384	powershell.exe	wermgr.exe
PID 4384 wrote to memory of 1640	4384	powershell.exe	wermgr.exe
PID 2920 wrote to memory of 2496	2920	powershell.exe	wermgr.exe
PID 2920 wrote to memory of 2496	2920	powershell.exe	wermgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FORM_VENDOR_DECLARATION_BANK_INFO.vbe"
1⤵
- Blocklisted process makes network request
PID:1656

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4640
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2920" "2724" "2400" "2728" "0" "0" "2732" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2496
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4384" "2676" "2608" "2680" "0" "0" "2684" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
eac89c18702b68c88895ef5259a554a1

SHA1
af14286e8b31a9d5e15a1ebc5bf6bd6f2d0675fe

SHA256
8a2ace3858600ce55b7a22030bbb16795e7b594f17f3a7572ff6aaaa24b4a198

SHA512
4244df91807081cbb8698edf0ee237b96bfe627f5a85be018050c4c6cbf52496aa5a0123fd213dd1602cabf55ea265a5b1d66a4d7d035aa41cf443eed42a15a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
6e6d88960a2258f4590e97c382884634

SHA1
244736513d2d071227c3df04532e67c818e7c9cd

SHA256
84cc5d85e71eed874541bd9724ebec8827a12b730b72bd8040fec29ab8a37a50

SHA512
d2d5d9aa3fb3b9ac0984f2d06da26c857f6d5479a41caa6b54e04e59b9682283219223a7b217cb9e719bad57381030aa87a9b92a6ed15d865f6d6b1eb96bce2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0lsoeu4k.rxm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
886e4beb498ff85de52f5483b82d91e9

SHA1
179a6cffb34fe31704a8ba022e556fc3e3ac6e67

SHA256
69dc1387fa9fa6a9e5d31efc81b7481cc007b9ba7d0ed0ca64d4ee5f2bad66f6

SHA512
78b14a8e3841b68a2d104d3fff5a29b44d4389f70fe67ec7c93d45331be57b66f364c800a8c85eecad14321fc7ded9cf6e9bb8c3d826371f00e9452715449047

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
3f8532f9b0c3f20ba99299e2408b7a6f

SHA1
29612eb957542e9c0a2b25c6455d05a28df67a46

SHA256
d9ed9775818af86a81c09fbcdfc4649ff937b6faa050d03e674a3d06fe88aeb7

SHA512
a3f0a325191759562fbd9968777e0547f6c2a854047fa1aeb0bfc6309391a1140eea1f19487a1f338c4fe5b20f43abb4742f11268c9dfb8f0961687a9d08c201

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
bf6b477525c35d502ef716aeaccdf856

SHA1
0d125fff8cfda2dfed252f88ee43c0a959160272

SHA256
166b89d7054f268963fe22c6c361fa180a1ca462afb0fc070cf04791c59dbb50

SHA512
01ea0a75fdfe520f0742f46453e9e40473c989da1c659cce375491260de56121238fb0597b7be9d81df8cf4463be649c8ff1715dfb38f109ca66df8d90ce3617

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
fbd36ffdb8ec890b74f566d90aa4306b

SHA1
85579bf6d17dc70ff5c839b8f2ef16013dc6312b

SHA256
ce2c20372cd6a6a0a1e1905b816e18f6b95e01476d5c03907ecef468bf29321d

SHA512
eddc721a0081ae53437aeb67079f1a987b112585365bd09c57e839a9d009235a69fcd94be2eb5539f51c6f76a356877bf357d857c0770fc1f606b3ce4d964891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
eb065fd17eb3ed9703a74579099f0edb

SHA1
bd66fab1a65cb33813c0ec1a8930c67e0fc7207d

SHA256
5443f3f1efdbd9104cc8b8d12a413bb9cd96e76cf47f1bfbd892b53ace730774

SHA512
f562a12d845110cdbec9f86f77420d4d3c7427d11eed911638e418f1678e81cfe096290547556b2304e2b344234751a9a98b064b28f139c291025d854ee9bdcb

Download Submit
C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs

Filesize
2KB

MD5
48a6b987d0cde29aca20f8162a24e89b

SHA1
44cc5f173979e6ca893f9cb14f6b0c3bfab0992f

SHA256
693d00bde18e9246ea67b1c6db570d5092aa1c1a5f48d582e0905c518f7560c2

SHA512
00a4e31e5b7a6db0ea3849d5711f37c431d641bf871bdcbc7e382cd840fc496f4ae12601b7ad10fe64b451532caa91d79c6b0fdae93c6a1ece2057aa2a93ec4b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2920-88-0x0000019AC87D0000-0x0000019AC87DA000-memory.dmp

Filesize
40KB

Download
memory/2920-89-0x0000019AC8830000-0x0000019AC883A000-memory.dmp

Filesize
40KB

Download
memory/4640-90-0x0000000000190000-0x00000000001D7000-memory.dmp

Filesize
284KB

Download
memory/4848-15-0x000001D05EDA0000-0x000001D05EE16000-memory.dmp

Filesize
472KB

Download
memory/4848-14-0x000001D045F60000-0x000001D045FA4000-memory.dmp

Filesize
272KB

Download
memory/4848-13-0x000001D045F30000-0x000001D045F52000-memory.dmp

Filesize
136KB

Download