eddebeaf37033efffcbecd52bcf529a006fc0cebbe3f347a83cec7854e7df4d0

Analysis

max time kernel
137s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref Cheque 705059.vbe
Size

10KB
MD5

90d3ad68895627841ba7ac18079fc0b1
SHA1

a00920b635b500f67983ab4bed25a38df9bd5549
SHA256

ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369
SHA512

8e3d459a1d11cadfc336c364918c97ecf0004418afb890bd3b36e9139d30bfe956266f2e87e29e2e5df46b01e94c1bc64b9964b3a556ad64f6a5b2a8afb493b6
SSDEEP

192:xXNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5FYleLMl/1uw5YOAxJhHFK:xNElLAAKjBLf1UWobElwMl/mHHs

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2512	WScript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2740	powershell.exe
2740	powershell.exe
576	powershell.exe
576	powershell.exe
2132	powershell.exe
2132	powershell.exe
2248	powershell.exe
2248	powershell.exe
1660	powershell.exe
1660	powershell.exe
2588	powershell.exe
2588	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2976	2464	taskeng.exe	32
PID 2464 wrote to memory of 2976	2464	taskeng.exe	32
PID 2464 wrote to memory of 2976	2464	taskeng.exe	32
PID 2976 wrote to memory of 2740	2976	WScript.exe	34
PID 2976 wrote to memory of 2740	2976	WScript.exe	34
PID 2976 wrote to memory of 2740	2976	WScript.exe	34
PID 2740 wrote to memory of 1464	2740	powershell.exe	36
PID 2740 wrote to memory of 1464	2740	powershell.exe	36
PID 2740 wrote to memory of 1464	2740	powershell.exe	36
PID 2976 wrote to memory of 576	2976	WScript.exe	37
PID 2976 wrote to memory of 576	2976	WScript.exe	37
PID 2976 wrote to memory of 576	2976	WScript.exe	37
PID 576 wrote to memory of 3016	576	powershell.exe	39
PID 576 wrote to memory of 3016	576	powershell.exe	39
PID 576 wrote to memory of 3016	576	powershell.exe	39
PID 2976 wrote to memory of 2132	2976	WScript.exe	40
PID 2976 wrote to memory of 2132	2976	WScript.exe	40
PID 2976 wrote to memory of 2132	2976	WScript.exe	40
PID 2132 wrote to memory of 1888	2132	powershell.exe	42
PID 2132 wrote to memory of 1888	2132	powershell.exe	42
PID 2132 wrote to memory of 1888	2132	powershell.exe	42
PID 2976 wrote to memory of 2248	2976	WScript.exe	43
PID 2976 wrote to memory of 2248	2976	WScript.exe	43
PID 2976 wrote to memory of 2248	2976	WScript.exe	43
PID 2248 wrote to memory of 1604	2248	powershell.exe	45
PID 2248 wrote to memory of 1604	2248	powershell.exe	45
PID 2248 wrote to memory of 1604	2248	powershell.exe	45
PID 2976 wrote to memory of 1660	2976	WScript.exe	46
PID 2976 wrote to memory of 1660	2976	WScript.exe	46
PID 2976 wrote to memory of 1660	2976	WScript.exe	46
PID 1660 wrote to memory of 1468	1660	powershell.exe	48
PID 1660 wrote to memory of 1468	1660	powershell.exe	48
PID 1660 wrote to memory of 1468	1660	powershell.exe	48
PID 2976 wrote to memory of 2588	2976	WScript.exe	49
PID 2976 wrote to memory of 2588	2976	WScript.exe	49
PID 2976 wrote to memory of 2588	2976	WScript.exe	49
PID 2588 wrote to memory of 880	2588	powershell.exe	51
PID 2588 wrote to memory of 880	2588	powershell.exe	51
PID 2588 wrote to memory of 880	2588	powershell.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref Cheque 705059.vbe"
1⤵
- Blocklisted process makes network request
PID:2512

C:\Windows\system32\taskeng.exe
taskeng.exe {CDDD9572-3444-414A-8CB0-E289D57F6E14} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\FRMEMFMdrhTBazq.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2740" "1236"
      4⤵
      PID:1464
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "576" "1244"
      4⤵
      PID:3016
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2132" "1240"
      4⤵
      PID:1888
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2248" "1252"
      4⤵
      PID:1604
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1660" "1240"
      4⤵
      PID:1468
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2588" "1248"
      4⤵
      PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259498316.txt

