af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7

Analysis

max time kernel
145s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REF DOCUMENTS.js
Size

30KB
MD5

86185d6d160eabe88692b9dbf3ff3e71
SHA1

66cf746399849a72487a7ce9f8dd652d982a72bd
SHA256

af448bd9c6a6315bfa00b0301e57545cffe8ed75d30fbd18fdbd4cec606283b7
SHA512

15da27ecca298442aded5ad4a5a45522880013e7f9906d386167b27ad9439d08ecafdfd6c3de638bc3719d46d89f45116cf560772db11d3aae420cfbf059bd3e
SSDEEP

768:OVWm9aFqK2YmaQ4Vg4vf4bQuvAsBvPquk6Q:Omkk6Q

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2196	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2604	powershell.exe
2604	powershell.exe
2992	powershell.exe
2992	powershell.exe
2120	powershell.exe
2120	powershell.exe
1780	powershell.exe
1780	powershell.exe
944	powershell.exe
944	powershell.exe
812	powershell.exe
812	powershell.exe
2160	powershell.exe
2160	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2196	2260	wscript.exe	30
PID 2260 wrote to memory of 2196	2260	wscript.exe	30
PID 2260 wrote to memory of 2196	2260	wscript.exe	30
PID 1568 wrote to memory of 2720	1568	taskeng.exe	33
PID 1568 wrote to memory of 2720	1568	taskeng.exe	33
PID 1568 wrote to memory of 2720	1568	taskeng.exe	33
PID 2720 wrote to memory of 2604	2720	WScript.exe	35
PID 2720 wrote to memory of 2604	2720	WScript.exe	35
PID 2720 wrote to memory of 2604	2720	WScript.exe	35
PID 2604 wrote to memory of 2504	2604	powershell.exe	37
PID 2604 wrote to memory of 2504	2604	powershell.exe	37
PID 2604 wrote to memory of 2504	2604	powershell.exe	37
PID 2720 wrote to memory of 2992	2720	WScript.exe	38
PID 2720 wrote to memory of 2992	2720	WScript.exe	38
PID 2720 wrote to memory of 2992	2720	WScript.exe	38
PID 2992 wrote to memory of 1260	2992	powershell.exe	40
PID 2992 wrote to memory of 1260	2992	powershell.exe	40
PID 2992 wrote to memory of 1260	2992	powershell.exe	40
PID 2720 wrote to memory of 2120	2720	WScript.exe	41
PID 2720 wrote to memory of 2120	2720	WScript.exe	41
PID 2720 wrote to memory of 2120	2720	WScript.exe	41
PID 2120 wrote to memory of 1840	2120	powershell.exe	43
PID 2120 wrote to memory of 1840	2120	powershell.exe	43
PID 2120 wrote to memory of 1840	2120	powershell.exe	43
PID 2720 wrote to memory of 1780	2720	WScript.exe	44
PID 2720 wrote to memory of 1780	2720	WScript.exe	44
PID 2720 wrote to memory of 1780	2720	WScript.exe	44
PID 1780 wrote to memory of 1872	1780	powershell.exe	46
PID 1780 wrote to memory of 1872	1780	powershell.exe	46
PID 1780 wrote to memory of 1872	1780	powershell.exe	46
PID 2720 wrote to memory of 944	2720	WScript.exe	47
PID 2720 wrote to memory of 944	2720	WScript.exe	47
PID 2720 wrote to memory of 944	2720	WScript.exe	47
PID 944 wrote to memory of 316	944	powershell.exe	49
PID 944 wrote to memory of 316	944	powershell.exe	49
PID 944 wrote to memory of 316	944	powershell.exe	49
PID 2720 wrote to memory of 812	2720	WScript.exe	50
PID 2720 wrote to memory of 812	2720	WScript.exe	50
PID 2720 wrote to memory of 812	2720	WScript.exe	50
PID 812 wrote to memory of 2276	812	powershell.exe	52
PID 812 wrote to memory of 2276	812	powershell.exe	52
PID 812 wrote to memory of 2276	812	powershell.exe	52
PID 2720 wrote to memory of 2160	2720	WScript.exe	53
PID 2720 wrote to memory of 2160	2720	WScript.exe	53
PID 2720 wrote to memory of 2160	2720	WScript.exe	53
PID 2160 wrote to memory of 2832	2160	powershell.exe	55
PID 2160 wrote to memory of 2832	2160	powershell.exe	55
PID 2160 wrote to memory of 2832	2160	powershell.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\REF DOCUMENTS.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\restored.vbe"
  2⤵
  - Blocklisted process makes network request
  PID:2196

C:\Windows\system32\taskeng.exe
taskeng.exe {6AABAF2D-9C6A-4E75-9AE0-8D1A9ED24F18} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\lwRdEznrBuqLMiX.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2604" "1248"
      4⤵
      PID:2504
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2992" "1248"
      4⤵
      PID:1260
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2120" "1248"
      4⤵
      PID:1840
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1780" "1236"
      4⤵
      PID:1872
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "944" "1236"
      4⤵
      PID:316
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "812" "1244"
      4⤵
      PID:2276
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2160" "1252"
      4⤵
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\restored.vbe

