ca33bd5e2218c80c2d4f17bfc53f3b187541f519e459e01e1d013862c7dcd4bb

Analysis

max time kernel
142s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PackingListU0190219xlsx.vbe
Size

14KB
MD5

48d02287f3c633ccf96c6f01acd5ca9f
SHA1

2ad6405243f648937727731608d638c495b2fe46
SHA256

e575a3ecc136ad114643bbd7beb2ffc3d5550fa66955bd2c8f4ef4394e11dc87
SHA512

4835bb0f03bfb204e3aba46957af08f02889f7b43c60017151eafc479ba47e6ab50f6caec9cbb07cce4a6a600e6f7c576068d300e65bf762d7cf3cc59673d3c7
SSDEEP

384:GA79Z5lXWUBFplgtfcQ///y+KAhxF2asn:Go5lXH9atx//N/TIn

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2484	WScript.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2852	powershell.exe
2852	powershell.exe
1716	powershell.exe
1716	powershell.exe
1696	powershell.exe
1696	powershell.exe
2624	powershell.exe
2624	powershell.exe
1088	powershell.exe
1088	powershell.exe
1588	powershell.exe
1588	powershell.exe
1752	powershell.exe
1752	powershell.exe
2276	powershell.exe
2276	powershell.exe
2708	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2744	2640	taskeng.exe	32
PID 2640 wrote to memory of 2744	2640	taskeng.exe	32
PID 2640 wrote to memory of 2744	2640	taskeng.exe	32
PID 2744 wrote to memory of 2852	2744	WScript.exe	34
PID 2744 wrote to memory of 2852	2744	WScript.exe	34
PID 2744 wrote to memory of 2852	2744	WScript.exe	34
PID 2852 wrote to memory of 2656	2852	powershell.exe	36
PID 2852 wrote to memory of 2656	2852	powershell.exe	36
PID 2852 wrote to memory of 2656	2852	powershell.exe	36
PID 2744 wrote to memory of 1716	2744	WScript.exe	37
PID 2744 wrote to memory of 1716	2744	WScript.exe	37
PID 2744 wrote to memory of 1716	2744	WScript.exe	37
PID 1716 wrote to memory of 2012	1716	powershell.exe	39
PID 1716 wrote to memory of 2012	1716	powershell.exe	39
PID 1716 wrote to memory of 2012	1716	powershell.exe	39
PID 2744 wrote to memory of 1696	2744	WScript.exe	40
PID 2744 wrote to memory of 1696	2744	WScript.exe	40
PID 2744 wrote to memory of 1696	2744	WScript.exe	40
PID 1696 wrote to memory of 2840	1696	powershell.exe	42
PID 1696 wrote to memory of 2840	1696	powershell.exe	42
PID 1696 wrote to memory of 2840	1696	powershell.exe	42
PID 2744 wrote to memory of 2624	2744	WScript.exe	43
PID 2744 wrote to memory of 2624	2744	WScript.exe	43
PID 2744 wrote to memory of 2624	2744	WScript.exe	43
PID 2624 wrote to memory of 1152	2624	powershell.exe	45
PID 2624 wrote to memory of 1152	2624	powershell.exe	45
PID 2624 wrote to memory of 1152	2624	powershell.exe	45
PID 2744 wrote to memory of 1088	2744	WScript.exe	46
PID 2744 wrote to memory of 1088	2744	WScript.exe	46
PID 2744 wrote to memory of 1088	2744	WScript.exe	46
PID 1088 wrote to memory of 1016	1088	powershell.exe	48
PID 1088 wrote to memory of 1016	1088	powershell.exe	48
PID 1088 wrote to memory of 1016	1088	powershell.exe	48
PID 2744 wrote to memory of 1588	2744	WScript.exe	50
PID 2744 wrote to memory of 1588	2744	WScript.exe	50
PID 2744 wrote to memory of 1588	2744	WScript.exe	50
PID 1588 wrote to memory of 688	1588	powershell.exe	52
PID 1588 wrote to memory of 688	1588	powershell.exe	52
PID 1588 wrote to memory of 688	1588	powershell.exe	52
PID 2744 wrote to memory of 1752	2744	WScript.exe	53
PID 2744 wrote to memory of 1752	2744	WScript.exe	53
PID 2744 wrote to memory of 1752	2744	WScript.exe	53
PID 1752 wrote to memory of 1608	1752	powershell.exe	55
PID 1752 wrote to memory of 1608	1752	powershell.exe	55
PID 1752 wrote to memory of 1608	1752	powershell.exe	55
PID 2744 wrote to memory of 2276	2744	WScript.exe	56
PID 2744 wrote to memory of 2276	2744	WScript.exe	56
PID 2744 wrote to memory of 2276	2744	WScript.exe	56
PID 2276 wrote to memory of 2476	2276	powershell.exe	58
PID 2276 wrote to memory of 2476	2276	powershell.exe	58
PID 2276 wrote to memory of 2476	2276	powershell.exe	58
PID 2744 wrote to memory of 2708	2744	WScript.exe	59
PID 2744 wrote to memory of 2708	2744	WScript.exe	59
PID 2744 wrote to memory of 2708	2744	WScript.exe	59
PID 2708 wrote to memory of 1508	2708	powershell.exe	61
PID 2708 wrote to memory of 1508	2708	powershell.exe	61
PID 2708 wrote to memory of 1508	2708	powershell.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PackingListU0190219xlsx.vbe"
1⤵
- Blocklisted process makes network request
PID:2484

