0fde9b33e59270b4d38b2a991aa968c85405732d9704ec072abd31eb402424a0

Analysis

max time kernel
146s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref_0120_03_0015.vbe
Size

10KB
MD5

1bfbb8267511f5aa010a24eea8797445
SHA1

cdd1e3a4461537c7699ba7936612de22c86a39fc
SHA256

6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab
SHA512

32d8c347abb8335e50b16e19142d7cd7ea6922e064a15f3ba766015975ae3d2b062c8b82a7f6f97a3384762987c7d406bde4229b2976fb1c6d6d7aa1157323d9
SSDEEP

192:xzNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5WYleLMl/1uw5YOAxJ2HIK:FNElLAAKjBLf1UWobPlwMl/mcHp

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2320	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2640	powershell.exe
2640	powershell.exe
1236	powershell.exe
1236	powershell.exe
3056	powershell.exe
3056	powershell.exe
2212	powershell.exe
2212	powershell.exe
1792	powershell.exe
1792	powershell.exe
292	powershell.exe
292	powershell.exe
796	powershell.exe
796	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2880	2600	taskeng.exe	30
PID 2600 wrote to memory of 2880	2600	taskeng.exe	30
PID 2600 wrote to memory of 2880	2600	taskeng.exe	30
PID 2880 wrote to memory of 2640	2880	WScript.exe	32
PID 2880 wrote to memory of 2640	2880	WScript.exe	32
PID 2880 wrote to memory of 2640	2880	WScript.exe	32
PID 2640 wrote to memory of 1212	2640	powershell.exe	34
PID 2640 wrote to memory of 1212	2640	powershell.exe	34
PID 2640 wrote to memory of 1212	2640	powershell.exe	34
PID 2880 wrote to memory of 1236	2880	WScript.exe	35
PID 2880 wrote to memory of 1236	2880	WScript.exe	35
PID 2880 wrote to memory of 1236	2880	WScript.exe	35
PID 1236 wrote to memory of 1140	1236	powershell.exe	37
PID 1236 wrote to memory of 1140	1236	powershell.exe	37
PID 1236 wrote to memory of 1140	1236	powershell.exe	37
PID 2880 wrote to memory of 3056	2880	WScript.exe	38
PID 2880 wrote to memory of 3056	2880	WScript.exe	38
PID 2880 wrote to memory of 3056	2880	WScript.exe	38
PID 3056 wrote to memory of 400	3056	powershell.exe	40
PID 3056 wrote to memory of 400	3056	powershell.exe	40
PID 3056 wrote to memory of 400	3056	powershell.exe	40
PID 2880 wrote to memory of 2212	2880	WScript.exe	41
PID 2880 wrote to memory of 2212	2880	WScript.exe	41
PID 2880 wrote to memory of 2212	2880	WScript.exe	41
PID 2212 wrote to memory of 1972	2212	powershell.exe	43
PID 2212 wrote to memory of 1972	2212	powershell.exe	43
PID 2212 wrote to memory of 1972	2212	powershell.exe	43
PID 2880 wrote to memory of 1792	2880	WScript.exe	44
PID 2880 wrote to memory of 1792	2880	WScript.exe	44
PID 2880 wrote to memory of 1792	2880	WScript.exe	44
PID 1792 wrote to memory of 1700	1792	powershell.exe	46
PID 1792 wrote to memory of 1700	1792	powershell.exe	46
PID 1792 wrote to memory of 1700	1792	powershell.exe	46
PID 2880 wrote to memory of 292	2880	WScript.exe	47
PID 2880 wrote to memory of 292	2880	WScript.exe	47
PID 2880 wrote to memory of 292	2880	WScript.exe	47
PID 292 wrote to memory of 1484	292	powershell.exe	49
PID 292 wrote to memory of 1484	292	powershell.exe	49
PID 292 wrote to memory of 1484	292	powershell.exe	49
PID 2880 wrote to memory of 796	2880	WScript.exe	50
PID 2880 wrote to memory of 796	2880	WScript.exe	50
PID 2880 wrote to memory of 796	2880	WScript.exe	50
PID 796 wrote to memory of 1936	796	powershell.exe	52
PID 796 wrote to memory of 1936	796	powershell.exe	52
PID 796 wrote to memory of 1936	796	powershell.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref_0120_03_0015.vbe"
1⤵
- Blocklisted process makes network request
PID:2320

C:\Windows\system32\taskeng.exe
taskeng.exe {6D6B0C63-E576-4D60-B8E7-49EDC368D629} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\XyFxmbwAxbLpFCA.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2640" "1240"
      4⤵
      PID:1212
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1236" "1236"
      4⤵
      PID:1140
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3056" "1236"
      4⤵
      PID:400
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2212" "1240"
      4⤵
      PID:1972
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1792" "1240"
      4⤵
      PID:1700
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:292
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "292" "1244"
      4⤵
      PID:1484
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "796" "1236"
      4⤵
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259623018.txt

