4bbc8b70e00b04913c72fffbfe4d3f15f327c29ec24f6e6cdb27bd78e7c3dc32

Analysis

max time kernel
146s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FORM_VENDOR_DECLARATION_BANK_INFO.vbe
Size

13KB
MD5

46a86b1e4d1136f04743b65d4c402b9f
SHA1

dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3
SHA256

db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af
SHA512

5b7e79943a3d126b9879d34fd0c023e227477cb82b354855a81b4ca8b090d83a83ffbb3a1a7e63e5715ebccad3d42dc2e578ebd20b7fe5e8acf8a842d9d7f0b0
SSDEEP

384:9ECYUlp+y4DdVWrXDYifV9IG8TLtonspm:2yp+y4ZYv/fAG8TRoom

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

3 3924 WScript.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation WScript.exe

flow	pid	process
3	3924	WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 1040 set thread context of 4980	1040	powershell.exe	AddInProcess32.exe
PID 3364 set thread context of 4528	3364	powershell.exe	AddInProcess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exewermgr.exewermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exewermgr.exewermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

powershell.exeAddInProcess32.exepowershell.exepowershell.exeAddInProcess32.exe

pid	process
1040	powershell.exe
1040	powershell.exe
1040	powershell.exe
1040	powershell.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
3364	powershell.exe
3364	powershell.exe
3364	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
3364	powershell.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe
4528	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1040 powershell.exe
Token: SeDebugPrivilege 3364 powershell.exe
Token: SeDebugPrivilege 3140 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	3364	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WScript.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4780 wrote to memory of 1040	4780	WScript.exe	powershell.exe
PID 4780 wrote to memory of 1040	4780	WScript.exe	powershell.exe
PID 1040 wrote to memory of 4980	1040	powershell.exe	AddInProcess32.exe
PID 1040 wrote to memory of 4980	1040	powershell.exe	AddInProcess32.exe
PID 1040 wrote to memory of 4980	1040	powershell.exe	AddInProcess32.exe
PID 1040 wrote to memory of 4980	1040	powershell.exe	AddInProcess32.exe
PID 1040 wrote to memory of 4980	1040	powershell.exe	AddInProcess32.exe
PID 1040 wrote to memory of 4980	1040	powershell.exe	AddInProcess32.exe
PID 1040 wrote to memory of 2448	1040	powershell.exe	wermgr.exe
PID 1040 wrote to memory of 2448	1040	powershell.exe	wermgr.exe
PID 4780 wrote to memory of 3364	4780	WScript.exe	powershell.exe
PID 4780 wrote to memory of 3364	4780	WScript.exe	powershell.exe
PID 4780 wrote to memory of 3140	4780	WScript.exe	powershell.exe
PID 4780 wrote to memory of 3140	4780	WScript.exe	powershell.exe
PID 3364 wrote to memory of 4528	3364	powershell.exe	AddInProcess32.exe
PID 3364 wrote to memory of 4528	3364	powershell.exe	AddInProcess32.exe
PID 3364 wrote to memory of 4528	3364	powershell.exe	AddInProcess32.exe
PID 3364 wrote to memory of 4528	3364	powershell.exe	AddInProcess32.exe
PID 3364 wrote to memory of 4528	3364	powershell.exe	AddInProcess32.exe
PID 3364 wrote to memory of 4528	3364	powershell.exe	AddInProcess32.exe
PID 3364 wrote to memory of 5088	3364	powershell.exe	wermgr.exe
PID 3364 wrote to memory of 5088	3364	powershell.exe	wermgr.exe
PID 3140 wrote to memory of 4052	3140	powershell.exe	wermgr.exe
PID 3140 wrote to memory of 4052	3140	powershell.exe	wermgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FORM_VENDOR_DECLARATION_BANK_INFO.vbe"
1⤵
- Blocklisted process makes network request
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
1⤵
PID:5096

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4980
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1040" "2716" "2200" "2720" "0" "0" "2724" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2448
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4528
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3364" "2732" "2668" "2736" "0" "0" "2740" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5088
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3140" "2708" "2636" "2712" "0" "0" "2716" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9461a7cfb20ff5381df28f51b80c5ef1