C:\Windows\system32\taskeng.exe
taskeng.exe {00916F30-4179-494C-8736-BAA3B7D35D39} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\WEOhONLdSgJdcTV.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2852" "1236"
      4⤵
      PID:2656
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1716" "1244"
      4⤵
      PID:2012
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1696" "1248"
      4⤵
      PID:2840
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2624" "1232"
      4⤵
      PID:1152
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1088
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1088" "1240"
      4⤵
      PID:1016
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1588" "1240"
      4⤵
      PID:688
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1752" "1236"
      4⤵
      PID:1608
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2276" "1236"
      4⤵
      PID:2476
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2708" "1236"
      4⤵
      PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259469786.txt

Filesize
1KB

MD5
345a57eb616712a689dbf095ef929052

SHA1
dc5947dc6bc1d8abaa276cd98567df958477aa61

SHA256
958b02137e886f5b6aded54c05af27e0dadbee563c3eeff4e0a0e6469769bb4e

SHA512
d1491246fec6b0114d2be61931d8a487a89c045aa02dde2625462d6373f90d31b2382d9cf082db5839a6b1bc3107ddd09968b6c7d024dbffdcc517965e1b01a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259486294.txt

Filesize
1KB

MD5
ec90f3012f6b77b388e835dae8cb1ccb

SHA1
0285f66d041d8f03edc3cfac72985294fe3acfeb

SHA256
fab03fc2cee3d22e8223d0d42e27339c45de9b36d1bbd1cd8fca80ad294fbc32

SHA512
ea68e84a78b84b26a1d797af5918d7efbca6f10319516ee70c26295a10daf1e8223ceb82f543629eb30789da4d224453668430f089ca5b348aef0b956bdd003d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259503757.txt

Filesize
1KB

MD5
d0b8797f5c70a296f9bd04d03f37ac01

SHA1
46d2f8fd412d19e7e150c4f0ffb9830932e24186

SHA256
dd085b951779a29a438e9a33b83fa1dc58e38a3ad3a09b07e8d69caf0ceaed1f

SHA512
9b730ea137fdd532ca8f5f7efaf2afbc453834d4d27773fa1cad8672bd3aa0edfd4a9da4ace8173143b98256b4f97a94dd98fd4eb74fb1514807b27d843f571b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514524.txt

Filesize
1KB

MD5
f70524ca76c8fed8ef19c4a660735aa3

SHA1
5b0f14062e176be2bb7854294f1ab916aa74c8e6

SHA256
91534bea93dbc0eeeb7781a20baa812dea9f2353d155e8f2d073b72ed08bf17a

SHA512
869ac77ab5d0f59e222246b5b94f4379f3f37a7e2c4e5ac9827901fe4cd976e20c134c05a38aa9b7e878c887b02bc7ab3be1dcf7997ccac74c1ecb0e5d405c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259531176.txt

