462a96c1ba1050085eeb4e15753a8d9b29fc88b2289c996fb937c4390be3a393

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5.vbe
Size

10KB
MD5

9c14957ca39752cb13dc22d7dd0e53c5
SHA1

7db0b08452db448b7a022fad47e0aaad42452086
SHA256

462a96c1ba1050085eeb4e15753a8d9b29fc88b2289c996fb937c4390be3a393
SHA512

36c66dfc4b48bbed8c04bfda1bb8414fae6af3199b77ce58e80334e9c12fdb7ab8d3134bd4e8c473d0367555860e989f9e77d4973f6e4636f28d5b350f18113e
SSDEEP

192:xVNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5C8YleLMl/1uw5YOAxJSHtK:DNElLAAKjBLf1UWobMrlwMl/mAHU

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2948	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2232	powershell.exe
2232	powershell.exe
2520	powershell.exe
2520	powershell.exe
1644	powershell.exe
1644	powershell.exe
1244	powershell.exe
1244	powershell.exe
2812	powershell.exe
2812	powershell.exe
284	powershell.exe
284	powershell.exe
2076	powershell.exe
2076	powershell.exe
1704	powershell.exe
1704	powershell.exe
2668	powershell.exe
2668	powershell.exe
2556	powershell.exe
2556	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	284	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2884	2344	taskeng.exe	31
PID 2344 wrote to memory of 2884	2344	taskeng.exe	31
PID 2344 wrote to memory of 2884	2344	taskeng.exe	31
PID 2884 wrote to memory of 2232	2884	WScript.exe	33
PID 2884 wrote to memory of 2232	2884	WScript.exe	33
PID 2884 wrote to memory of 2232	2884	WScript.exe	33
PID 2232 wrote to memory of 2636	2232	powershell.exe	35
PID 2232 wrote to memory of 2636	2232	powershell.exe	35
PID 2232 wrote to memory of 2636	2232	powershell.exe	35
PID 2884 wrote to memory of 2520	2884	WScript.exe	36
PID 2884 wrote to memory of 2520	2884	WScript.exe	36
PID 2884 wrote to memory of 2520	2884	WScript.exe	36
PID 2520 wrote to memory of 2560	2520	powershell.exe	38
PID 2520 wrote to memory of 2560	2520	powershell.exe	38
PID 2520 wrote to memory of 2560	2520	powershell.exe	38
PID 2884 wrote to memory of 1644	2884	WScript.exe	39
PID 2884 wrote to memory of 1644	2884	WScript.exe	39
PID 2884 wrote to memory of 1644	2884	WScript.exe	39
PID 1644 wrote to memory of 2300	1644	powershell.exe	41
PID 1644 wrote to memory of 2300	1644	powershell.exe	41
PID 1644 wrote to memory of 2300	1644	powershell.exe	41
PID 2884 wrote to memory of 1244	2884	WScript.exe	42
PID 2884 wrote to memory of 1244	2884	WScript.exe	42
PID 2884 wrote to memory of 1244	2884	WScript.exe	42
PID 1244 wrote to memory of 1752	1244	powershell.exe	44
PID 1244 wrote to memory of 1752	1244	powershell.exe	44
PID 1244 wrote to memory of 1752	1244	powershell.exe	44
PID 2884 wrote to memory of 2812	2884	WScript.exe	45
PID 2884 wrote to memory of 2812	2884	WScript.exe	45
PID 2884 wrote to memory of 2812	2884	WScript.exe	45
PID 2812 wrote to memory of 1128	2812	powershell.exe	47
PID 2812 wrote to memory of 1128	2812	powershell.exe	47
PID 2812 wrote to memory of 1128	2812	powershell.exe	47
PID 2884 wrote to memory of 284	2884	WScript.exe	48
PID 2884 wrote to memory of 284	2884	WScript.exe	48
PID 2884 wrote to memory of 284	2884	WScript.exe	48
PID 284 wrote to memory of 836	284	powershell.exe	50
PID 284 wrote to memory of 836	284	powershell.exe	50
PID 284 wrote to memory of 836	284	powershell.exe	50
PID 2884 wrote to memory of 2076	2884	WScript.exe	51
PID 2884 wrote to memory of 2076	2884	WScript.exe	51
PID 2884 wrote to memory of 2076	2884	WScript.exe	51
PID 2076 wrote to memory of 2168	2076	powershell.exe	53
PID 2076 wrote to memory of 2168	2076	powershell.exe	53
PID 2076 wrote to memory of 2168	2076	powershell.exe	53
PID 2884 wrote to memory of 1704	2884	WScript.exe	54
PID 2884 wrote to memory of 1704	2884	WScript.exe	54
PID 2884 wrote to memory of 1704	2884	WScript.exe	54
PID 1704 wrote to memory of 2880	1704	powershell.exe	56
PID 1704 wrote to memory of 2880	1704	powershell.exe	56
PID 1704 wrote to memory of 2880	1704	powershell.exe	56
PID 2884 wrote to memory of 2668	2884	WScript.exe	57
PID 2884 wrote to memory of 2668	2884	WScript.exe	57
PID 2884 wrote to memory of 2668	2884	WScript.exe	57
PID 2668 wrote to memory of 1572	2668	powershell.exe	59
PID 2668 wrote to memory of 1572	2668	powershell.exe	59
PID 2668 wrote to memory of 1572	2668	powershell.exe	59
PID 2884 wrote to memory of 2556	2884	WScript.exe	60
PID 2884 wrote to memory of 2556	2884	WScript.exe	60
PID 2884 wrote to memory of 2556	2884	WScript.exe	60
PID 2556 wrote to memory of 2032	2556	powershell.exe	62
PID 2556 wrote to memory of 2032	2556	powershell.exe	62
PID 2556 wrote to memory of 2032	2556	powershell.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5.vbe"
1⤵
- Blocklisted process makes network request
PID:2948