Filesize
1KB

MD5
0858f9c6015f8769108709657e72bca0

SHA1
21d557cc5914988e39ea3cfb32024d58097180ea

SHA256
225aeeb99d02459d2808d9a1a43ab3d27b39004c8183bf4f1eb060f8d47b8ba3

SHA512
1ea85609ecba23398e956128c4d63041940a1886546aae1eb6de72cb24a2a8ef0af073b8ec0d9c724d2e715bd37365ef1502ff7296cd7c28e71e569848181d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259637233.txt

Filesize
1KB

MD5
c6d9a9a08f15f6f9421681a57095be63

SHA1
6d1ef7c483e2b09b69ab1a25dd7231068e18a5b8

SHA256
6f3a31891779894832f97636c6217a983c0400064e555437163e0518b2252342

SHA512
aad50d1d1bac617ec5e7f97417f97b613bf812964309eae621610fbc32ccd2a7b1cfaf6301698e824dfc516a3e907831d1c7c0184317bda022cc07b60e9dc39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259653139.txt

Filesize
1KB

MD5
c5c0d4509671515656cbc345bdbf1c0c

SHA1
923ba5bcf0c74b5cea55d3c2d0448b60d435988b

SHA256
32d24cf42b585b3d0ffa22228523669a8eeb1a990edbc26d68ecaf640ebcd665

SHA512
da3f27044f8c5c0e16acc84f8e6b7cf226bb05fe6164f0eadedd83259686a30b85bfe6fb59a0b53b8006ecda8fda17bb410fd619b6a05455aaa2d74692bce619

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259668036.txt

Filesize
1KB

MD5
ceae24ec634469272d84893c0d36d444

SHA1
853c3225f066caafcf0b014f8e6129bf0a41916c

SHA256
b49ea862f50a512098389319fb760e5740a4e6fdcf23fc1d2bda7d3179168092

SHA512
89c0ab9a499410357c90f5aec03d1305e50796f7775749ce35a90002556b9f85ec6a227848a3d50dcf8826ae3ddfe843c462d43169c9c9987539260536355309

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259681517.txt

Filesize
1KB

MD5
c3c478783b3e3363b3466d6ff158a5a9

SHA1
d8288e9284b196fd779a144c08801644ee66c806

SHA256
54c5f3ad380b7ea5b78722c98e3786604b30074c1215c7ba6266cd68dd24ef06

SHA512
01d956808cc8baefb2b712d7ddebec4ea7726babcdbf3e43946fd591a9fce6000be581873fb6dcda931a3eefe38ebd245e07bfb9f1b19a6c30575b8611cc762d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259696605.txt

Filesize
1KB

MD5
dd19e2f520ae7601ae483ec0158ec7f1

SHA1
9af43ced6dd3fb9275daed189856879339a674e9

SHA256
d21ed79c268eb50c404b337c2844d4b6f2e20cb36ba9f71a79081fa451ceca8b

SHA512
2076c67775bec505249a2417c9e55f0fcad7c37f1864ed19b6922f040d2cc4e5d745370724ba8ea900ea47540c073d1bbea43ffda871eda23e2f412bfc899735

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259711258.txt

Filesize
1KB

MD5
c8107729a3b364f2a371e41ea92c8088

SHA1
2b70b81111f4d12d9b80fdff81413dbe45b55823

SHA256
3d041f2f01e8e97c7b6f7d63efbcce7b2b384f819bb5970233e38d4700f2ae7e

SHA512
7c5599e59497a6c43272034211304342c1c32090b43666cc13ab68fb8ce0c3a0330feef6842633953aa0de71ebbeaf76796e8f372d2f796a70cccefbea816ff0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
62a89bd9f18f467859579d70b90f3e2b

SHA1
79801bcc1c8590b11572133cb1313a188d769d6d

SHA256
b8723305e68b1d63438629c65a0e4dde51d7b346369794724543f072502e6407

SHA512
c814534d99ddc45b557c1915320e6018239ab3e0410f33c60ef34560c5aa25b224d92b7012188ca494a7b71e2acc6a03d4bcbab07d65428d75bf152529a7775a

Download Submit
C:\Users\Admin\AppData\Roaming\XyFxmbwAxbLpFCA.vbs

Filesize
2KB

MD5
25081523b6bad63a6a500c519275b1ea

SHA1
a30fbcf4955cca68a5a2e459a9e7e7aa63461780

SHA256
a4eba77734c0262a5ff039848fccd63609a96dab352b13fb608c1167e41e8b70

SHA512
9befb54290eaad6eb34f16f6dc21cd6f7b003ab2dba664b71cc40d2beda2d6af7f42a5b6e4a8eb1b08445ff6ebd7a9f9cae7140e2826706ea4839fe5f4415914

Download Submit
memory/1236-16-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1236-17-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2640-8-0x0000000002A70000-0x0000000002A7A000-memory.dmp

Filesize
40KB

Download
memory/2640-7-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2640-6-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download