Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    20-09-2024 10:00

General

  • Target
    DOC- 1000290099433.vbe
  • Size
    11KB
  • MD5
    1ba91d56988897f8677cc18f54ac7e13
  • SHA1
    1a51f7b8534c912b18053ac2371907f095128a93
  • SHA256
    7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f
  • SHA512
    192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f
  • SSDEEP
    192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:2272
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AB0F7D3C-F631-4FCE-939B-61F38659B681} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1856
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2680" "1240"
          4⤵
            PID:2592
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1536
          • C:\Windows\system32\wermgr.exe
            "C:\Windows\system32\wermgr.exe" "-outproc" "1536" "1240"
            4⤵
              PID:2920
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            3⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2904
            • C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "2904" "1240"
              4⤵
                PID:1872
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
              3⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1820
              • C:\Windows\system32\wermgr.exe
                "C:\Windows\system32\wermgr.exe" "-outproc" "1820" "1128"
                4⤵
                  PID:1400
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                3⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1096
                • C:\Windows\system32\wermgr.exe
                  "C:\Windows\system32\wermgr.exe" "-outproc" "1096" "1240"
                  4⤵
                    PID:2432
                • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2436
                  • C:\Windows\system32\wermgr.exe
                    "C:\Windows\system32\wermgr.exe" "-outproc" "2436" "1240"
                    4⤵
                      PID:2188
                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                    3⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2132
                    • C:\Windows\system32\wermgr.exe
                      "C:\Windows\system32\wermgr.exe" "-outproc" "2132" "1240"
                      4⤵
                        PID:400
                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                      3⤵
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1616
                      • C:\Windows\system32\wermgr.exe
                        "C:\Windows\system32\wermgr.exe" "-outproc" "1616" "1232"
                        4⤵
                          PID:1656
                      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                        3⤵
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1168
                        • C:\Windows\system32\wermgr.exe
                          "C:\Windows\system32\wermgr.exe" "-outproc" "1168" "1240"
                          4⤵
                            PID:2664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259462844.txt
    Filesize
    1KB
    MD5
    073bad836d721b8194bef3fb8cc7e3cd
    SHA1
    268c6f0953ac6d3d0b12734e664495d2c6fcbacc
    SHA256
    1488b0d957b642d1aa5aa23d802b0080c6e7f8efc96ec9e4134ed03bbf8ee7f6
    SHA512
    556e04c00d117e8691d867cf98d9ecf76eccbf50d623e3774989aa8694a521882ef54c9b86b17e5003aa1d6ed6fb611007ec54e67937e49e1e68b0a0b0599423

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259477828.txt
    Filesize
    1KB
    MD5
    2720698860a56e0fe8a146e2e005b2a0
    SHA1
    a6331e0513e64b788fe582ccc721444a7754e430
    SHA256
    87d97fa487348b042c0491e54463b5c3a1ac720d0395364feb619fa2ca3c1988
    SHA512
    3c6eac1f70894cc390c802b285717012afe4e2c0a9ba7ad4e6f41d4715cd4069b992d4f8b53f9d60ece018738c24cdc74ab62a061835d01ff2dc5dc7f19a3caf

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259508027.txt
    Filesize
    1KB
    MD5
    80ea531fd7457c093b927220ac6adf56
    SHA1
    720a1ddd23237ed80ea4c5cfe501221804dc00f6
    SHA256
    284423a1305d35bb9aa975eefd7a1355e1b00eee6d5f4bb57ac9f9ec81b7e2d2
    SHA512
    96cd59d88827bc883853698c5e980e2e834ed1a3f37585d14076ad93c600bd1355b2df43d3708c36828efd107c0095aff33306dcac16a16c851b7ad16cd11e88

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259509151.txt
    Filesize
    1KB
    MD5
    c6103e45805fe0b6bca2bc0f19aacf60
    SHA1
    0d68276dc9940a4051526f91640bcec8ea3ee0ee
    SHA256
    eace377e3f26b045936c6d3e677edb0c2e4d813fb1a2f822e302d2ef5bf2b18f
    SHA512
    de8c700bd283d36541cfe9a386d2f9d7b8d20ecb2d0e55c31b448edf8381720d0fe704b1c4169283c72ae522bd923fe55f54bc57c19c0ee0c034abdeb548805a

