6fe77172dbce4d78e999a1bc82050831700ec79f845ea72d75c9553fc59018c0

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fe77172dbce4d78e999a1bc82050831700ec79f845ea72d75c9553fc59018c0.vbe
Size

11KB
MD5

0c5d6577dcfd6c4c66ede19648596367
SHA1

7249beb634652ce5d28e2cde8dcf5f2b70e8efa7
SHA256

6fe77172dbce4d78e999a1bc82050831700ec79f845ea72d75c9553fc59018c0
SHA512

4ada397cee7c2cdd6da919036877de9fd682ac88cf848cb708e9b043866bf0b1ef7bc5b82cda836a7fb015e8891efb55f922d60f3ad89fcf245464a007ee0125
SSDEEP

192:d81IYjLXBasxp+Srh/vA0XsBDBvbpXfprmufjqd/jznUc7gOVdvsvzeNlek5MCW3:+1IYjLXHxp19/5WFvbBprmuLqdLzxJVE

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2480	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2560	powershell.exe
2560	powershell.exe
2044	powershell.exe
2044	powershell.exe
2128	powershell.exe
2128	powershell.exe
2936	powershell.exe
2936	powershell.exe
888	powershell.exe
888	powershell.exe
2232	powershell.exe
2232	powershell.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2580	2212	taskeng.exe	32
PID 2212 wrote to memory of 2580	2212	taskeng.exe	32
PID 2212 wrote to memory of 2580	2212	taskeng.exe	32
PID 2580 wrote to memory of 2560	2580	WScript.exe	34
PID 2580 wrote to memory of 2560	2580	WScript.exe	34
PID 2580 wrote to memory of 2560	2580	WScript.exe	34
PID 2560 wrote to memory of 1732	2560	powershell.exe	36
PID 2560 wrote to memory of 1732	2560	powershell.exe	36
PID 2560 wrote to memory of 1732	2560	powershell.exe	36
PID 2580 wrote to memory of 2044	2580	WScript.exe	37
PID 2580 wrote to memory of 2044	2580	WScript.exe	37
PID 2580 wrote to memory of 2044	2580	WScript.exe	37
PID 2044 wrote to memory of 2360	2044	powershell.exe	39
PID 2044 wrote to memory of 2360	2044	powershell.exe	39
PID 2044 wrote to memory of 2360	2044	powershell.exe	39
PID 2580 wrote to memory of 2128	2580	WScript.exe	40
PID 2580 wrote to memory of 2128	2580	WScript.exe	40
PID 2580 wrote to memory of 2128	2580	WScript.exe	40
PID 2128 wrote to memory of 1788	2128	powershell.exe	42
PID 2128 wrote to memory of 1788	2128	powershell.exe	42
PID 2128 wrote to memory of 1788	2128	powershell.exe	42
PID 2580 wrote to memory of 2936	2580	WScript.exe	43
PID 2580 wrote to memory of 2936	2580	WScript.exe	43
PID 2580 wrote to memory of 2936	2580	WScript.exe	43
PID 2936 wrote to memory of 1444	2936	powershell.exe	45
PID 2936 wrote to memory of 1444	2936	powershell.exe	45
PID 2936 wrote to memory of 1444	2936	powershell.exe	45
PID 2580 wrote to memory of 888	2580	WScript.exe	46
PID 2580 wrote to memory of 888	2580	WScript.exe	46
PID 2580 wrote to memory of 888	2580	WScript.exe	46
PID 888 wrote to memory of 788	888	powershell.exe	48
PID 888 wrote to memory of 788	888	powershell.exe	48
PID 888 wrote to memory of 788	888	powershell.exe	48
PID 2580 wrote to memory of 2232	2580	WScript.exe	49
PID 2580 wrote to memory of 2232	2580	WScript.exe	49
PID 2580 wrote to memory of 2232	2580	WScript.exe	49
PID 2232 wrote to memory of 1756	2232	powershell.exe	51
PID 2232 wrote to memory of 1756	2232	powershell.exe	51
PID 2232 wrote to memory of 1756	2232	powershell.exe	51
PID 2580 wrote to memory of 1696	2580	WScript.exe	52
PID 2580 wrote to memory of 1696	2580	WScript.exe	52
PID 2580 wrote to memory of 1696	2580	WScript.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fe77172dbce4d78e999a1bc82050831700ec79f845ea72d75c9553fc59018c0.vbe"
1⤵
- Blocklisted process makes network request
PID:2480

C:\Windows\system32\taskeng.exe
taskeng.exe {3B64C6F0-C46D-45A0-B7B6-567CD3F70E60} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\XuoHtliEoNbaAEn.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2560" "1156"
      4⤵
      PID:1732
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2044" "1288"
      4⤵
      PID:2360
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2128" "1152"
      4⤵
      PID:1788
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2936" "1280"
      4⤵
      PID:1444
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "888" "1152"
      4⤵
      PID:788
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2232" "1164"
      4⤵
      PID:1756
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259509926.txt

