ece18c6e4b98ce3ed6321e2f59159b8401f6797347c7f947f19db53474b51eff

Analysis

max time kernel
147s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ece18c6e4b98ce3ed6321e2f59159b8401f6797347c7f947f19db53474b51eff.vbe
Size

13KB
MD5

a6af6f6ddf4ddf8b2b7b1f2634383835
SHA1

336a5775a5d073c7f84c3102d4a235354203a5cf
SHA256

ece18c6e4b98ce3ed6321e2f59159b8401f6797347c7f947f19db53474b51eff
SHA512

300223c1c6ef6aab23d10791643fcdf0edf0cfea38dfe72581a76fd461c596f9417295873484df0e9520c6ea1d047c4ff5bc487509ae6f1dbbc98e7a1cf983aa
SSDEEP

384:uEP6YUlp+y4DdVWrXDL6SuvTra0qtRFWSBQXW:DSp+y4ZYvGVvT3qtKYQG

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2228	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2452	powershell.exe
2452	powershell.exe
2144	powershell.exe
2144	powershell.exe
2184	powershell.exe
2184	powershell.exe
3024	powershell.exe
3024	powershell.exe
2480	powershell.exe
2480	powershell.exe
784	powershell.exe
784	powershell.exe
1572	powershell.exe
1572	powershell.exe
1588	powershell.exe
1588	powershell.exe
2896	powershell.exe
2896	powershell.exe
1800	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2420	2700	taskeng.exe	30
PID 2700 wrote to memory of 2420	2700	taskeng.exe	30
PID 2700 wrote to memory of 2420	2700	taskeng.exe	30
PID 2420 wrote to memory of 2452	2420	WScript.exe	32
PID 2420 wrote to memory of 2452	2420	WScript.exe	32
PID 2420 wrote to memory of 2452	2420	WScript.exe	32
PID 2452 wrote to memory of 1492	2452	powershell.exe	34
PID 2452 wrote to memory of 1492	2452	powershell.exe	34
PID 2452 wrote to memory of 1492	2452	powershell.exe	34
PID 2420 wrote to memory of 2144	2420	WScript.exe	35
PID 2420 wrote to memory of 2144	2420	WScript.exe	35
PID 2420 wrote to memory of 2144	2420	WScript.exe	35
PID 2144 wrote to memory of 1312	2144	powershell.exe	37
PID 2144 wrote to memory of 1312	2144	powershell.exe	37
PID 2144 wrote to memory of 1312	2144	powershell.exe	37
PID 2420 wrote to memory of 2184	2420	WScript.exe	38
PID 2420 wrote to memory of 2184	2420	WScript.exe	38
PID 2420 wrote to memory of 2184	2420	WScript.exe	38
PID 2184 wrote to memory of 324	2184	powershell.exe	40
PID 2184 wrote to memory of 324	2184	powershell.exe	40
PID 2184 wrote to memory of 324	2184	powershell.exe	40
PID 2420 wrote to memory of 3024	2420	WScript.exe	41
PID 2420 wrote to memory of 3024	2420	WScript.exe	41
PID 2420 wrote to memory of 3024	2420	WScript.exe	41
PID 3024 wrote to memory of 3000	3024	powershell.exe	43
PID 3024 wrote to memory of 3000	3024	powershell.exe	43
PID 3024 wrote to memory of 3000	3024	powershell.exe	43
PID 2420 wrote to memory of 2480	2420	WScript.exe	44
PID 2420 wrote to memory of 2480	2420	WScript.exe	44
PID 2420 wrote to memory of 2480	2420	WScript.exe	44
PID 2480 wrote to memory of 1752	2480	powershell.exe	46
PID 2480 wrote to memory of 1752	2480	powershell.exe	46
PID 2480 wrote to memory of 1752	2480	powershell.exe	46
PID 2420 wrote to memory of 784	2420	WScript.exe	47
PID 2420 wrote to memory of 784	2420	WScript.exe	47
PID 2420 wrote to memory of 784	2420	WScript.exe	47
PID 784 wrote to memory of 1508	784	powershell.exe	49
PID 784 wrote to memory of 1508	784	powershell.exe	49
PID 784 wrote to memory of 1508	784	powershell.exe	49
PID 2420 wrote to memory of 1572	2420	WScript.exe	50
PID 2420 wrote to memory of 1572	2420	WScript.exe	50
PID 2420 wrote to memory of 1572	2420	WScript.exe	50
PID 1572 wrote to memory of 2092	1572	powershell.exe	52
PID 1572 wrote to memory of 2092	1572	powershell.exe	52
PID 1572 wrote to memory of 2092	1572	powershell.exe	52
PID 2420 wrote to memory of 1588	2420	WScript.exe	53
PID 2420 wrote to memory of 1588	2420	WScript.exe	53
PID 2420 wrote to memory of 1588	2420	WScript.exe	53
PID 1588 wrote to memory of 2416	1588	powershell.exe	55
PID 1588 wrote to memory of 2416	1588	powershell.exe	55
PID 1588 wrote to memory of 2416	1588	powershell.exe	55
PID 2420 wrote to memory of 2896	2420	WScript.exe	56
PID 2420 wrote to memory of 2896	2420	WScript.exe	56
PID 2420 wrote to memory of 2896	2420	WScript.exe	56
PID 2896 wrote to memory of 2384	2896	powershell.exe	58
PID 2896 wrote to memory of 2384	2896	powershell.exe	58
PID 2896 wrote to memory of 2384	2896	powershell.exe	58
PID 2420 wrote to memory of 1800	2420	WScript.exe	59
PID 2420 wrote to memory of 1800	2420	WScript.exe	59
PID 2420 wrote to memory of 1800	2420	WScript.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ece18c6e4b98ce3ed6321e2f59159b8401f6797347c7f947f19db53474b51eff.vbe"
1⤵
- Blocklisted process makes network request
PID:2228

