4bbc8b70e00b04913c72fffbfe4d3f15f327c29ec24f6e6cdb27bd78e7c3dc32

Analysis

max time kernel
138s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FORM_VENDOR_DECLARATION_BANK_INFO.vbe
Size

13KB
MD5

46a86b1e4d1136f04743b65d4c402b9f
SHA1

dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3
SHA256

db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af
SHA512

5b7e79943a3d126b9879d34fd0c023e227477cb82b354855a81b4ca8b090d83a83ffbb3a1a7e63e5715ebccad3d42dc2e578ebd20b7fe5e8acf8a842d9d7f0b0
SSDEEP

384:9ECYUlp+y4DdVWrXDYifV9IG8TLtonspm:2yp+y4ZYv/fAG8TRoom

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 2544 WScript.exe

flow	pid	process
2	2544	WScript.exe

Drops file in System32 directory 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2072	powershell.exe
2072	powershell.exe
980	powershell.exe
980	powershell.exe
1812	powershell.exe
1812	powershell.exe
584	powershell.exe
584	powershell.exe
2092	powershell.exe
2092	powershell.exe
900	powershell.exe
900	powershell.exe
800	powershell.exe
800	powershell.exe
2188	powershell.exe
2188	powershell.exe
2952	powershell.exe
2952	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

taskeng.exeWScript.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2712 wrote to memory of 2832	2712	taskeng.exe	WScript.exe
PID 2712 wrote to memory of 2832	2712	taskeng.exe	WScript.exe
PID 2712 wrote to memory of 2832	2712	taskeng.exe	WScript.exe
PID 2832 wrote to memory of 2072	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 2072	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 2072	2832	WScript.exe	powershell.exe
PID 2072 wrote to memory of 3060	2072	powershell.exe	wermgr.exe
PID 2072 wrote to memory of 3060	2072	powershell.exe	wermgr.exe
PID 2072 wrote to memory of 3060	2072	powershell.exe	wermgr.exe
PID 2832 wrote to memory of 980	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 980	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 980	2832	WScript.exe	powershell.exe
PID 980 wrote to memory of 2016	980	powershell.exe	wermgr.exe
PID 980 wrote to memory of 2016	980	powershell.exe	wermgr.exe
PID 980 wrote to memory of 2016	980	powershell.exe	wermgr.exe
PID 2832 wrote to memory of 1812	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 1812	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 1812	2832	WScript.exe	powershell.exe
PID 1812 wrote to memory of 2436	1812	powershell.exe	wermgr.exe
PID 1812 wrote to memory of 2436	1812	powershell.exe	wermgr.exe
PID 1812 wrote to memory of 2436	1812	powershell.exe	wermgr.exe
PID 2832 wrote to memory of 584	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 584	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 584	2832	WScript.exe	powershell.exe
PID 584 wrote to memory of 2996	584	powershell.exe	wermgr.exe
PID 584 wrote to memory of 2996	584	powershell.exe	wermgr.exe
PID 584 wrote to memory of 2996	584	powershell.exe	wermgr.exe
PID 2832 wrote to memory of 2092	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 2092	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 2092	2832	WScript.exe	powershell.exe
PID 2092 wrote to memory of 1396	2092	powershell.exe	wermgr.exe
PID 2092 wrote to memory of 1396	2092	powershell.exe	wermgr.exe
PID 2092 wrote to memory of 1396	2092	powershell.exe	wermgr.exe
PID 2832 wrote to memory of 900	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 900	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 900	2832	WScript.exe	powershell.exe
PID 900 wrote to memory of 1340	900	powershell.exe	wermgr.exe
PID 900 wrote to memory of 1340	900	powershell.exe	wermgr.exe
PID 900 wrote to memory of 1340	900	powershell.exe	wermgr.exe
PID 2832 wrote to memory of 800	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 800	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 800	2832	WScript.exe	powershell.exe
PID 800 wrote to memory of 1600	800	powershell.exe	wermgr.exe
PID 800 wrote to memory of 1600	800	powershell.exe	wermgr.exe
PID 800 wrote to memory of 1600	800	powershell.exe	wermgr.exe
PID 2832 wrote to memory of 2188	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 2188	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 2188	2832	WScript.exe	powershell.exe
PID 2188 wrote to memory of 2620	2188	powershell.exe	wermgr.exe
PID 2188 wrote to memory of 2620	2188	powershell.exe	wermgr.exe
PID 2188 wrote to memory of 2620	2188	powershell.exe	wermgr.exe
PID 2832 wrote to memory of 2952	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 2952	2832	WScript.exe	powershell.exe
PID 2832 wrote to memory of 2952	2832	WScript.exe	powershell.exe
PID 2952 wrote to memory of 1872	2952	powershell.exe	wermgr.exe
PID 2952 wrote to memory of 1872	2952	powershell.exe	wermgr.exe
PID 2952 wrote to memory of 1872	2952	powershell.exe	wermgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FORM_VENDOR_DECLARATION_BANK_INFO.vbe"
1⤵
- Blocklisted process makes network request
PID:2544

C:\Windows\system32\taskeng.exe
taskeng.exe {6D6DBFF7-AAA1-46A6-9F0A-F501F0EA472F} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2072" "1164"
      4⤵
      PID:3060
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "980" "1284"
      4⤵
      PID:2016
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1812" "1156"
      4⤵
      PID:2436
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "584" "1148"
      4⤵
      PID:2996
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2092" "1144"
      4⤵
      PID:1396
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "900" "1160"
      4⤵
      PID:1340
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:800
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "800" "1152"
      4⤵
      PID:1600
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2188" "1160"
      4⤵
      PID:2620
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2952" "1272"
      4⤵
      PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259448286.txt

Filesize
1KB

MD5
97467b42836ba2b5973d4cf2298fd043

SHA1
5130212b9655ef8e162f97c9ecf72060687d9bf4

SHA256
93c672de85beb33ed8e0002e275edb29ee4ae0dfba22e45ae12ee3b1a48a60c4

SHA512
42e8bedd0f8d5ccab957e22d1a7f89b9a60eb3e56a0bd811620b71b137aa8978f3d6296fc3830b237e7571d45b73bd76e49af9d6fa768be8a2a176c526909bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259458466.txt

Filesize
1KB

MD5
f58b86e67ab0c369d32c68e4a7eb17de

SHA1
0098b13434e0f81698737d7457334489ea71f787

SHA256
1deeca4d0eb845ab91b18e307998459cc77ea4466f00720ee4a258f0eb1e59d7

SHA512
a1fefa614681d5f85d7b983e10590bc45faa38c7a0102f7c57f33a03d9444aa397da9fd820360786a63871ee7aa91ba1f806b03bc4d872774859c8f8af5209bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259475586.txt

Filesize
1KB

MD5
9d4536db45b06df2f75d4dac9832554a

SHA1
72a36d9c8c31c95ece10a371a1efc9141eb35dfe

SHA256
53cbe58417481cd6ae6bc53912bd3ad5de5d2fa05c7ef85059717fefc074923b

SHA512
a67f70364a488d457883f9494ad4604e071333193fc9552ac5c8377d2055d1120a2755f4ce836af1e006785875854e142227a5c93224ed3dfe3f0715fee880b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259490335.txt

Filesize
1KB

MD5
a7747385932ed6c35c91a9218f55192e

SHA1
e10c6d6b73283ad6336c78d2647cfb26db5a962c

SHA256
13fddbc10589d860a66d4ecde32b9be9d29df19e9cec008b7b1df86532f531a6

SHA512
bed84dc9e6cbb43576b098bb54746b869920d81b49feea1cf454422826318d07ab77ed5d2960104ea0db9e19f72b0ced444585f7e85b5de2e0a8d477cf528aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259506523.txt

Filesize
1KB

MD5
8564fa9a093faee3eaf5bac93eb0cec2

SHA1
9e76f5a4d9f88c62344466363c4af5829b6861c8

SHA256
7e107539a6cbd679bb965196a98ad6a7eac3d7b1634104e88b655c2ca2e03bb0

SHA512
7c9ea13d7d35860c2406b67ebdc02c2a14909bd79d6bd38e39a92118682adf594929e0891c50a43acb320ac5fe0bc08c3fa2e680d9b4814fcb9a91642f9db21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259520947.txt

