Overview

overview

10

Static

static

1

FORM_VENDO...FO.vbe

windows7-x64

8

FORM_VENDO...FO.vbe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FORM_VENDOR_DECLARATION_BANK_INFO.vbe

  • Size

    13KB

  • MD5

    46a86b1e4d1136f04743b65d4c402b9f

  • SHA1

    dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3

  • SHA256

    db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af

  • SHA512

    5b7e79943a3d126b9879d34fd0c023e227477cb82b354855a81b4ca8b090d83a83ffbb3a1a7e63e5715ebccad3d42dc2e578ebd20b7fe5e8acf8a842d9d7f0b0

  • SSDEEP

    384:9ECYUlp+y4DdVWrXDYifV9IG8TLtonspm:2yp+y4ZYv/fAG8TRoom

Score
10/10
discovery

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 11 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FORM_VENDOR_DECLARATION_BANK_INFO.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:2680
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:116
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1176" "2720" "2572" "2724" "0" "0" "2728" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3140
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:940
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5020" "2808" "2748" "2812" "0" "0" "2816" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2448
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:1080
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "904" "2732" "2664" "2736" "0" "0" "2740" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3100
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\system32\wermgr.exe
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3916" "2684" "2612" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:5068
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2060
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ShowEnable.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
      • Process spawned unexpected child process
      PID:2240
    • C:\Windows\SysWOW64\pcaui.exe
      "C:\Windows\SysWOW64\pcaui.exe"
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    deb11eff9d6a0597b88799d114ca6518

    SHA1

    a7877e615c7f38837cce547614a44e3ed807915d

    SHA256

    8fd7adf2d88b24a209f12317c12890fa2d282be97f7bb825c30ee3ac031601d7

    SHA512

    3cedc0dacd0810bd06d297b79ee4b4a3dbbd58a9e4391945b78bbe214a634c903d0f0775aca3c9e434624d94e502e0d5518f6b353feaedb18617d900f2497c1d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    3KB

    MD5

    5c76b52025b860ee50eca7cc310ec6d2

    SHA1

    0f3ef3b361242099c08bcd84b4279e0de3ee9ab1

    SHA256

    ce9fa103546aade26c40fb2ec44710c799b7ac60608661b269926ba846562226

    SHA512

    025989830d4f79b934e8e0500306ed09aada128fb13f0166277a131b894a606319779d6fcea3250c981a65ef37dec6eb063f19b04acd56ecdb2767e919abb42d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    3KB

    MD5

    b4f957593354e47325383a8736581fa3

    SHA1

    f0383640d40dfd76422340e738a45bb89d350929

    SHA256

    2e2be1f90a58a57a366494723f4a8f0d69ab4663320258e8f9c8ca8f6fa0b4b9

    SHA512

    5d896d879748bfc5417c43970e72825e3d790148f22e71b8c03b9da16a095d02ad5d1ece19efe6c125c7673470e427bb8e0954196a44f2517d42e1cdc45e58ae

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize

    3KB

    MD5

    1e529b381fd83f447beb6a485a74d575

    SHA1

    e674d77c837b5392f19c9d74abd2e054e0bf4cc8

    SHA256

    aa0b0b2b39c41591f0acc82695db3b52e422fb1084412e03e36e52b61309082a

    SHA512

    7abe25ef2644b3646a2eba84282c769f38ef6ca2825a31dfd1e51e206fd42732a5c0a144a6cb13be1be74d9bda9547ee02a04db03bf8caf3e77b934c20071826

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TCDA754.tmp\iso690.xsl
    Filesize

    263KB

    MD5

    ff0e07eff1333cdf9fc2523d323dd654

    SHA1

    77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

    SHA256

    3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

    SHA512

    b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pqgcjl31.v5r.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    377B

    MD5

    ad1ab3372adbd10513e8df80836a0648

    SHA1

    b8072ee18aa6f4c6b1857b75a551e9ab2c460c8e

    SHA256

    1813a81a45e72afb9a2c90e1acbb89871cd285ba9eb22f100188b7dcaad1b18e

    SHA512

    9368fb731e26159718a2373449e38a87d84990df7952fc1238ea26248e91321e962389a4a13a9705b5d0da18d3b33ca41db50253f1e876b10093010916645934

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    756B

    MD5

    e116fe4ed638310b72c2d9ba4db38106

    SHA1

    1ff1a127ab5f8a5e3b4ecd18dd90505831c6d4b6

    SHA256

    b8c6dba50fb16df88a7d7d8a63711391a0268a64a838a7f39ca86ff430c7f5ff

    SHA512

    3dc41a3676d7ed28fba2ced94ed3eb8accc4e4f31a1f0372dbafea23cb6e5d6bbf8d2a1a8eeae057c1d035c4e82bc1b9e2d4b1b185ec08e6fe7ca8f561c37c26

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    252B

    MD5

    ebfba0e023f4d03fb71b92b8fb113e56

    SHA1

    311f3b6718bf19dd9de149a7d4595114b72102e7

    SHA256

    7e32c1334a9d505c09dfa297be19f05ba79f35f976a281215cc2bfbc4077fa30

    SHA512

    495334f85fd1c7d8dcb9e89c8bb0e7b6c801c589775abc59361ccd477a65c1be27347b83dadb50aaba86f2458574470715ebdfb001d3dbc77b0a103a8ce197c7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Filesize

