Resubmissions

  • 27-08-2024 14:08
    240827-rfnhjawdkn (score 8)
  • 27-08-2024 14:06
    240827-rer5bswcqp (score 8)
  • 26-08-2024 14:14
    240826-rj5afsyhmk (score 9)

Analysis

  • max time kernel
    156s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-08-2024 14:08

General

  • Target

    FORM_VENDOR_DECLARATION_BANK_INFO.vbe

  • Size

    13KB

  • MD5

    46a86b1e4d1136f04743b65d4c402b9f

  • SHA1

    dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3

  • SHA256

    db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af

  • SHA512

    5b7e79943a3d126b9879d34fd0c023e227477cb82b354855a81b4ca8b090d83a83ffbb3a1a7e63e5715ebccad3d42dc2e578ebd20b7fe5e8acf8a842d9d7f0b0

  • SSDEEP

    384:9ECYUlp+y4DdVWrXDYifV9IG8TLtonspm:2yp+y4ZYv/fAG8TRoom

Score
8/10

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FORM_VENDOR_DECLARATION_BANK_INFO.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:4812
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2816
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2344
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2484" "2728" "2656" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4092
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1492
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4744" "2788" "2724" "2792" "0" "0" "2796" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3284
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4092" "2708" "2616" "2712" "0" "0" "2716" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:4980
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4668
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1440" "2720" "2708" "2724" "0" "0" "2728" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:1404
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "664" "2684" "2612" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3808

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    53KB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emo0xmvb.1lq.ps1

    Filesize

    60B

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

    Filesize

    504B

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

    Filesize

    252B

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    6KB

  • C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs

    Filesize

    2KB

  • \??\PIPE\srvsvc

  • memory/2344-19-0x0000000001300000-0x0000000001347000-memory.dmp

    Filesize

    284KB

  • memory/2484-13-0x000002A279A10000-0x000002A279A32000-memory.dmp

    Filesize

    136KB

  • memory/2484-18-0x000002A27C5B0000-0x000002A27C5BA000-memory.dmp

    Filesize

    40KB

  • memory/2484-17-0x000002A27A090000-0x000002A27A09A000-memory.dmp

    Filesize

    40KB

  • memory/2484-15-0x000002A27C630000-0x000002A27C6A6000-memory.dmp

    Filesize

    472KB

  • memory/2484-14-0x000002A27C560000-0x000002A27C5A4000-memory.dmp

    Filesize

    272KB