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259523558.txt
    Filesize
    1KB
    MD5
    b61ea2e0630f78f66aa27bc03c19e9b4
    SHA1
    6fb07f8f199a81df74b18b0f754de1139cca051e
    SHA256
    5a61f3bf5aaf81987963e9fdd2ca66ca5aa6a873af1bac48dc231e5259db760f
    SHA512
    62d5e012951e47528a12bd0a9937870bcfc021df0647615daf01d1ee5e2417518b9eff8ea9c05f6eba79e88d2c339de634092560a1506680c1439879ef217e06

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259541993.txt
    Filesize
    1KB
    MD5
    845a913078431ad9720f3d11be7ce5f3
    SHA1
    56127c847303c39baecff6ee3e3b97d57c20cd44
    SHA256
    3b08b90d48cc4140988251d22941464c81bfd371ce8b76571c46f74ac8344065
    SHA512
    9b4e79bad72dbbb3db62592bb9a89eee609fbf5f88a2c4b8dff5fc0c32bc5cdf6ed2b7dabc01b1c6969ebdb51e5658388c380a7ee73962058284ec33a12ee167

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259552764.txt
    Filesize
    1KB
    MD5
    454bbc38209acbfdfd6e808382a12e1c
    SHA1
    d048bbbfa533281e116f099594d4da41e0e31af0
    SHA256
    61e816bf5750c07c4a7e6a2235e3303cff136813d08ec1ec3f2d62a1cb611fe2
    SHA512
    dcdf5c7fa39c535f23b55e7d106cf39933209e0e423ff8bf9ec60366552bf9bb9c37798f4ce991c92db999c9ab3699b1f373bec67fe68e85c11dcc838be51064

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259571320.txt
    Filesize
    1KB
    MD5
    cc6702b035fd2bd51358fea9bc696662
    SHA1
    a7c3639cfd05c4cc21541610c2652d5d8579a615
    SHA256
    1fb8ab5969b8787fca5124ea1bde2868e110ecd6dd9fabc0b42b010ce5c01cf4
    SHA512
    e033c8261ae0980c674f22b87de94c715f94ea8ff1ae72ddcb8810b4102ef396974246c8d98e1c0928c6d210dad4649c6450f14f4bd2e94ccb9454fe241ffc8b

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259585811.txt
    Filesize
    1KB
    MD5
    bb7ca522c63ea61866d130a9715f5774
    SHA1
    3e538d304ee3a3fd22bb3ce248b7ef62e1589516
    SHA256
    c6095acfc3b1d4a85b37fb347ff12f44286f1bc1f58c56b27e3df44b19db4cc2
    SHA512
    b0baf4550d9aef3eca452c5d4633935d855d07bca6c2bbc3e8c6e5c6ef7a27dc39863a49f39420d72a878971113592c9f4b0700bf08ce95e502149e698a99062

  • C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs
    Filesize
    2KB
    MD5
    5df9cc7a167a8711770e63f29cc69d16
    SHA1
    312cc26407eada041f5310a62fd73b99fd03a240
    SHA256
    ec8a7ee52bf19d91f02f739f67f186a17730ca0bedab940b0b5f75973375a6cf
    SHA512
    bb7298e112011387cd7f65bd048fecdeb71104963586b423daf271bdfa4809b9b9f113680b9ce177f6139b63e19b805edd827d026cee9a219e442f00d50ad235

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    a67c16867a17643748920189e3a8569b
    SHA1
    609437e919f1381c103118d6dee0631806bca027
    SHA256
    822303cf320a01f8c68c004fc3fd0eb488b888c043e1e4ff26b541b6ea45fbdb
    SHA512
    5dbd45f5b9f031e9d7679aba737077cfc51555e67948791ecf41223773979962310fa5d6a27a7da7b4c16824ffb3f85711593b54ce6d5b22c9ff8bb39c5a4d47

  • memory/1536-17-0x0000000002770000-0x0000000002778000-memory.dmp
    Filesize
    32KB

  • memory/1536-16-0x000000001B640000-0x000000001B922000-memory.dmp
    Filesize
    2.9MB

  • memory/2680-7-0x0000000002890000-0x0000000002898000-memory.dmp
    Filesize
    32KB

  • memory/2680-6-0x000000001B6E0000-0x000000001B9C2000-memory.dmp
    Filesize
    2.9MB

  • memory/2680-8-0x0000000002AE0000-0x0000000002AEA000-memory.dmp
    Filesize
    40KB