C:\Windows\system32\taskeng.exe
taskeng.exe {FB6E12B7-C8B6-4EBE-AB23-28CE7B128E13} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\pxoPoGtbRQrOzlN.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2452" "1160"
      4⤵
      PID:1492
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2144" "1156"
      4⤵
      PID:1312
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2184" "1164"
      4⤵
      PID:324
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3024" "1268"
      4⤵
      PID:3000
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2480" "1164"
      4⤵
      PID:1752
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "784" "1156"
      4⤵
      PID:1508
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1572" "1164"
      4⤵
      PID:2092
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1588" "1152"
      4⤵
      PID:2416
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2896" "1280"
      4⤵
      PID:2384
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259465414.txt

Filesize
1KB

MD5
741b2fc97ca65ab10c28aac8bcafa273

SHA1
5ace931adea0be5605a9c7495e9d65061222d994

SHA256
805f08b058a2c0faae65f40af29c89d3e8e3b7f311f53f192ca7aa2d9d3bd718

SHA512
a300f3f5824d40d7352f7a162aa5589ebe7f2e8fc5ee9ffcfb1f0c85fd56aed7428ae46b62a508e0efc66530e485dd501dd0b33b08a2c019a23b3be0c64933c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259488274.txt

Filesize
1KB

MD5
e20e75bc2fefa78537d4b1cb7b7605fb

SHA1
766e42eb37796eb549f07c823436c50806e95808

SHA256
eff23cb11adf74695393b8608418db2136071a044b48d846e2fbfd60292aa413

SHA512
ca1be154c5f873a9dd40ee2165f6fe25e8e9fbdd84ed14456639949c4c199b09a30ee88887a42765c6a076fc8ed708e0257f1ac5011ed08b67e7c9f5bbb6ba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259500986.txt

Filesize
1KB

MD5
cf6974f31c5a469283893294bc5d3bfa

SHA1
370be064d2b8319bd8aecc5b08beacfce07ea1d4

SHA256
866795c42ac8197ef11f96e647131754be84b047df2bca6f5e38ea9ac66ddb9c

SHA512
19b0512d23ea69fb97aedd36d4c9d76125060f8eb0071936fc4b594f2a2713a51f385fd7e50be03aa49c41e5a778a820014ca7e305ec2194f50d0ccdaf6edb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259512354.txt