Filesize
1KB

MD5
1865279bcbd39ba7a1161b7e2ad84586

SHA1
97020162bdb6cba9473cbbda62bf0b85b71b332f

SHA256
b8bf2cab773507f2f2d8e8e22d7bcd175fbede3a98051960201d5ac3716fc386

SHA512
6929192439632b3d9ee3ddfd2e52a862f84cce10e9db1f2cc6a2c6a4083f96220ac1b61c8fa8d3cb7a4a2c73fccc5592d20aba5971384154d7eebc4600f337d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259516332.txt

Filesize
1KB

MD5
227faf20030ec0bffa6898576d6e6948

SHA1
6d7793b466e03c08305a537679ce4c8d0688c27e

SHA256
df59222de40f882920dea5a47036822c9825a873f53193fa09776e164d0b7f71

SHA512
9e1cb55be85a607bb9d8e2df9ac3000c2382c7251de5f57bbd0c25d2499eb8d4e1b292cd25e7deb86f952e9610895b91fe5dd0140fe825d1eb9913de8a656c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259533038.txt

Filesize
1KB

MD5
18c07e28d5b9f54a4838125a53cadfad

SHA1
f2d58c793c0db56860603a7f3953793ee7f4c041

SHA256
ccaf020e3cc50af50fb8393e9fb04e89a3a5777f8ed2f08770dd5eb19f4b5265

SHA512
f370e709bc830a4c633c7d34bbe20bd6af64171919b0bcd28b23fb1203d42b541842967f9a4cd2260be4835c1264f834091ba8e5c86a9bfb90ec6ece92ac55e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259544035.txt

Filesize
1KB

MD5
f5e5abf1c706d3d605112ac25eba8467

SHA1
ea177db84db07ef4fb14f7fb303bb4ce91930b91

SHA256
05d612613fbdb2fe67cf289ad80d52952ebacf26129df61449f3abed79ada6a7

SHA512
976901e091b0bdc731e9fd346dfbb268599c14ca8e60eb9b9c86e360479df3da83fe29849e405232b1d5ebbb03a0440e488778c7c6ee73bdb514e0980ecd6741

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259559583.txt

Filesize
1KB

MD5
e322c66cf5fd118289a6b0aaf48e9404

SHA1
98160b689b7766f78cbb28556d23cc1a02f858ff

SHA256
668ed76c1c331f29b03568c98204e92012585990e4e9eece90c9ff44da26bf99

SHA512
d17f88a72baae828763d7a2e371341d929ec95bf6dd85ca31240cf7e80697bb2d82748017671235f8cffaff489ac3abeec324cc0ad4dc53ffdb269439726bc9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259577968.txt

Filesize
1KB

MD5
4829e2e91759a290358a635ff89e7d2f

SHA1
7df78732583bcb0e2c0e60546302ea2a8fc231e0

SHA256
d831072d523c75eaab1054741f810b8cc896347c8c260e6e656400909f8dd03e

SHA512
18d0eca9e61020849f7031d04d06fe1a1ad9eef6e438aa957de05b657f3f202ddde59e306636755a8bce0880f470742d3e7f2349d0c7a7fb555b2cbc6693e02b

Download Submit
C:\Users\Admin\AppData\Roaming\FRMEMFMdrhTBazq.vbs

Filesize
2KB

MD5
e26532ee5fd577e459897da6e2d1fd35

SHA1
fd22513992dd197796bdd70a15d0e91fedcc230c

SHA256
e5441fd6bf5a366d4144553a3caf44ed09d6fb7cb085de728579c556def1e329

SHA512
c44fe8cd1c9d0f3727d15a08cb288fec1593deecc2bee5bde9a00c7f8d241f014c0a539ae6c1c0c05e2243d81046855f62a19633f6b17d238303e475271055b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
44808f40aa16c48c341f16d8a71d324b

SHA1
ae796e4870e46fd7ff41a5f039e4e4c7470de543

SHA256
9cfa06123f651383d8bdb580dd59df7bfe320a46a7c021a49012a83c8c5e1bb9

SHA512
aa7c71df32a117789163a52de4565b745539fac22620f93e14a89f53310acfe62f3f8f4bac9afabae7cfe89d7053f2a74097dad0c6f5f9656061728047b3e530

Download Submit
memory/576-16-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/576-17-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2740-8-0x0000000002B60000-0x0000000002B6A000-memory.dmp

Filesize
40KB

Download
memory/2740-7-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2740-6-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download