SHA1
c86c53fca1dcbe307dafbefbb366abf52c9f5eca

SHA256
d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028

SHA512
da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
0fa890bcc24627b309591f8d2a692028

SHA1
edba7cfb6fee6860c862d4b384a03cdebe535ee4

SHA256
48b7a3f9b77f9ca8c6e20c9a35dfc8068ad8006f43e6e94c2c46fdb9c35c15c5

SHA512
a34380e2422782a3bab9842424dc41005e4878f735b2aa5d9aa80cbb1a6d4901c50f4022a70fe5232e5e6e9c35f11d6df62908a1b2d1e6a9aa531510430260ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
819f23fbe2d0c7b81aced0fa3d6f7e6c

SHA1
a2a97faef580296a3a77ae469d9b84d1e160a741

SHA256
3b96210da6a90110312c232678b8206af55ed41d6b1957aadae767bd8107c7c0

SHA512
2203505dfa4549acf44a76714389fca3c98b632636db485e5acacb728fe1f158ac47a62e9d1fcc7322b6fe308640645fc3a6e3e942bbd1e372f43183e4eaa331

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5auwhrgk.ry5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
252B

MD5
ebfba0e023f4d03fb71b92b8fb113e56

SHA1
311f3b6718bf19dd9de149a7d4595114b72102e7

SHA256
7e32c1334a9d505c09dfa297be19f05ba79f35f976a281215cc2bfbc4077fa30

SHA512
495334f85fd1c7d8dcb9e89c8bb0e7b6c801c589775abc59361ccd477a65c1be27347b83dadb50aaba86f2458574470715ebdfb001d3dbc77b0a103a8ce197c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f5eb6682c7f27bdea9fe92aceb0d6dd4

SHA1
ef194bfbcecf961f95c30d7a2b5c8e0f6689cc84

SHA256
9c8295d8b165e2bdf3d2ee7f20b95671d7110d7a68416b26143a79926307ebed

SHA512
09e880ad64953fbb58c4e57a842e43d1b5577a30a8a9b8196b390b4a2e7097bc2a51710e2a1c4ac424c13b6ad2417972310bb95ebe0dddcc82882f9a29c5973e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
80896d39aa297e0b875620cdccd86a7c

SHA1
6af7b176b70c6ffefce9c32cf1b1ba89da4de511

SHA256
837af7ee84cc0a9da2464b36d0314f2ff5e59613e307dc3a5c91b63fbca65489

SHA512
1890db36e4a040aaca5222222b0653d2cec87e93fff021aef2b99236a6d385cebd09a1bbd11ab9fc5d738787d687b4c46d94053f76b7238fc5a2c3dbcef90c1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
688f61a0a87254710012451504c7087a

SHA1
978ac9f0e2d5d67df6f725fe41f688efb58c7735

SHA256
24b110701461935933ac6320ffd7a9f52ef8115d0b414fcc2541031a4121b4b9

SHA512
2fb002f44d8a2273f1726dde8f14e0e4843645619b0d8952a4a451d0955c4883a7ca97ed6956c80401e6ceb943e0680d046bd838d5d97521382ac7fabf2fad4e

Download Submit
C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs

Filesize
2KB

MD5
48a6b987d0cde29aca20f8162a24e89b

SHA1
44cc5f173979e6ca893f9cb14f6b0c3bfab0992f

SHA256
693d00bde18e9246ea67b1c6db570d5092aa1c1a5f48d582e0905c518f7560c2

SHA512
00a4e31e5b7a6db0ea3849d5711f37c431d641bf871bdcbc7e382cd840fc496f4ae12601b7ad10fe64b451532caa91d79c6b0fdae93c6a1ece2057aa2a93ec4b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1040-18-0x0000022D568D0000-0x0000022D568DA000-memory.dmp

Filesize
40KB

Download
memory/1040-17-0x0000022D568C0000-0x0000022D568C8000-memory.dmp

Filesize
32KB

Download
memory/1040-15-0x0000022D577D0000-0x0000022D57846000-memory.dmp

Filesize
472KB

Download
memory/1040-14-0x0000022D57700000-0x0000022D57744000-memory.dmp

Filesize
272KB

Download
memory/1040-13-0x0000022D3E760000-0x0000022D3E782000-memory.dmp

Filesize
136KB

Download
memory/4980-19-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download