0fde9b33e59270b4d38b2a991aa968c85405732d9704ec072abd31eb402424a0

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref_0120_03_0015.vbe
Size

10KB
MD5

1bfbb8267511f5aa010a24eea8797445
SHA1

cdd1e3a4461537c7699ba7936612de22c86a39fc
SHA256

6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab
SHA512

32d8c347abb8335e50b16e19142d7cd7ea6922e064a15f3ba766015975ae3d2b062c8b82a7f6f97a3384762987c7d406bde4229b2976fb1c6d6d7aa1157323d9
SSDEEP

192:xzNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5WYleLMl/1uw5YOAxJ2HIK:FNElLAAKjBLf1UWobPlwMl/mcHp

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1724	WScript.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1552	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2984	powershell.exe
2984	powershell.exe
2436	powershell.exe
2436	powershell.exe
1060	powershell.exe
1060	powershell.exe
2948	powershell.exe
2948	powershell.exe
904	powershell.exe
904	powershell.exe
2228	powershell.exe
2228	powershell.exe
2220	powershell.exe
2220	powershell.exe
2528	powershell.exe
2528	powershell.exe
2856	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1552	WINWORD.EXE
1552	WINWORD.EXE
1552	WINWORD.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2132	2696	taskeng.exe	32
PID 2696 wrote to memory of 2132	2696	taskeng.exe	32
PID 2696 wrote to memory of 2132	2696	taskeng.exe	32
PID 2132 wrote to memory of 2984	2132	WScript.exe	34
PID 2132 wrote to memory of 2984	2132	WScript.exe	34
PID 2132 wrote to memory of 2984	2132	WScript.exe	34
PID 2984 wrote to memory of 2868	2984	powershell.exe	36
PID 2984 wrote to memory of 2868	2984	powershell.exe	36
PID 2984 wrote to memory of 2868	2984	powershell.exe	36
PID 2132 wrote to memory of 2436	2132	WScript.exe	37
PID 2132 wrote to memory of 2436	2132	WScript.exe	37
PID 2132 wrote to memory of 2436	2132	WScript.exe	37
PID 2436 wrote to memory of 2420	2436	powershell.exe	39
PID 2436 wrote to memory of 2420	2436	powershell.exe	39
PID 2436 wrote to memory of 2420	2436	powershell.exe	39
PID 2132 wrote to memory of 1060	2132	WScript.exe	40
PID 2132 wrote to memory of 1060	2132	WScript.exe	40
PID 2132 wrote to memory of 1060	2132	WScript.exe	40
PID 1060 wrote to memory of 1748	1060	powershell.exe	42
PID 1060 wrote to memory of 1748	1060	powershell.exe	42
PID 1060 wrote to memory of 1748	1060	powershell.exe	42
PID 2132 wrote to memory of 2948	2132	WScript.exe	43
PID 2132 wrote to memory of 2948	2132	WScript.exe	43
PID 2132 wrote to memory of 2948	2132	WScript.exe	43
PID 2948 wrote to memory of 2264	2948	powershell.exe	45
PID 2948 wrote to memory of 2264	2948	powershell.exe	45
PID 2948 wrote to memory of 2264	2948	powershell.exe	45
PID 2132 wrote to memory of 904	2132	WScript.exe	46
PID 2132 wrote to memory of 904	2132	WScript.exe	46
PID 2132 wrote to memory of 904	2132	WScript.exe	46
PID 904 wrote to memory of 1812	904	powershell.exe	48
PID 904 wrote to memory of 1812	904	powershell.exe	48
PID 904 wrote to memory of 1812	904	powershell.exe	48
PID 2132 wrote to memory of 2228	2132	WScript.exe	49
PID 2132 wrote to memory of 2228	2132	WScript.exe	49
PID 2132 wrote to memory of 2228	2132	WScript.exe	49
PID 2228 wrote to memory of 2040	2228	powershell.exe	51
PID 2228 wrote to memory of 2040	2228	powershell.exe	51
PID 2228 wrote to memory of 2040	2228	powershell.exe	51
PID 2132 wrote to memory of 2220	2132	WScript.exe	52
PID 2132 wrote to memory of 2220	2132	WScript.exe	52
PID 2132 wrote to memory of 2220	2132	WScript.exe	52
PID 2220 wrote to memory of 2164	2220	powershell.exe	54
PID 2220 wrote to memory of 2164	2220	powershell.exe	54
PID 2220 wrote to memory of 2164	2220	powershell.exe	54
PID 2132 wrote to memory of 2528	2132	WScript.exe	55
PID 2132 wrote to memory of 2528	2132	WScript.exe	55
PID 2132 wrote to memory of 2528	2132	WScript.exe	55
PID 2528 wrote to memory of 2764	2528	powershell.exe	57
PID 2528 wrote to memory of 2764	2528	powershell.exe	57
PID 2528 wrote to memory of 2764	2528	powershell.exe	57
PID 2132 wrote to memory of 2856	2132	WScript.exe	58
PID 2132 wrote to memory of 2856	2132	WScript.exe	58
PID 2132 wrote to memory of 2856	2132	WScript.exe	58
PID 1552 wrote to memory of 1164	1552	WINWORD.EXE	62
PID 1552 wrote to memory of 1164	1552	WINWORD.EXE	62
PID 1552 wrote to memory of 1164	1552	WINWORD.EXE	62
PID 1552 wrote to memory of 1164	1552	WINWORD.EXE	62
PID 2132 wrote to memory of 1568	2132	WScript.exe	63
PID 2132 wrote to memory of 1568	2132	WScript.exe	63
PID 2132 wrote to memory of 1568	2132	WScript.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref_0120_03_0015.vbe"
1⤵
- Blocklisted process makes network request
PID:1724