Filesize
1KB

MD5
af4b237a6aa5640e28bb8143f44f22d2

SHA1
38c0ee540f087c232c3834e10e601128b191c752

SHA256
2a70b1585588b52b7fec7fb773ce1b07fe3d0e4c48e8959a9e5ee00c31aaa35c

SHA512
2d951c4949fc14701c3fe7080edebb9c767a269b3d4c80a04e37235afcf623f15de0d1710717b7909b9687d918cfb486dd9a3d55d9ee2ed61846625fe4bf33a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259548865.txt

Filesize
1KB

MD5
eb461057532a026b1ffe0207c697655d

SHA1
86e90e2550a428496994d2077949148d333b5d8e

SHA256
1b9ef2dde61d5363b29e0d07342ba632b047159a185e8aca01fe5eb9660b386e

SHA512
242acf6959c5e8fe11ee04ed5fd071380fe7f935547b8eb44d1713cafde6cdd471f8b94aa22557f49776d8463287f3a8bc939f52fff11375e3d1ba920fb64c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259562893.txt

Filesize
1KB

MD5
039659b2cafe1402e834affca5826da7

SHA1
757849f56516cefa0f1a9a25e608218ef72bfcfe

SHA256
8b47e7f56fc5321c27582bf5bcc2fc97ced780e0c3da0e9c0a5a0171982adb29

SHA512
db2e7bb7820dc14891106d7194368a7f7977a31fd3a9a383a042d45fdf81bad426140dad3641c46d89718931f1a1d4d82180969a90ea4a3c27a4ccabee23ae73

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259579244.txt

Filesize
1KB

MD5
0d64df7e06a490036906d1b3c595f3e5

SHA1
6e45faebe47a6be58e52cdef0fa1712724a0dd85

SHA256
9b12646cf17f53dfc5bd8414a722bf3cac97f9dc77691475bd4151456260cbf5

SHA512
67e12de169801302464d0b39fb77a021443f7b569bf9dc580ba75b216293170c516ce72b42963a37f6c4ae4e4c9fac37556b1087f49de291ef399abc5f10a2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259595960.txt

Filesize
1KB

MD5
f00852dd6a50b84eb9f5b1c83ce58dbb

SHA1
d684a0c335220fc488e6f4fdd51f057196c94757

SHA256
81ecff5d7c118f7707e6b14f3e9afd626c5dabe8983c8f4c5e6a8f02b292246d

SHA512
86e1fdaf1d045f65ecb080d9fd3d5a638ceff734ed569b80bcfa00d8336b1fde12be43b133a56ba69a7e8f2178369132a39eda41ec0e8ef55bd1466d7eb77db2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P196BEK1FBN2O5S1GPM4.temp

Filesize
7KB

MD5
e3760d566a626bfadec3433ff01f8ce1

SHA1
37d932984d134cc714deeb574835687e02388937

SHA256
07ee5db5a0a461786a68e1127bc20d2b3f8595089d84c46c9f3c51d7cf00c1a1

SHA512
ffdcbd6b7997d1eb69665b861cecced832337772f5ba292f914f5d2546d04ac58b2133fb2a0d3f042259de33999ea430b0f2bf8144eda60347cddc9fa23d9487

Download Submit
C:\Users\Admin\AppData\Roaming\WEOhONLdSgJdcTV.vbs

Filesize
2KB

MD5
39420007c03867df6c39fa89fd18df5c

SHA1
8e420eae009ec34c32eaa735b3785764a6f086ec

SHA256
f763a491d2417dd31f947cdc5fd92a18b8f3af533280b35da9e7ea38473ea4db

SHA512
be0de00a1f29e84e0c59870376be0c2664e0c2d22fe80cf7cf5a865f206341387de798e245e5fa4de4b7ebe1cd4517e89028de949b41208aaa49979f3ddf4a2a

Download Submit
memory/1716-17-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1716-16-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2852-7-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2852-6-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2852-8-0x0000000002D00000-0x0000000002D0A000-memory.dmp

Filesize
40KB

Download