C:\Windows\system32\taskeng.exe
taskeng.exe {5BD1850F-3D06-4740-94E3-65FEA0AAA8E6} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\zanFaVXLBdzhSkd.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2232" "1248"
      4⤵
      PID:2636
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2520" "1240"
      4⤵
      PID:2560
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1644" "1252"
      4⤵
      PID:2300
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1244" "1240"
      4⤵
      PID:1752
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2812" "1240"
      4⤵
      PID:1128
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:284
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "284" "1240"
      4⤵
      PID:836
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2076" "1240"
      4⤵
      PID:2168
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1704" "1244"
      4⤵
      PID:2880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2668" "1252"
      4⤵
      PID:1572
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2556" "1240"
      4⤵
      PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259445206.txt

Filesize
1KB

MD5
32078a7e1101082c201b87d18ccba011

SHA1
d17d433a93a46444ce93a505b8725dabe8792179

SHA256
30150d8ffa823ae2c25af56eb73adbe72ade039183564e6dacc9bceca70cc965

SHA512
207519d8e0bf99545ef093fa164218631b7db9d547032efaac6d6c61e2152461cef0821bb2b990fe086d30ab6a253280c0fbbe7eb59ac9c6d0b17510051e6b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259464496.txt

Filesize
1KB

MD5
819dfb63481829d27a558db93a78b003

SHA1
c066e4f404b2c1718e648e1a21a0ab150063ca6a

SHA256
5eeace14f811c46adf4170dcc14a6ebf61752270e2a1b65a244ce2ac39bef185

SHA512
0784f22a2fba0bfb16ddd749c25a216ef65c83032d9bda3b333c8950645e9de434bf1ec1f7309440ae907c7c01e2f2bacc5ecf38aa097130e44840e28ee56103

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259475830.txt

Filesize
1KB

MD5
bf6e0b4e6fc5d2b8fd01813d89d7f670

SHA1
5236300fa29581c09254d0ed7ec61ae1db1dc09c

SHA256
9bf8e934def4d8cef8a4a7ec54c214d5d2f0fe46111ef4d930e1d01e1c1e4322

SHA512
41575e3135f7304e93c9455334bb5fe67b964fabb01a38b5f0b3ddc352e5ed26194a4e82c9b193e0e222e0f01a14a353042d2ab01a2361c99fb9d8c42acf2f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259493455.txt

Filesize
1KB

MD5
f5a0c061d53f195e16d0cf0196fe3b20

SHA1
472cefb347c18033c51bdf1def44a6489be0f9cf

SHA256
5307fc56266cfd6e1d2ebe49935d16315dc169818b8a64be58f90a29b0aa5680

SHA512
4a96f44fd974b9386e5eada8e1fa2ad108f07f93b999e4ac19b6003a14b3a436fbc4fb91426801a23c30035090470708b2ccdaee3bec29430872ab44ec6986dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259509801.txt

Filesize
1KB

MD5
20a93adef70d35fed5ea928ce08d7a7e

SHA1
4b696c6e73cb182ce880d6a39d8ef2b794f759ac

SHA256
993382b03498e6c9c1c000706ca9809e6b2708c7448b2382f646c2ca8f985aa8

SHA512
ef5f5d495db510600d7fc0b3781bc303d3b2f330c75c7f6402a54edef33d5d46f196c4df858121b75477156bbffe1258b9104fa4a38503392209c1366f51b920