Filesize
1KB

MD5
9b3c32973d0995122cec12f705458456

SHA1
2b4856205f54210f643e850da754168ade20b026

SHA256
b36ab6d49a3337828c0156371f2238cbaa7d225aeb32ea7221096b2952da8868

SHA512
141d940aa113a961f488bea5b95619d9e27fd6171f51a962bd3252bca7ca09a2e45f8223de7a836bd60c9e2e3b2d5c6d264eab2d69633b25d955a91e0e4e7671

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259527842.txt

Filesize
1KB

MD5
c5dd8125ce9f172600348142e560be27

SHA1
b7d012d055ea9b7e48fcc21daaa7026151cdce41

SHA256
37054533855198a959860e58d7abd4c393c7d574f85bd3afd9e5acbde765d588

SHA512
0124172e30b2c5d75cc15ca662fd8b4cd53ff545a90cf9d5fd01d2d32c92a19fa7aa89b79980417702900324d48fe4511b05889f53a440359f480e26bfb255b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259542722.txt

Filesize
1KB

MD5
c601b326a8b1632cd95416adaca9ad91

SHA1
ac2e0436092a88bf95243dac1f2cebb4c1e8259f

SHA256
bd75219ab1edf3a394800d06afc4bcd41e5bc346a4ae394f4a7ad3d22cddbbf2

SHA512
f7b74cccdad63107e5ed11c7645888f23011fc3eb4f70db7888123306d7bc8a737db63ac26eb5a865424ae186bf5f402ab5fe849f648ef5ab9281df3a8092635

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259559638.txt

Filesize
1KB

MD5
7846e62d94f938c36e51aa20b2db3b69

SHA1
4c09c8dc99fa5627683d36069616ce4d13c90dd6

SHA256
c6daa77c5ddd18e62d9bbcbbbd0c3aad6da8f8cad94e56708c16b1e84836cfdd

SHA512
c28977118bf0b55c5415e3730018d0cdb616d44a443fe1173e415c5431ddd78ae02c251dc640ad4cc92ac9e204c448cf435bde3fb49bccb24550a38df57d3a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259572102.txt

Filesize
1KB

MD5
26f9e21cd4582237409cea73a789df58

SHA1
b74aded7071a941cb0c0c0aed3438e200571ef41

SHA256
cfbcb2a0dc4d672661c380412b5a99a7ebafc6eebe0945dea7bf0f6537f24d92

SHA512
95b8071d71062e63991544c016aec0c58c60076a555355bba272c6c6873d2ac6892be5e97261e6c921a1c4f994daccabf7a800b7e8274de3031c64cb4fd2a8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259584802.txt

Filesize
1KB

MD5
b6d13aba7ff86a2a14218672c1d32d5d

SHA1
a19bbef92dea1be641444202b67fb19d3b51bf8f

SHA256
9b8724d98149ed9dc4305295b93f509261dd0aca8212179ba82e2bec82e44e14

SHA512
af1fa14e86ae032e5decab6fdae83efd437d383dd347446327f0c58d731fff84bc8fa875b99c0270fb96279bca96bb448babe8e7de3ba6fc5907f3830de00220

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
16ff58a8b18e7be6ae324879caca167e

SHA1
00abcc31597da50f48a557431d60fc460a4b77fa

SHA256
4960efac80336dfd5425fbcbc11d4ca6f29d6c65cf3530956770ae88897d3404

SHA512
9d30f019cf7531e97e816e3b3ff6d83c9a7cc4b0c042253637bb68376f088691596ef960d7f52e19732fbf77873a695247fcf97a4c577233120a91c382b87acd

Download Submit
C:\Users\Admin\AppData\Roaming\pxoPoGtbRQrOzlN.vbs

Filesize
2KB

MD5
1edd37d76538b8617079b6a8c91d9830

SHA1
d2605bfb3a9fb3a70890c03d72be3ea2922ee704

SHA256
818e502dd2926a30589310af5213f123578b97498713d890be93500eeef43979

SHA512
5547cba012fdf060964fb1149ee93ff34c462ba210b810db4e383a9e5916732ca6e95caaa578b052053d45f885b6ccb0b0623da6ee45863105368a3fa1344098

Download Submit
memory/2144-18-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2144-19-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2452-9-0x0000000002BD0000-0x0000000002BDA000-memory.dmp

Filesize
40KB

Download
memory/2452-8-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/2452-7-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2452-6-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download