4bbc8b70e00b04913c72fffbfe4d3f15f327c29ec24f6e6cdb27bd78e7c3dc32

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FORM_VENDOR_DECLARATION_BANK_INFO.vbe
Size

13KB
MD5

46a86b1e4d1136f04743b65d4c402b9f
SHA1

dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3
SHA256

db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af
SHA512

5b7e79943a3d126b9879d34fd0c023e227477cb82b354855a81b4ca8b090d83a83ffbb3a1a7e63e5715ebccad3d42dc2e578ebd20b7fe5e8acf8a842d9d7f0b0
SSDEEP

384:9ECYUlp+y4DdVWrXDYifV9IG8TLtonspm:2yp+y4ZYv/fAG8TRoom

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

1 2104 WScript.exe

flow	pid	process
1	2104	WScript.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2716	powershell.exe
2716	powershell.exe
596	powershell.exe
596	powershell.exe
2932	powershell.exe
2932	powershell.exe
704	powershell.exe
704	powershell.exe
1608	powershell.exe
1608	powershell.exe
1980	powershell.exe
1980	powershell.exe
2396	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

taskeng.exeWScript.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2712 wrote to memory of 2684	2712	taskeng.exe	WScript.exe
PID 2712 wrote to memory of 2684	2712	taskeng.exe	WScript.exe
PID 2712 wrote to memory of 2684	2712	taskeng.exe	WScript.exe
PID 2684 wrote to memory of 2716	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 2716	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 2716	2684	WScript.exe	powershell.exe
PID 2716 wrote to memory of 580	2716	powershell.exe	wermgr.exe
PID 2716 wrote to memory of 580	2716	powershell.exe	wermgr.exe
PID 2716 wrote to memory of 580	2716	powershell.exe	wermgr.exe
PID 2684 wrote to memory of 596	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 596	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 596	2684	WScript.exe	powershell.exe
PID 596 wrote to memory of 1508	596	powershell.exe	wermgr.exe
PID 596 wrote to memory of 1508	596	powershell.exe	wermgr.exe
PID 596 wrote to memory of 1508	596	powershell.exe	wermgr.exe
PID 2684 wrote to memory of 2932	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 2932	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 2932	2684	WScript.exe	powershell.exe
PID 2932 wrote to memory of 3060	2932	powershell.exe	wermgr.exe
PID 2932 wrote to memory of 3060	2932	powershell.exe	wermgr.exe
PID 2932 wrote to memory of 3060	2932	powershell.exe	wermgr.exe
PID 2684 wrote to memory of 704	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 704	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 704	2684	WScript.exe	powershell.exe
PID 704 wrote to memory of 340	704	powershell.exe	wermgr.exe
PID 704 wrote to memory of 340	704	powershell.exe	wermgr.exe
PID 704 wrote to memory of 340	704	powershell.exe	wermgr.exe
PID 2684 wrote to memory of 1608	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 1608	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 1608	2684	WScript.exe	powershell.exe
PID 1608 wrote to memory of 3056	1608	powershell.exe	wermgr.exe
PID 1608 wrote to memory of 3056	1608	powershell.exe	wermgr.exe
PID 1608 wrote to memory of 3056	1608	powershell.exe	wermgr.exe
PID 2684 wrote to memory of 1980	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 1980	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 1980	2684	WScript.exe	powershell.exe
PID 1980 wrote to memory of 2508	1980	powershell.exe	wermgr.exe
PID 1980 wrote to memory of 2508	1980	powershell.exe	wermgr.exe
PID 1980 wrote to memory of 2508	1980	powershell.exe	wermgr.exe
PID 2684 wrote to memory of 2396	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 2396	2684	WScript.exe	powershell.exe
PID 2684 wrote to memory of 2396	2684	WScript.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FORM_VENDOR_DECLARATION_BANK_INFO.vbe"
1⤵
- Blocklisted process makes network request
PID:2104

C:\Windows\system32\taskeng.exe
taskeng.exe {9BF16FDD-E57F-4768-A14F-E6B3F2CDF6A0} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2716" "1276"
      4⤵
      PID:580
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "596" "1156"
      4⤵
      PID:1508
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2932" "1152"
      4⤵
      PID:3060
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "704" "1164"
      4⤵
      PID:340
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1608" "1160"
      4⤵
      PID:3056
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1980" "1160"
      4⤵
      PID:2508
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259490290.txt

Filesize
1KB

MD5
9417b3491f77ae6b66c7e8b80381c82a

SHA1
171e63274bc31e95dce69b830f9a1e030a00f9c2

SHA256
3fc0985d4d05257b357614c942e920a71418b80c0fb49a07f5670723d84f2a3c

SHA512
978eebe0e7f37a69b8d4ad730b243220b7cf57c075ad2b7afede18072bf47cb939debd7a8f2d4595a6e6639377c90671c6c04ae4e00a482e06abe0e14d9c739d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259512026.txt

Filesize
1KB

MD5
3ac0916df731d3333573cb97901c504c

SHA1
51abe775da27d0dd173deb9093800f97ac0a4fb1

SHA256
1e3f283a00cb82595a298b7731fd59663d0f5d3ebaa75e1088b04deb5d5b4654

SHA512
3df1009fb883131c1701b2f6d20439799ce7fe0f4247e4d998485fefbc1ea7f615a5b9f2c1dddc1d140e0bf757790ea068dfb8f819679da0046fdce13893b827

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259526202.txt

Filesize
1KB

MD5
df0f75ad493cc05ca55323e995e6e585

SHA1
7e6e549841053ba8386fe0ce0af0ce7c0b844f95

SHA256
39d15e25faae1aee60ac2aaab1257632bac50f611ea8bdbaf8f84aaade6a6867

SHA512
87095be4d6399b39ef38cd8e4bbaecef4e01dd22dee3a302a8fdf5d109606d40e525927d3b7af3cb8e3a2e33cb37485564d21029b2c23911dbbe942397dfda0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259542190.txt

Filesize
1KB

MD5
99316adb9ac12c4963a9b096629d6a9f

SHA1
da9a0d9189b8cc0f37ff8d75df4aded8aaf6c11a

SHA256
938a3eb8180231ea8098516744686d7f8375db78cf58e7e5570216a27a3cf358

SHA512
bc01e44ecc7f497a4425acdd5e9ba97ff75c8c1214651a395274c3bd4daf1fdbc282173beb3a796d5d690926580b1755201bd4a88333a42bab309a7fcb8e9848

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259553638.txt

Filesize
1KB

MD5
182e3679ee805c0ee02288fd4b46414c

SHA1
ba74f4e5cb7d9b4d4fb9a7430600360b7e7b9bef

SHA256
1ba386453d2b65df648e5523133d2e91cbb793ec7eb39e6a2915660dd366f990

SHA512
413408e710601437e722dc55ab3246f10aebbf345439de261aa8a74e2d4d0c8e3437f421fb2a341a8ec151dc293a7385515012ed87693ecb61f0e2f228b1c238

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259575794.txt

Filesize
1KB

MD5
43f08597a48a9b11d64cd840e7209dba

SHA1
c50e2f4a14761e260fda35a6cf0ac7e8548c83e3

SHA256
4efaf67cb2c7a689aa13c1872ca0c860e070184f314d1d0608b15989311e5ebc

SHA512
1820cda6126b1749ca7a65167e332fff7882f3cd9178e6cc4e04fe53f4d36682de87a3a21cff85a5f68c953b4b078772591c0b0bcaf42ee8f304744b69203155

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
be2e75a806da3716fe65b2d1e00e60ea

SHA1
bac3a624e41007b03fb9a0ce50b516c8e2477afb

SHA256
fb80681be835658622b6cee4fdb23a2f15ba4d01a12ad13b8210169cfb4962d9

SHA512
9bea608ba61af5158fd5b0cd95686092aaa8bdd35ef377b56ad694867d63f1959e4963924b3de81d760fc4379abaae1c4b3300d997ad5c1837128f32898f8710

Download Submit
C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs

Filesize
2KB

MD5
48a6b987d0cde29aca20f8162a24e89b

SHA1
44cc5f173979e6ca893f9cb14f6b0c3bfab0992f

SHA256
693d00bde18e9246ea67b1c6db570d5092aa1c1a5f48d582e0905c518f7560c2

SHA512
00a4e31e5b7a6db0ea3849d5711f37c431d641bf871bdcbc7e382cd840fc496f4ae12601b7ad10fe64b451532caa91d79c6b0fdae93c6a1ece2057aa2a93ec4b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/596-17-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/596-18-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2716-9-0x0000000002C60000-0x0000000002C6A000-memory.dmp

Filesize
40KB

Download
memory/2716-8-0x0000000002A10000-0x0000000002A18000-memory.dmp

Filesize
32KB

Download
memory/2716-7-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2716-6-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download