    504B

    MD5

    b84ef05fc58b25ab60a168534d8bd20d

    SHA1

    d71dd5fcb3cc64cf0b5cfe21edc10c5ae75abbb6

    SHA256

    96593c74c478435dbc154ed3882a3c4859b61662e13984d34e7d1ff41d7e00cf

    SHA512

    32c5f8b5b5a9515770ec06a4dc8ef29ff3b171a8ea4f34b6b6d1cd546eef2bd166007b1e90e4c14adbc50e9b50e71a45219e1c244f5c179802d8277a429a2bca

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    5f14e1b8bd73213cffb60a1d4f567d04

    SHA1

    a8ec34024cbf1ebf1719a38c05cce66a7de9da94

    SHA256

    271f4b4e5081c703c36afefea9e6b29ea09abbc4197075cf43c79d2e7592d406

    SHA512

    b555b34f115a4290218ba6ccd58b94b24d567dc7c19d4c84502e645f9636c434a91a39e98daa1bc990acdc04353f82f34fff291e0cd3e60e615c778802b57825

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    dcc29db32467869abf5af94b16b577a4

    SHA1

    9c7755606147bd535b7543661145d251c361c74c

    SHA256

    5e71cc260afabe9de3e9c9f626df6891be956533bf2547c31f5c9d9972a10af3

    SHA512

    6b8d959c61aabf61f507f3fd4ddbdbba61188eff6f1839e592d428e9fb7fd8d2c20b8d3ecb9f08de16cefdf921310592b1e29637a537f3e6630c63069f7f3c21

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    1bafa6236dc4c1cb6f8bf5c6547bce0f

    SHA1

    132933de0bca4bb1a70a0e79b71ad043c8b1d361

    SHA256

    63d6c815cd4ec4839db905195e0ed889d84133f3427c64457bd5a8ca9e090253

    SHA512

    275b13089d903f84768715cf60605482f2d15aa0462e572cd8523501a707651ff7d66200abf8780dc5b9967cf4e4f8b060f0a72a80e80d7bd0917388f6fec6cb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    3280ab453bd302c59d0c932a9ce3d283

    SHA1

    70c770e8cb780fe54aa9d30bcc0b62914af6fe10

    SHA256

    98beb2b90bfa71ffe2cd455e66722a137def07db1e84ceeee580664a37e49692

    SHA512

    fdb044ede8092c645ed905c00abef78c2f0a2350f4cd362460e56f95c96685beede75e1156bffb9cc8f831e490795b70177a2411b03bcade0618081dee7dca31

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    6KB

    MD5

    797358da3dc7bcc9da88eb643f00d0c9

    SHA1

    ab19afd3bc06658b79e24735ae7df428d148b258

    SHA256

    d4d6ec760a5c1841a28b0553eb076d938a493d32385118c40528576db55296f7

    SHA512

    311ec0bdbe407e7a4593b7ceaefd8b1050df047f16b9725eb076e9d72beeb638dc9d320832d248fec52f0ee02e3f7c4e28edd6e1cbace8ad9254970a0bbaad14

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
    Filesize

    3KB

    MD5

    d1d2da11a6fef7a947f6294e399c29d0

    SHA1

    7460cb359709ec434476cd8cdb06109316334325

    SHA256

    072b65d22b50a57a98501ef6d9ffcb45420e3ef86a9e7caa9d9d6ac08768bd79

    SHA512

    d63b5abf53e81d9d51cd896558fc78f97537aa120cc04836535dc80f948717e7424a65c4e3919958e7752679302f542bdd2b72cc21310e3aedb0e09a820d115e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs
    Filesize

    2KB

    MD5

    48a6b987d0cde29aca20f8162a24e89b

    SHA1

    44cc5f173979e6ca893f9cb14f6b0c3bfab0992f

    SHA256

    693d00bde18e9246ea67b1c6db570d5092aa1c1a5f48d582e0905c518f7560c2

    SHA512

    00a4e31e5b7a6db0ea3849d5711f37c431d641bf871bdcbc7e382cd840fc496f4ae12601b7ad10fe64b451532caa91d79c6b0fdae93c6a1ece2057aa2a93ec4b

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/116-19-0x0000000000B30000-0x0000000000B77000-memory.dmp

    Filesize

    284KB

    Download

  • memory/348-79-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/348-82-0x00007FF8D64F0000-0x00007FF8D6500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/348-80-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/348-77-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/348-78-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/348-76-0x00007FF8D8730000-0x00007FF8D8740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/348-81-0x00007FF8D64F0000-0x00007FF8D6500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/348-278-0x0000020942BE0000-0x0000020942CEB000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1080-275-0x0000000000F40000-0x0000000000F87000-memory.dmp

    Filesize

    284KB

    Download

  • memory/1176-17-0x000001C06E8E0000-0x000001C06E8E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1176-15-0x000001C06E9E0000-0x000001C06EA56000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1176-18-0x000001C06E8F0000-0x000001C06E8FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1176-14-0x000001C06E910000-0x000001C06E954000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1176-13-0x000001C06C4D0000-0x000001C06C4F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3648-276-0x0000000000940000-0x0000000000983000-memory.dmp

    Filesize

    268KB

    Download

  • memory/3648-277-0x0000000000940000-0x0000000000983000-memory.dmp

    Filesize

    268KB

    Download