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259522930.txt

Filesize
1KB

MD5
8a7f77b0f42fb830feb97ce2a2ab0270

SHA1
b56a4b2675e08d084f07df315aa45efd661bc36b

SHA256
e8aeeca687f534f1170f9af33336f57eeeb43933031ccb347a063d13e549eff2

SHA512
6591b33027214b6f2c8aa2bfb9f472390a5d572068135019a5b3e874ea19dbd61b1e32b51105e0014f87896f2dac1467c481866349450e1e73e1b35d9895b6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259535571.txt

Filesize
1KB

MD5
ddc7e5429320f66949687d0a4306bc72

SHA1
e06e7233c39a5b1fa1ee96e03ad5541767099a7a

SHA256
119b25884349d7a33f4903235502b03b6a216c40df626811a3fc3131d812154c

SHA512
e140ebba4ec41295ccc18522025d4880387f0b30b799c3ef9cc972ee65318046088eaf7912c56663ec1b9e46910aaad5a7f5fe7ec14e609942dcc5980de760ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259551309.txt

Filesize
1KB

MD5
000693eea0beaad0c0fe0b0ffecc8b22

SHA1
733974c57efe55459b7e071f8e51918cec1d259a

SHA256
056d05ef96b5f43c67bfb7c6e77b286e70f1db39d81b5849d2d16c1838e835f8

SHA512
b039791a62328d07768933ac97f4ad65c755e86bdc5585c74858a4a92441038f80f04fcf8fb7122b855b5e1c0da48c44497f0b75e2eb531028cd5b9bf50d3e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259570473.txt

Filesize
1KB

MD5
c092ab8a3dbf8eca9490610796c01653

SHA1
17254265d6bbb0e2587156e72988a6c7f7d9c29a

SHA256
eda8c56b3fa6444bffccfb1d980308a8ba7fb08c52094c76070259cddfea6a06

SHA512
8b9a06685aea37a80480e6fc57883f5bb247595c0acfae354344b4822528836d3ed2c659f6f71565099737ee70b4cabdfeea9a50ff4aa1c80ae5d418ebc077ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259581260.txt

Filesize
1KB

MD5
46ce2b0b07fa38c643cb671b6ec300c8

SHA1
f1412625bdb6ed8745a3d08f94dfe2f60fedab75

SHA256
7d332f962092ee837a5328bbf613f197440fb0e37840e5355a6474d9bc0cf694

SHA512
f4890e9091009a1c52a885e10f246248bc4e974ce8e976c4f08b2f22f34ebbce7c907a9d7162e6a99490950d3b3c00d598b7ee905549fe04f40a872ba6a77b6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cf123fb93b8ddc285aa35e1091f62c7e

SHA1
6e6e4c4855e7ecb2eeae39c1a6be0b8396f58449

SHA256
a3930f523da5af68d789e57ecaa104c8f6b52e754201d4a6de21f8e5b293f2bd

SHA512
f49ec0aabee4111d3066725ac4a1a56e38c067ab7a5325c4f8a0c88dd178496ad55e12d1a6f881810d159cc10642680dc07d78293ad0c2d894a28a801c867caf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EB6ZCO1LOUEKOMWBRTVR.temp

Filesize
7KB

MD5
fbed5b5b3cd7bce38ad63b7f9aec7410

SHA1
f0047707048ebfe7b349e65053639221f99c16ac

SHA256
9fdb4b78917ca14cf81999a46ae55ca27af98554ab5eebdcdcb731f9fed90ac1

SHA512
90241cbc641f9f46d7ecb7ffe72c937c4786022f67a5a57e849a049d2a1a1b4a5edb79572a42d23ccee4212ad759fe413d09a72c846428d99a05fb6ec20b3707

Download Submit
C:\Users\Admin\AppData\Roaming\zanFaVXLBdzhSkd.vbs

Filesize
2KB

MD5
072196eaac1237e49891f84745b065fd

SHA1
97693ca12473e9db3ddafa988d91bc6b8da3842e

SHA256
6384e6f6e981dd89f039bfd8f007647a5bee11dc36973cb4482224f7f6948987

SHA512
0bc20439ab3cf5d5ceabec4d6682a394120ce19b31fa302218527f846aa2842be928c77c090d7c196c1df39aa0db710f61482aaff8384e193cb61cd60c8776c5

Download Submit
memory/2232-6-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2232-8-0x00000000029E0000-0x00000000029EA000-memory.dmp

Filesize
40KB

Download
memory/2232-7-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2520-17-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2520-16-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download