Filesize
14KB

MD5
a51620220423d15df9de991aa0b10742

SHA1
5c571d6a3e025ee9ab6eff03c7064ecc37fff450

SHA256
ff2ab43a5ebbea267159e3cfce4ecdf829d050d92ffdcb34097afc12699d6501

SHA512
1d392a7f9ca92a42819b891a01fdcd4d19b3f93ddc025efa20d421b65bcfaf8452d01f0f25994befd35ec61b9e4c27ddadb8c7b07866dcc7cbcfc1ee766df5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259497167.txt

Filesize
1KB

MD5
863b231ab458e9beb68e769f41b5d45d

SHA1
224d938231be8ea5372be39f99790a8c39728a09

SHA256
cd8bf66623ef5cf6f8df7f21f645cc1dbf1215cb7b38e8ee361bb97c08553fe9

SHA512
997dedbeb0808e96fbdb2896717216e93b46a56b18d35ff1b70dadc54ad519b3c825691cc9f6d6369c0545f243ef971d552122f1753d6683e48f4f5408b2caa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259513190.txt

Filesize
1KB

MD5
25dc67a542b5ff14ba0f83c7a047754e

SHA1
5cc0252013512e3c6b7637984fd91d0888443d8a

SHA256
3720eaa4b8904be9f9528394b43202f1bd8135b0802a9c35bfd52b91cb60e188

SHA512
6d7100026088804e5fffddb3487594d5349372c65659d05bc54102d197f89d7b491ce092cdc618263b8d7aed2e76ae60b54b6da7d53aff3db2dfc693a5bc08c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259523514.txt

Filesize
1KB

MD5
18d319aee5e21f8ba5ee87df2069101d

SHA1
73843ff459e82c067b7e66485acfbd95ebc0febe

SHA256
6edd14868b0a989de13084cd2b41595e535d351ddc9b13edcb19fda331630021

SHA512
7097e073b1a697545e861836cc6ab47c9d663c02883768433a6f5322f6d4150d6ee356f0619e0b2d5396ba9be30ab2a07ebd1acd5848b610261ae06bc1832ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259539136.txt

Filesize
1KB

MD5
b960c4c73bd8f53c9e4d11aaab092075

SHA1
260b4041f84f7da43d012dc3e5d0a0af84a09f7e

SHA256
c2dced3d68e920271c5ec79499d458e86c2d69bde054417c05a92a278223dd31

SHA512
9f761d1bcde8ca0a37bb008d2f1707a3cc476dde42a8b0b77d8431b112221a069329401ba7f31f23f556ca1e82f484226df53e239a20303dd723c1b3604533dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259555903.txt

Filesize
1KB

MD5
6a6df10fdcda4f0eda36775dd125f639

SHA1
d2dce8bc71d9973c8441b6a174eb86ca5fde481a

SHA256
e4179512bd85d704ea29eeaaec7ece87d17f8883f01f73b8b4aaab258efa21a0

SHA512
e82962186dceb2025480fe7654a7b76a00a13938a8896a7dbcfd13e7dc857f78ff84dd2ea42515ca94fb4a619341bdad22752d18d510bc24691e8937268c02a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259571455.txt

Filesize
1KB

MD5
83e35a4806629600c42e1d6989ecf1fb

SHA1
0cfd3898a3cea1f44b9b515679690302137a442d

SHA256
4e556b83109d0e4e5a861e7299067624bc72c2f5267bb9d9afaf0bd754a60ed2

SHA512
0b65269c21f37812e054a0456d0034e0f1896523999950effc08249640e6b75052f82eb4a03ae8e43db775fcd0a88942c38aa5f337e5eb047bef16fc547173a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259584002.txt

Filesize
1KB

MD5
1279726f40b27d20b2707b0f9858d1f3

SHA1
9eaf2c5dde902cd2c720e6ce7b4aa059c2a6062f

SHA256
a0212a796af43946ba259f9401bbbe36da21b6b71e4fc67def2a3fe8b78f177a

SHA512
177628931f16869e77c9465c07d8309d1f32135b3103ed737cd1819efcbffeffaa856f7a8e1f1016c69ffa7f6a71aee898e2c00a98fc4cd2d0691066a92ddcaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a72cfe58fe6e4b79c75acb48a534f5e1

SHA1
f9b592885d17e4b80ed3387da6fc4caec40a3bd6

SHA256
9f0f39f37e7b89aea3fc2d96bbd06dd50df98308d63f8191d5ddc2b0cdc27f83

SHA512
5e50ee3ccbe8c39907551fdf764fdea7cab29f6c062a3544dc330ca9db9ea2ba0b264c6a2dc1eec27c5e9cb0144e5d27209c0f58360708d1c922d744b0c730ba

Download Submit
C:\Users\Admin\AppData\Roaming\lwRdEznrBuqLMiX.vbs

Filesize
2KB

MD5
2f1ec696b66433614ccd5ab314649206

SHA1
dace4eeba067b5446d5b149d7b0c3cfd7abb0359

SHA256
3d64a72c07ea79fbeaefc7ec6e12b755d9ce55815e60cb872ca8d94a47e977e7

SHA512
fe3b70a5e31b77221fa0ab6501909a07260c912735d93991c4812c5b70806b78ac689a6628b4b045b83db6870dcab1a6e0cdb57dc5bf514c9e2a3608873d9ff7

Download Submit
memory/2604-11-0x0000000002A90000-0x0000000002A9A000-memory.dmp

Filesize
40KB

Download
memory/2604-10-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2604-9-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2992-20-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2992-19-0x000000001B930000-0x000000001BC12000-memory.dmp

Filesize
2.9MB

Download