3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf

Resubmissions

04/09/2024, 14:41

240904-r2xnbstdjb 7

10/04/2024, 10:27

240410-mhk3zacd83 7

Analysis

max time kernel
124s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 14:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf.vbs
Size

6KB
MD5

e3eb6e9bc8321adb844e30606ed275a4
SHA1

a8730f75bc6bf86e39b26cbf7ec9ab71883012f9
SHA256

3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf
SHA512

0025ccbd19bdc213c438aaa41b0160e6f83d345394ab06c090ef37d512d63fca8732aaba51fd0e5c00aeed2865806426b788ef50ce88ffb429381abe29bd9fa3
SSDEEP

96:elifguAgKNtexhBCCutCviwSHlmhhFOR3az0sAMWlP:88E4q2M3aWlP

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ResumeConvertFrom.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 020000000100000000000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "7"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0\NodeSlot = "9"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2\0\0\NodeSlot = "10"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "6"	rundll32.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2000	schtasks.exe
1084	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2400	rundll32.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
2400	rundll32.exe
1520	WORDPAD.EXE
1520	WORDPAD.EXE
1520	WORDPAD.EXE
1520	WORDPAD.EXE
1520	WORDPAD.EXE

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2704	2532	WScript.exe	33
PID 2532 wrote to memory of 2704	2532	WScript.exe	33
PID 2532 wrote to memory of 2704	2532	WScript.exe	33
PID 2532 wrote to memory of 2716	2532	WScript.exe	35
PID 2532 wrote to memory of 2716	2532	WScript.exe	35
PID 2532 wrote to memory of 2716	2532	WScript.exe	35
PID 2716 wrote to memory of 2840	2716	cmd.exe	37
PID 2716 wrote to memory of 2840	2716	cmd.exe	37
PID 2716 wrote to memory of 2840	2716	cmd.exe	37
PID 2532 wrote to memory of 2884	2532	WScript.exe	40
PID 2532 wrote to memory of 2884	2532	WScript.exe	40
PID 2532 wrote to memory of 2884	2532	WScript.exe	40
PID 2532 wrote to memory of 2884	2532	WScript.exe	40
PID 2532 wrote to memory of 2000	2532	WScript.exe	43
PID 2532 wrote to memory of 2000	2532	WScript.exe	43
PID 2532 wrote to memory of 2000	2532	WScript.exe	43
PID 2532 wrote to memory of 2948	2532	WScript.exe	45
PID 2532 wrote to memory of 2948	2532	WScript.exe	45
PID 2532 wrote to memory of 2948	2532	WScript.exe	45
PID 2948 wrote to memory of 2132	2948	cmd.exe	47
PID 2948 wrote to memory of 2132	2948	cmd.exe	47
PID 2948 wrote to memory of 2132	2948	cmd.exe	47
PID 1720 wrote to memory of 1952	1720	WScript.exe	49
PID 1720 wrote to memory of 1952	1720	WScript.exe	49
PID 1720 wrote to memory of 1952	1720	WScript.exe	49
PID 1720 wrote to memory of 1572	1720	WScript.exe	51
PID 1720 wrote to memory of 1572	1720	WScript.exe	51
PID 1720 wrote to memory of 1572	1720	WScript.exe	51
PID 1572 wrote to memory of 264	1572	cmd.exe	53
PID 1572 wrote to memory of 264	1572	cmd.exe	53
PID 1572 wrote to memory of 264	1572	cmd.exe	53
PID 1720 wrote to memory of 3036	1720	WScript.exe	56
PID 1720 wrote to memory of 3036	1720	WScript.exe	56
PID 1720 wrote to memory of 3036	1720	WScript.exe	56
PID 1720 wrote to memory of 3036	1720	WScript.exe	56
PID 1720 wrote to memory of 1084	1720	WScript.exe	58
PID 1720 wrote to memory of 1084	1720	WScript.exe	58
PID 1720 wrote to memory of 1084	1720	WScript.exe	58
PID 1720 wrote to memory of 1600	1720	WScript.exe	60
PID 1720 wrote to memory of 1600	1720	WScript.exe	60
PID 1720 wrote to memory of 1600	1720	WScript.exe	60
PID 1600 wrote to memory of 296	1600	cmd.exe	62
PID 1600 wrote to memory of 296	1600	cmd.exe	62
PID 1600 wrote to memory of 296	1600	cmd.exe	62
PID 2400 wrote to memory of 1520	2400	rundll32.exe	63
PID 2400 wrote to memory of 1520	2400	rundll32.exe	63
PID 2400 wrote to memory of 1520	2400	rundll32.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dir /b C:\Windows\Microsoft.Net\Framework\v4.* >1.txt
  2⤵
  PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c where /r C:\Windows\Microsoft.NET\Framework\ csc.exe > 1.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\where.exe
    where /r C:\Windows\Microsoft.NET\Framework\ csc.exe
    3⤵
    PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /out:C:\Users\Public\content\content.exe /target:winexe /resource:C:\Users\Public\content\content.bin C:\Users\Public\content\content.cs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /CREATE /sc minute /mo 5 /tn "S-1-5-21-1846800975-3917212583-2893086201-1000S-1-5-21-1846800975-3917212583-2893086201-1000" /tr "C:\Users\Public\content\content.exe" /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS /Query /FO LIST /V /tn S-1-5-21-1846800975-3917212583-2893086201-1000S-1-5-21-1846800975-3917212583-2893086201-1000 > 2.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Query /FO LIST /V /tn S-1-5-21-1846800975-3917212583-2893086201-1000S-1-5-21-1846800975-3917212583-2893086201-1000
    3⤵
    PID:2132