Filesize
1KB

MD5
344a29e1e3dfaac85bccaa0646d6231f

SHA1
004bbfc17d26b60ed1c5fe1bc3ddf31bba27ad45

SHA256
d2aa13e039e9a40c0a9d4492ac0b36da39957083c2860a7ab14afd0c3ac21b18

SHA512
e9b31854e893c28955922d4b1a3f03fcc4c7d4b043f9212b8a054e6482947dc2ec0661f4c8197f0761f85c404fd9ea4446e1e403f14b17403d87f4ec4c97e9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259519147.txt

Filesize
1KB

MD5
637a7cf032bf25535bdebd7c4f9a9c21

SHA1
eac86c035ab3730c366aaa80f33983a073d77e83

SHA256
b9c0cdf5bccec4bc89d30ba0d051fd838f1ad8025f29735d67e58376ec960ef1

SHA512
0e980001ccbed609078d43e607675e39bf3064ec0e1c8caf255f7a371b544451741f563c64dc9922330b9459b0c30cfb2345d9291bad6a77f1c20e4041d1e89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259536598.txt

Filesize
1KB

MD5
9c4189083a56cf152ee58ef2f1c7403e

SHA1
2d8c024334e8bfd4e4726711e9144e0515c0411e

SHA256
126c256ae13298fcbeff1d62417b28509e7bceba1e145639974ce0f0fdfbddca

SHA512
2423cc213bb8cc5b28363f30ed31f7fbc21cd298c167ce6a63568d7c13cde62e4c2dbcb6cac19047e34d73171630cfbea005dda4dc608fd7facc1278b5b1a6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259548239.txt

Filesize
1KB

MD5
3864f2b74b138631bf5e5bdfccf4d8e5

SHA1
c6b8aafa2c3d322e16f1e8ed22d203f9aa8fec93

SHA256
dae36cca82d639ff47fb83695c9011b0e3613cfc18c3df30b75b32f4779cde92

SHA512
3324b4f483729189c46cf8ab6703efad3f4a06ce19cf66ce5be05d89601f3b0c406f64eba3cb5490918a47e762b74b26d2284d7fbfb275a94829b5ea4bc691dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259570479.txt

Filesize
1KB

MD5
8651c55ef8d2b5ab10dfbd3ef11609da

SHA1
19119576de8dc0873b6a702bd5495ce7a9904e40

SHA256
d39237905b8d4bb6d821cc57bdeb432158adcd9c500cb6a3e168f3fdbebc6e7d

SHA512
be824d2ba19c9c4ba14cf52b90d5e0606f6f6da9f092892619e48cc37bc240dd49fd71fabfacaabc33a7091ee55dd4debcb43fcf48883dc4b5ddf9fd0c4154ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259580335.txt

Filesize
1KB

MD5
463fb945baff9d0854ed80db6f2f68e1

SHA1
ee0a3bd843f7b1b73d9fd8d876e8a713db8d37c8

SHA256
77844fd0e46299b07c9b02921040ce7b29fac337b6f9c0ff858bee9906110781

SHA512
7ba2d405d996259fc66e2bfe99de21a2df1c3cca8d1c2c995f5012af5711120043a3d8ec9b435710be805b58152e2b60a7f3bcc18c381432649e489996a2e6d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e66e5ea1f6fce54ab215622e7c32dcfc

SHA1
9df31962c9200ad40e8ea3a173a87a9897175b7c

SHA256
529728b5f239903271917ca2693ce7266d80c4ecfd4354eb956224a8e41b9f57

SHA512
285f3fad661d5c0bdff0018326e0584c7c31ddc94499fefc503dbedf2cbf6038fc3545cd9cd57438a9e4a4d1d0a18294c73f02b06eb0af13593f17940a33cce8

Download Submit
C:\Users\Admin\AppData\Roaming\XuoHtliEoNbaAEn.vbs

Filesize
2KB

MD5
914e940a27b247575b423c08c392b9fd

SHA1
5936877da28f8ea14c366ca92c27956794863b8a

SHA256
a31593070f02a059c9082fab3c10ca6854af279b06ce39c1dae8666a23a16582

SHA512
054fefb33baa0b1e91bdfdb34e91e91335426c6368d5d1dd7977813c84ce31fc69caab2621fdec6bb64fd630bdf755f2a33854799fc5e50c7ad7003db553f65d

Download Submit
memory/2044-17-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2044-18-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2560-9-0x0000000002B50000-0x0000000002B5A000-memory.dmp

Filesize
40KB

Download
memory/2560-8-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download
memory/2560-7-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2560-6-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download