C:\Windows\system32\taskeng.exe
taskeng.exe {D656F68F-C3A3-418E-96D9-2D1ABAB8451B} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\XyFxmbwAxbLpFCA.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2984" "1240"
      4⤵
      PID:2868
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2436" "1240"
      4⤵
      PID:2420
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1060" "1240"
      4⤵
      PID:1748
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2948" "1240"
      4⤵
      PID:2264
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "904" "1248"
      4⤵
      PID:1812
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2228" "1236"
      4⤵
      PID:2040
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2220" "1240"
      4⤵
      PID:2164
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2528" "1236"
      4⤵
      PID:2764
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    PID:1568

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\SendRepair.dotx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259444970.txt

Filesize
1KB

MD5
e6f42282427247caa53d0f8e85613c60

SHA1
fff2f05030ccc6252fd2b8674327b3b2ab6041c6

SHA256
dc4afc607233f85baa90a8de962a15c38c6b0c1c6a34a440c8aa098335419753

SHA512
e9bf38cd7b4a358fb051318df9caaaab4f209e9e2d3fd4098e971dcfa82341049e7d3c353d4f3530d6299159cc9a677492dcc81b3fb534fa0d1680c5ed612180

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259464385.txt

Filesize
1KB

MD5
3114e7006980b345c92f292b00c67096

SHA1
3666bccbb57bf97ee8b9cca14acc336f74ea14bd

SHA256
a48ad5709d497161286473a03b76d22aa0a2aaf4a84d0f9453597185fa962650

SHA512
d5208acf07fee7f6df8c87e1da911a78ee372e24afc75e9ac44943e82f9df2eeeb7efeb63514952c1b50fc944dfd167acf57af31ada0b63eddc720ec93e1b424

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259478583.txt

Filesize
1KB

MD5
c10cffa3061e1f3996519be41dd82d08

SHA1
71e1e8dbeb0fc2a3fbba9d7eb4b0017113cc60a6

SHA256
31af55685e3f9620e733a75140cae87ad60de1dcacfc907fa054bc028632088d

SHA512
791d3b7efd217b616ef2d20b9b8ce41b374f6e97cbea971f2fea3900bf5711651a4b1afc4c0e43833a0344908ca18c1e80ddf21097fb3e237f49179a0fc4af6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259490134.txt

Filesize
1KB

MD5
77533f44bce2fdbff662a55737c32d4f

SHA1
0140926b9503292af0a3557910fd4675dc3645cd

SHA256
8e6482b1a2f0591bf8b82b5d97398e686eaa55a8dac40668f4cd0cdbf70672bc

SHA512
e5e71d3551e12bde35cb70cd9d60fa4b64905668bfa1718a7f2fd85b5764ec3a9a019bb4664507e9dba134b9da536aaa11c1fbd70776b152a1dfb93f9842967e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259507798.txt

Filesize
1KB

MD5
a9c19d3c7301a4fac765cb8a261a8aa4

SHA1
2edf925ddd21f8f4db4f733141c56c21a931fad4

SHA256
0522796704790bc055be5cb9451cbcea1f9ee0814558441b4eb1623a9a89b469

SHA512
46fbbb796408b2dcc97f6c6770b7c9a29d152b3a48b2764b718b279838881062bc1bfd5f800ab9698bc61eefe1a9b3ce3619db58e9e4c71de0c8264948c024a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259525021.txt

Filesize
1KB

MD5
bdb8eff4f70148fb5e9290df8da1ef2d

SHA1
3e0414ada6c5b8e1da4bfe6bc525ebd3eac178c8

SHA256
825d33178a28f719df239ebbc155b130737bf63cf4a5d65e54e0e4e0f7921536

SHA512
f63fd728d07e26a7e666c666cb9fbe99aafc22dedd414c4035f37e042dbce4b6d001d3c1771c1b489e9dfa5d8a61c9d7ee62815252391ea0d5e36459799318b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259536043.txt

Filesize
1KB

MD5
7d22586110d355be93a4829825712184

SHA1
3dec630e10f4f773dd3e5c3c907efaa35e2fb78d

SHA256
7616a7b26c1cba05c7c7f7d68d7f393dd13decf210980b51d786e649fe3665e6

SHA512
93c060be4d786cbb8b3245466c67e449f02750bf54b0869bd77838620f369df902bbcf06f282216bab5176efa21c5a1bb9ed6d1fd2ec029cc9b47d86b1f61f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259555077.txt

Filesize
1KB

MD5
9dc19683da6e3b6da2078bd024f18eaf

SHA1
6fea36994976deee924f40420a3c86c276e3e2d7

SHA256
0aa34ca16bb28f8ab1b14d8adf9b7bd456b1cf3c291cfb00900bb89580b658b6

SHA512
ab1d42cfc4e5651e76ca46820c6624a630ba8a7281add0e2e2cc23d2b96eb9da15573bc5fa617a94db3015d9badd634e67f5060438a4331d8c3104c8cfd8785d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ccc2f084ca5925ca27619f1ed2e5f577

SHA1
f17b88934c1b017531f791d3bd5ab1caa9ed4a9b

SHA256
371b051795d2be5e70b97b8032005c96e59beec5ecfcd45c25b39ca285d5b64a

SHA512
7ce012becafae13518d7008ad027265fcafa1ae1ac915ac8d4877cc4c04bb2aeab806f9bc9f560cc5828a632940d92cf4f1100da242894edb21372b90714a486

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R56H2T3ASYUYRPNN7DPD.temp

Filesize
7KB

MD5
93f455d0cfdc4702d57cbaadc4ce8dcd

SHA1
d865d66cadf50ff1daace91ede0e97f7ca7e5d82

SHA256
a08f4f4d17a47798bd506da955741cc8f104cf8010a6fd5379cc63ea3bb15cc8

SHA512
4239190da591719e25a27db044f0e7414c36cd18bf8c5d4cd5dcd1f01d1a53e9e18304e686d792ce4e2091edfcdab8b05e327a893f4366a599fb5f737281d12d

Download Submit
C:\Users\Admin\AppData\Roaming\XyFxmbwAxbLpFCA.vbs

Filesize
2KB

MD5
25081523b6bad63a6a500c519275b1ea

SHA1
a30fbcf4955cca68a5a2e459a9e7e7aa63461780

SHA256
a4eba77734c0262a5ff039848fccd63609a96dab352b13fb608c1167e41e8b70

SHA512
9befb54290eaad6eb34f16f6dc21cd6f7b003ab2dba664b71cc40d2beda2d6af7f42a5b6e4a8eb1b08445ff6ebd7a9f9cae7140e2826706ea4839fe5f4415914

Download Submit
memory/1552-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2436-16-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2436-17-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2856-73-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2856-74-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2984-8-0x0000000002B10000-0x0000000002B1A000-memory.dmp

Filesize
40KB

Download
memory/2984-7-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2984-6-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download