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c dir /b C:\Windows\Microsoft.Net\Framework\v4.* >1.txt
  2⤵
  PID:1952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c where /r C:\Windows\Microsoft.NET\Framework\ csc.exe > 1.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\where.exe
    where /r C:\Windows\Microsoft.NET\Framework\ csc.exe
    3⤵
    PID:264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /out:C:\Users\Public\content\content.exe /target:winexe /resource:C:\Users\Public\content\content.bin C:\Users\Public\content\content.cs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /CREATE /sc minute /mo 5 /tn "S-1-5-21-1846800975-3917212583-2893086201-1000S-1-5-21-1846800975-3917212583-2893086201-1000" /tr "C:\Users\Public\content\content.exe" /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS /Query /FO LIST /V /tn S-1-5-21-1846800975-3917212583-2893086201-1000S-1-5-21-1846800975-3917212583-2893086201-1000 > 2.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Query /FO LIST /V /tn S-1-5-21-1846800975-3917212583-2893086201-1000S-1-5-21-1846800975-3917212583-2893086201-1000
    3⤵
    PID:296

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf.vbs
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
  "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf.vbs"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.txt

Filesize
12B

MD5
1553a24788772d819bf65e65d640a83a

SHA1
78833dd13f8f6abea09c340585bd16e311f9f053

SHA256
e20bd636aa3b121a5e1961de234bcd3e26a022b8d976f6b4b6d3c1f908df54a1

SHA512
b5b1e8ee4fa1349f75a310eeea2d6b8888093060ef07223ee0a0b9fef63f69adaa8553cb2e26ec37a188a7350f930d6a273107f7c6a75593502fde2203d73a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.txt

Filesize
159B

MD5
2b21fa1eb8b60826214409656af634a6

SHA1
9ba74502483b020a8d8d6ee012844b5ab607a4a6

SHA256
31db3ceb02898746e946f215cfba712f28deacb12569eb9da67871231574f0b7

SHA512
2eca18acbecab8f9822afbc16215d299e34c23e3686db759fe87e354cf1aa7935ab7318958a378f05c9e677e8fb218a7439c8f0dfecee8ad924e942902d702e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.txt

Filesize
1KB

MD5
8e1179f68288345810303d5206057b0a

SHA1
00aa66faeeb32362dd171444a71a81223a154c4e

SHA256
5e2b27f90e9a873733a471ba945a046519798ae6600b83deed21dac23ef149f1

SHA512
5fd7718c54845126df7151c375b1a36f0c6438ed31185d39d1575a7261e10e6b530870b652014f12a617918455305780c080b177a0e056bd099364730ac48a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.txt

Filesize
1KB

MD5
df99e9815c790ff3627d62383827d822

SHA1
519380664f2977508adeb98fd4c53711df905601

SHA256
a3e22856b1006afde3d2be394ca5b1d8d7e131fca23dd15148c98ad81153ee00

SHA512
559ab811104afc500d3cf39096ed537c7524d2c15e1d8885a3d621a1b6b1690912e371cd5c86bc14b71b01cc4f0f6f28fa9f0986478e1af86f3f94709a67e1fa

Download Submit
memory/2400-10-0x0000000004010000-0x0000000004020000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads