462a96c1ba1050085eeb4e15753a8d9b29fc88b2289c996fb937c4390be3a393

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5.vbe
Size

10KB
MD5

9c14957ca39752cb13dc22d7dd0e53c5
SHA1

7db0b08452db448b7a022fad47e0aaad42452086
SHA256

462a96c1ba1050085eeb4e15753a8d9b29fc88b2289c996fb937c4390be3a393
SHA512

36c66dfc4b48bbed8c04bfda1bb8414fae6af3199b77ce58e80334e9c12fdb7ab8d3134bd4e8c473d0367555860e989f9e77d4973f6e4636f28d5b350f18113e
SSDEEP

192:xVNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5C8YleLMl/1uw5YOAxJSHtK:DNElLAAKjBLf1UWobMrlwMl/mAHU

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2036	WScript.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2740	powershell.exe
2740	powershell.exe
2976	powershell.exe
2976	powershell.exe
308	powershell.exe
308	powershell.exe
2112	powershell.exe
2112	powershell.exe
1940	powershell.exe
1940	powershell.exe
692	powershell.exe
692	powershell.exe
1844	powershell.exe
1844	powershell.exe
2144	powershell.exe
2144	powershell.exe
1992	powershell.exe
1992	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2676	2896	taskeng.exe	32
PID 2896 wrote to memory of 2676	2896	taskeng.exe	32
PID 2896 wrote to memory of 2676	2896	taskeng.exe	32
PID 2676 wrote to memory of 2740	2676	WScript.exe	34
PID 2676 wrote to memory of 2740	2676	WScript.exe	34
PID 2676 wrote to memory of 2740	2676	WScript.exe	34
PID 2740 wrote to memory of 2100	2740	powershell.exe	36
PID 2740 wrote to memory of 2100	2740	powershell.exe	36
PID 2740 wrote to memory of 2100	2740	powershell.exe	36
PID 2676 wrote to memory of 2976	2676	WScript.exe	37
PID 2676 wrote to memory of 2976	2676	WScript.exe	37
PID 2676 wrote to memory of 2976	2676	WScript.exe	37
PID 2976 wrote to memory of 1316	2976	powershell.exe	39
PID 2976 wrote to memory of 1316	2976	powershell.exe	39
PID 2976 wrote to memory of 1316	2976	powershell.exe	39
PID 2676 wrote to memory of 308	2676	WScript.exe	40
PID 2676 wrote to memory of 308	2676	WScript.exe	40
PID 2676 wrote to memory of 308	2676	WScript.exe	40
PID 308 wrote to memory of 832	308	powershell.exe	42
PID 308 wrote to memory of 832	308	powershell.exe	42
PID 308 wrote to memory of 832	308	powershell.exe	42
PID 2676 wrote to memory of 2112	2676	WScript.exe	43
PID 2676 wrote to memory of 2112	2676	WScript.exe	43
PID 2676 wrote to memory of 2112	2676	WScript.exe	43
PID 2112 wrote to memory of 2748	2112	powershell.exe	45
PID 2112 wrote to memory of 2748	2112	powershell.exe	45
PID 2112 wrote to memory of 2748	2112	powershell.exe	45
PID 2676 wrote to memory of 1940	2676	WScript.exe	46
PID 2676 wrote to memory of 1940	2676	WScript.exe	46
PID 2676 wrote to memory of 1940	2676	WScript.exe	46
PID 1940 wrote to memory of 1996	1940	powershell.exe	48
PID 1940 wrote to memory of 1996	1940	powershell.exe	48
PID 1940 wrote to memory of 1996	1940	powershell.exe	48
PID 2676 wrote to memory of 692	2676	WScript.exe	49
PID 2676 wrote to memory of 692	2676	WScript.exe	49
PID 2676 wrote to memory of 692	2676	WScript.exe	49
PID 692 wrote to memory of 772	692	powershell.exe	51
PID 692 wrote to memory of 772	692	powershell.exe	51
PID 692 wrote to memory of 772	692	powershell.exe	51
PID 2676 wrote to memory of 1844	2676	WScript.exe	52
PID 2676 wrote to memory of 1844	2676	WScript.exe	52
PID 2676 wrote to memory of 1844	2676	WScript.exe	52
PID 1844 wrote to memory of 2228	1844	powershell.exe	54
PID 1844 wrote to memory of 2228	1844	powershell.exe	54
PID 1844 wrote to memory of 2228	1844	powershell.exe	54
PID 2676 wrote to memory of 2144	2676	WScript.exe	55
PID 2676 wrote to memory of 2144	2676	WScript.exe	55
PID 2676 wrote to memory of 2144	2676	WScript.exe	55
PID 2144 wrote to memory of 2468	2144	powershell.exe	57
PID 2144 wrote to memory of 2468	2144	powershell.exe	57
PID 2144 wrote to memory of 2468	2144	powershell.exe	57
PID 2676 wrote to memory of 1992	2676	WScript.exe	58
PID 2676 wrote to memory of 1992	2676	WScript.exe	58
PID 2676 wrote to memory of 1992	2676	WScript.exe	58
PID 1992 wrote to memory of 1036	1992	powershell.exe	60
PID 1992 wrote to memory of 1036	1992	powershell.exe	60
PID 1992 wrote to memory of 1036	1992	powershell.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5.vbe"
1⤵
- Blocklisted process makes network request
PID:2036

C:\Windows\system32\taskeng.exe
taskeng.exe {514549D3-0899-4AB8-951F-BB1FD9B89772} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\zanFaVXLBdzhSkd.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2740" "1240"
      4⤵
      PID:2100
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2976" "1244"
      4⤵
      PID:1316
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "308" "1244"
      4⤵
      PID:832
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2112" "1248"
      4⤵
      PID:2748
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1940" "1240"
      4⤵
      PID:1996
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "692" "1240"
      4⤵
      PID:772
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1844" "1240"
      4⤵
      PID:2228
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2144" "1240"
      4⤵
      PID:2468
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1992" "1236"
      4⤵
      PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259477158.txt

Filesize
1KB

MD5
a679d36801f86f9f52b263de1504308c

SHA1
3bdd2d5649c1c62719d531a3417571475bfa7d5c

SHA256
7dae114fbe86bc9e7678b7e9c476321bd0882df3d827e99ea6a50b9314ab0764

SHA512
7eb0dbd8d7c06833666864844f9f9cd356a493673f137ca94d1677f5e225863183e7b895cfa15212894d56045022407b3593f082e6edba2997f34b79fb6adea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259487434.txt

Filesize
1KB

MD5
c0985116de54bfd1f2e4469d635b8b30

SHA1
dad14060c31ddc079058921618002dc2e7e2a74f

SHA256
7b6f8260b76a93c7741b91482cfb573f6f45a10f1ef6ed4cbbf2e96e9ed406c2

SHA512
05a48f5c52d03858c7eb6a1ee37801f6a91546801a8b8745d23b4f953188048bcf7001fed0c96cab1d72f01fd7423012599d3d5b1e85c0bc254b8fc5bc3070a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259503721.txt

Filesize
1KB

MD5
b85a42b36ab47886ca4a98301d59019e

SHA1
9102d937ecea2df4a088f04cb5a89001ad6ada03

SHA256
59a729777b20393cc1194ab2a6925326f30024880fd355fcbedade6cd9c6865d

SHA512
8bd06a544deea4c92d68db9d843e7993795602a92d9b95087c5e8346fd1befee42fb037cee4161e57c52748f95842dff8f67e90cd7e7bdcd5edce293f5aaa1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259521256.txt

Filesize
1KB

MD5
a9245f0bf04f84ac3d7f46f3ba4a44e4

SHA1
554769d7821e349edc82d6e1ffeb2e1dda9d96e1

SHA256
9f0adb85d5e3521bf8edb35a8b1f5fdace55d750630a969f296f35fdb382d3f6

SHA512
b71756f5c46aa54cccea583272e55ef5ccbba09765ca983442639a04195774015ab0e5ddec9f4775325ae6a7c96a63316682a0114b28db074d240b22630d90a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259533345.txt

Filesize
1KB

MD5
6046f2b94e336014a232620d36e54ee2

SHA1
f4ea4adde5582e66168e1a13885db8766e7e3b4e

SHA256
76ff88b16d2c925e3707457703434ac06e220c63fb0535fdae332ab9719daacc

SHA512
fe51c8f94931ef4ba152915e67e8d9bc7af88eb297d8888a62e1451d2e08586482eefe94e79e0d523f097fe721cda4d68b382d288f55f65b4d9ab058c605e888

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259549718.txt

Filesize
1KB

MD5
50926d5aeb61f679cc4372ef989aebdc

SHA1
4f3b339b7cf9bbe966ccd2f4591038a4432bb989

SHA256
01ef4a1411076c26b1ab97a928ae536bf4b3a3d37bad42e70b89b13978e66ead

SHA512
96b7d95018f5ca45f4ae8aef14856498db3ff95b59d15b125a479247e2a2d4b355a50d435389eeae603ea5ebc785809f859f63717a3f534c2061fa9dc7e9a4bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259564661.txt

Filesize
1KB

MD5
aa1c77d21b8e44c0b3ebb262bb968dc6

SHA1
8c486870bf82b947bbe5429f3c5aabafaded7825

SHA256
0ff8049b246849e802fa8eabea69b40eb06c1cb8d82e77e84fa0a4740fcede4e

SHA512
f52afeb842e3ef0861757eae055ded8952e541e647202679b5e25539e2c78635efe59ba71924d4039d684744aa0080249053d098f6b1f60445761e9f7bfb84f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259595841.txt

Filesize
1KB

MD5
a72a0bebdb70169cb68933682d14c014

SHA1
0e9619df6ce15b63f4d9d3d1d8eb8b4468b8f2f1

SHA256
9f0bf7ebea02d843b33b5500b7878a3e47d04ea190f05d7470fccbbd16665a6e

SHA512
a832325ae1c0190e7af90bc41db5408e07d926a087b1c4ceb7d294f13273f430f1b34c2dda0dd06c26dd64897bbb8836a7ec5df119964e9d7e51b805ca24f6e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b75178f6895b7d3b05075efc5c80b94b

SHA1
bf132bebcf526966d7ad6cf20998d2844e4b8a5d

SHA256
1092e4e58f668285882be4b336f899e4d8aec5e2450c0b485af81d8ad7fc132a

SHA512
04992e8d6cd4e8e7c40e9fd21671b3e6becd423a533f06b9ce66af7d44694546ca8201a633c88f9c4fdfecbd917347d3da2ccefb3d0740f6c6fceb94288cd554

Download Submit
C:\Users\Admin\AppData\Roaming\zanFaVXLBdzhSkd.vbs

Filesize
2KB

MD5
072196eaac1237e49891f84745b065fd

SHA1
97693ca12473e9db3ddafa988d91bc6b8da3842e

SHA256
6384e6f6e981dd89f039bfd8f007647a5bee11dc36973cb4482224f7f6948987

SHA512
0bc20439ab3cf5d5ceabec4d6682a394120ce19b31fa302218527f846aa2842be928c77c090d7c196c1df39aa0db710f61482aaff8384e193cb61cd60c8776c5

Download Submit
memory/2740-6-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2740-7-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2740-8-0x00000000028F0000-0x00000000028FA000-memory.dmp

Filesize
40KB

Download
memory/2976-16-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2976-17-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download