Filesize
1KB

MD5
9259b0668937e4714afc0138b1eef8e7

SHA1
362a9d1df954e5b50b64b9e945c9fff85962fc35

SHA256
2ad5b0e0aaa191b15fc57f01a14c9a27a2228c71b564a3b430a15b509770ecd8

SHA512
5bdc0ac7ce7bacfc20fc214e8e29ff1de541344f22749f49d7db3f44c50dd09bfc4891d2f89a45c6f2523ec19921fbfab2893ae4affd89457bed1ce452b487cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259539063.txt

Filesize
1KB

MD5
fe6f9edbff7fa27d6d97b74662c87342

SHA1
aab05ecedb1d8d5e76cd978b1db1c96281ec1f33

SHA256
35168ca7bf3cb4ceaca345357899ff77be99f7b6b5926d13fd3b40fbe7dea382

SHA512
aa94223493d1ef6cd4da86fef80619e1df1131c12cb33c8ec55f139eabdcff3e865f6d3c0cce7f29818a3bac15b4cb79ad008a4ad56fd0d7c9780a1d02073603

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259554459.txt

Filesize
1KB

MD5
a16cc1ea1cb525c6d1a88f334965d867

SHA1
20f47f51a4bab77c3c956801921f0cec41e79ac6

SHA256
351260535cd825385ec8690cc42fa8603b32dd22e749c5c9bfa953b06b10c04b

SHA512
67b90b328b2e7548e579c997c7534f97c2abea9c86f0bfde9346c867ba81ccef01e826f0a2255a3f1db10dd730e3ce74b2cece6fbe5124472fa772ea5976d8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259567455.txt

Filesize
1KB

MD5
ac1a9c9f2fc89beb66f8a516ba352e9a

SHA1
86d3c9df102b82c63fc23ccf59ec20c0f0a975df

SHA256
8016566e9fe782fc8ff5ded88fbbd9d3841a53581acdb5741f27cd6d3894fe55

SHA512
fd6e654b5a1df19c666bd4ff4bedf93fb6ca8748d750bcba51ef9d8738836fff4e3811b5b567e3d85fd9b2156fb6efeaa390ac273b63cd2cdf94f92adadd753b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
35cfccd67be377f9a9d5b58fa81c15ce

SHA1
f8364c2942c3b8e02f150c2e38015af2fd86d937

SHA256
ed95a0ff7f50d1de8d4e347a42e2cc430311d83a55d9dff73c62ec7da9e8b411

SHA512
aaaf83ada1c9e9e067a0f55db204c33641d81ed97a0d8173fc4d25ddca07426536d470d64ffae5dba97d4d324ff24de99d665c5a81103486a5059d0ac0a34bed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NUKOHRCVULTRVVMUYBSU.temp

Filesize
7KB

MD5
bcbecc946cf5c1bbc37341d856419958

SHA1
dadd40697dcf677aae35246bb9b591072a7b93fa

SHA256
eed6a15923f11c1b964871d3d71c670ff8f0810cfbd0901aa5123a81a50cea46

SHA512
76e6137cf8ebac00079bd7c0359ee3d83a35a6e65d70216604291a3768ad24e61dc8688b41a655d6ca40f89dff855b9bfbdef24b52339fddea3c74589b7008ca

Download Submit
C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs

Filesize
2KB

MD5
48a6b987d0cde29aca20f8162a24e89b

SHA1
44cc5f173979e6ca893f9cb14f6b0c3bfab0992f

SHA256
693d00bde18e9246ea67b1c6db570d5092aa1c1a5f48d582e0905c518f7560c2

SHA512
00a4e31e5b7a6db0ea3849d5711f37c431d641bf871bdcbc7e382cd840fc496f4ae12601b7ad10fe64b451532caa91d79c6b0fdae93c6a1ece2057aa2a93ec4b

Download Submit
memory/980-18-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/980-17-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2072-9-0x000000001BCB0000-0x000000001BCBA000-memory.dmp

Filesize
40KB

Download
memory/2072-8-0x0000000002D90000-0x0000000002D98000-memory.dmp

Filesize
32KB

Download
memory/2072-7-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2072-6-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download