Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
20-09-2024 10:00
Static task
static1
Behavioral task
behavioral1
Sample
DOC- 1000290099433.vbe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
DOC- 1000290099433.vbe
Resource
win10v2004-20240802-en
General
-
Target
DOC- 1000290099433.vbe
-
Size
11KB
-
MD5
1ba91d56988897f8677cc18f54ac7e13
-
SHA1
1a51f7b8534c912b18053ac2371907f095128a93
-
SHA256
7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f
-
SHA512
192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f
-
SSDEEP
192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow 2, PID 2272, WScript.exe -
Drops file in System32 directory 9 IoCs
Action: File opened for modification
Path (identical in all 9 events): C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Process: powershell.exe (9 events, one per powershell.exe instance in the process tree below)
Note: the target is Windows PowerShell's own Start Menu shortcut (a .lnk, not a dropped executable), recorded with an unexpanded %ProgramData% token under System32. -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
HTTP User-Agent header, flow 2: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent of the WinHttp.WinHttpRequest COM object, the HTTP client available to VBScript running under WScript.exe; flow 2 is the request made by PID 2272 above. -
Suspicious behavior: EnumeratesProcesses 17 IoCs
powershell.exe PID (event count): 2680 (2), 1536 (2), 2904 (2), 1820 (1), 1096 (2), 2436 (2), 2132 (2), 1616 (2), 1168 (2) -
Suspicious use of AdjustPrivilegeToken 9 IoCs
Token: SeDebugPrivilege, enabled by powershell.exe PIDs 2680, 1536, 2904, 1820, 1096, 2436, 2132, 1616, 1168 -
Suspicious use of WriteProcessMemory 57 IoCs
Each source/target pair below is recorded three times in the report (19 pairs × 3 = 57 IoCs).
source PID  source process   target PID  procid_target
2456        taskeng.exe      1856        32
1856        WScript.exe      2680        34
2680        powershell.exe   2592        36
1856        WScript.exe      1536        37
1536        powershell.exe   2920        39
1856        WScript.exe      2904        40
1856        WScript.exe      1820        42
2904        powershell.exe   1872        44
1820        powershell.exe   1400        45
1856        WScript.exe      1096        46
1096        powershell.exe   2432        48
1856        WScript.exe      2436        49
2436        powershell.exe   2188        51
1856        WScript.exe      2132        52
2132        powershell.exe   400         54
1856        WScript.exe      1616        55
1616        powershell.exe   1656        57
1856        WScript.exe      1168        58
1168        powershell.exe   2664        60 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\WScript.exe  (PID 2272, depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
  - Blocklisted process makes network request

C:\Windows\system32\taskeng.exe  (PID 2456, depth 1)
  Command line: taskeng.exe {AB0F7D3C-F631-4FCE-939B-61F38659B681} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WScript.exe  (PID 1856, depth 2)
      Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (depth 3; 9 instances, all children of PID 1856)
          Command line (every instance): "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          Signatures (every instance):
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wermgr.exe  (depth 4; one per powershell.exe instance)
              Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "<powershell.exe PID>" "<n>"

          powershell.exe PID  wermgr.exe PID  wermgr.exe command line
          2680                2592            "C:\Windows\system32\wermgr.exe" "-outproc" "2680" "1240"
          1536                2920            "C:\Windows\system32\wermgr.exe" "-outproc" "1536" "1240"
          2904                1872            "C:\Windows\system32\wermgr.exe" "-outproc" "2904" "1240"
          1820                1400            "C:\Windows\system32\wermgr.exe" "-outproc" "1820" "1128"
          1096                2432            "C:\Windows\system32\wermgr.exe" "-outproc" "1096" "1240"
          2436                2188            "C:\Windows\system32\wermgr.exe" "-outproc" "2436" "1240"
          2132                400             "C:\Windows\system32\wermgr.exe" "-outproc" "2132" "1240"
          1616                1656            "C:\Windows\system32\wermgr.exe" "-outproc" "1616" "1232"
          1168                2664            "C:\Windows\system32\wermgr.exe" "-outproc" "1168" "1240"

Note: wermgr.exe "-outproc" is the Windows Error Reporting out-of-process handler that a process launches when it reports a fault; every one of the nine PowerShell instances launched it. The 1856 → powershell.exe → wermgr.exe edges match the WriteProcessMemory pairs listed under Signatures, so the two views describe the same lineage.
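The process tree above and the "Suspicious use of WriteProcessMemory" table describe the same lineage: a scheduled task host (taskeng.exe) runs WScript.exe on the dropped CeKsDwHNOyLUtGz.vbs, which spawns nine powershell.exe children in 150 s. The following added example (my code, not part of the sandbox or the report) rebuilds that lineage from the report's own "wrote to memory of" lines and flags two things a detection engineer would alert on: the contiguous taskeng.exe → WScript.exe → powershell.exe chain, and a single script host fanning out more than a threshold number of PowerShell children. It also checks a User-Agent string for the WinHttpRequest COM signature seen in the "Script User-Agent" IoC. The input lines are copied from the report and condensed to one per pair; the image names of written-to processes (IMAGE_BY_PID) are taken from the process tree because the write lines only name the writer; FANOUT_THRESHOLD is an assumption. The chain matcher takes any pattern, so it is more general than the one chain this sample shows.

```python
"""Rebuild process lineage from sandbox 'wrote to memory of' IoCs and flag
the scheduled-task -> script-host -> PowerShell chain and PowerShell fan-out.
Added example; not sandbox code. Inputs are constructed from the report."""
import re
from collections import Counter

# Constructed from the report's WriteProcessMemory table, one line per pair.
WPM_LINES = """
PID 2456 wrote to memory of 1856 2456 taskeng.exe 32
PID 1856 wrote to memory of 2680 1856 WScript.exe 34
PID 2680 wrote to memory of 2592 2680 powershell.exe 36
PID 1856 wrote to memory of 1536 1856 WScript.exe 37
PID 1536 wrote to memory of 2920 1536 powershell.exe 39
PID 1856 wrote to memory of 2904 1856 WScript.exe 40
PID 1856 wrote to memory of 1820 1856 WScript.exe 42
PID 2904 wrote to memory of 1872 2904 powershell.exe 44
PID 1820 wrote to memory of 1400 1820 powershell.exe 45
PID 1856 wrote to memory of 1096 1856 WScript.exe 46
PID 1096 wrote to memory of 2432 1096 powershell.exe 48
PID 1856 wrote to memory of 2436 1856 WScript.exe 49
PID 2436 wrote to memory of 2188 2436 powershell.exe 51
PID 1856 wrote to memory of 2132 1856 WScript.exe 52
PID 2132 wrote to memory of 400 2132 powershell.exe 54
PID 1856 wrote to memory of 1616 1856 WScript.exe 55
PID 1616 wrote to memory of 1656 1616 powershell.exe 57
PID 1856 wrote to memory of 1168 1856 WScript.exe 58
PID 1168 wrote to memory of 2664 1168 powershell.exe 60
""".strip().splitlines()

# Images of processes that only appear as write targets (from the process tree).
IMAGE_BY_PID = {2592: "wermgr.exe", 2920: "wermgr.exe", 1872: "wermgr.exe",
                1400: "wermgr.exe", 2432: "wermgr.exe", 2188: "wermgr.exe",
                400: "wermgr.exe", 1656: "wermgr.exe", 2664: "wermgr.exe"}

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
LINE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

SUSPICIOUS_CHAIN = ("taskeng.exe", "wscript.exe", "powershell.exe")
FANOUT_THRESHOLD = 5  # assumption: more than 5 PowerShell children is abnormal

# Default User-Agent of the WinHttp.WinHttpRequest COM object (see Signatures).
SCRIPT_UA_RE = re.compile(r"WinHttp\.WinHttpRequest\.\d", re.IGNORECASE)


def parse(lines):
    """Return (parent_of, image_of) maps built from the write lines."""
    parent_of, image_of = {}, dict(IMAGE_BY_PID)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a write-relation line
        src, dst, image = int(m[1]), int(m[2]), m[3]
        parent_of[dst] = src
        image_of[src] = image
    return parent_of, image_of


def lineage(pid, parent_of, image_of):
    """Lower-cased image names from the root ancestor down to pid."""
    chain = []
    while pid is not None:
        chain.append(image_of.get(pid, "?").lower())
        pid = parent_of.get(pid)
    return tuple(reversed(chain))


def find_chains(lines, pattern=SUSPICIOUS_CHAIN):
    """PIDs whose lineage contains `pattern` as a contiguous sub-sequence."""
    parent_of, image_of = parse(lines)
    hits = []
    for pid in parent_of:
        lin = lineage(pid, parent_of, image_of)
        if any(lin[i:i + len(pattern)] == pattern
               for i in range(len(lin) - len(pattern) + 1)):
            hits.append((pid, lin))
    return sorted(hits)


def fanout(lines, child_image="powershell.exe", threshold=FANOUT_THRESHOLD):
    """Parents that spawned more than `threshold` children of `child_image`."""
    parent_of, image_of = parse(lines)
    counts = Counter(parent_of[p] for p in parent_of
                     if image_of.get(p, "").lower() == child_image)
    return {p: n for p, n in counts.items() if n > threshold}


def is_script_host_ua(user_agent):
    """True when the UA is the WinHttpRequest COM default used by script hosts."""
    return bool(SCRIPT_UA_RE.search(user_agent))


if __name__ == "__main__":
    for pid, lin in find_chains(WPM_LINES):
        print(pid, " -> ".join(lin))
    print("fan-out:", fanout(WPM_LINES))
    print(is_script_host_ua("Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"))
```

On this report the chain matcher returns the nine powershell.exe PIDs and their nine wermgr.exe children (18 hits, all rooted at taskeng.exe → WScript.exe), and fanout reports PID 1856 with nine PowerShell children. The lineage comes from WriteProcessMemory pairs rather than process-creation events; that is sound here because the pairs match the parent/child edges in the Processes section, but on a live endpoint the same logic should be fed Sysmon Event ID 1 (ParentProcessId/ProcessId) instead.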
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 073bad836d721b8194bef3fb8cc7e3cd
SHA1 268c6f0953ac6d3d0b12734e664495d2c6fcbacc
SHA256 1488b0d957b642d1aa5aa23d802b0080c6e7f8efc96ec9e4134ed03bbf8ee7f6
SHA512 556e04c00d117e8691d867cf98d9ecf76eccbf50d623e3774989aa8694a521882ef54c9b86b17e5003aa1d6ed6fb611007ec54e67937e49e1e68b0a0b0599423
-
Filesize 1KB
MD5 2720698860a56e0fe8a146e2e005b2a0
SHA1 a6331e0513e64b788fe582ccc721444a7754e430
SHA256 87d97fa487348b042c0491e54463b5c3a1ac720d0395364feb619fa2ca3c1988
SHA512 3c6eac1f70894cc390c802b285717012afe4e2c0a9ba7ad4e6f41d4715cd4069b992d4f8b53f9d60ece018738c24cdc74ab62a061835d01ff2dc5dc7f19a3caf
-
Filesize 1KB
MD5 80ea531fd7457c093b927220ac6adf56
SHA1 720a1ddd23237ed80ea4c5cfe501221804dc00f6
SHA256 284423a1305d35bb9aa975eefd7a1355e1b00eee6d5f4bb57ac9f9ec81b7e2d2
SHA512 96cd59d88827bc883853698c5e980e2e834ed1a3f37585d14076ad93c600bd1355b2df43d3708c36828efd107c0095aff33306dcac16a16c851b7ad16cd11e88
-
Filesize 1KB
MD5 c6103e45805fe0b6bca2bc0f19aacf60
SHA1 0d68276dc9940a4051526f91640bcec8ea3ee0ee
SHA256 eace377e3f26b045936c6d3e677edb0c2e4d813fb1a2f822e302d2ef5bf2b18f
SHA512 de8c700bd283d36541cfe9a386d2f9d7b8d20ecb2d0e55c31b448edf8381720d0fe704b1c4169283c72ae522bd923fe55f54bc57c19c0ee0c034abdeb548805a
-
Filesize 1KB
MD5 b61ea2e0630f78f66aa27bc03c19e9b4
SHA1 6fb07f8f199a81df74b18b0f754de1139cca051e
SHA256 5a61f3bf5aaf81987963e9fdd2ca66ca5aa6a873af1bac48dc231e5259db760f
SHA512 62d5e012951e47528a12bd0a9937870bcfc021df0647615daf01d1ee5e2417518b9eff8ea9c05f6eba79e88d2c339de634092560a1506680c1439879ef217e06
-
Filesize 1KB
MD5 845a913078431ad9720f3d11be7ce5f3
SHA1 56127c847303c39baecff6ee3e3b97d57c20cd44
SHA256 3b08b90d48cc4140988251d22941464c81bfd371ce8b76571c46f74ac8344065
SHA512 9b4e79bad72dbbb3db62592bb9a89eee609fbf5f88a2c4b8dff5fc0c32bc5cdf6ed2b7dabc01b1c6969ebdb51e5658388c380a7ee73962058284ec33a12ee167
-
Filesize 1KB
MD5 454bbc38209acbfdfd6e808382a12e1c
SHA1 d048bbbfa533281e116f099594d4da41e0e31af0
SHA256 61e816bf5750c07c4a7e6a2235e3303cff136813d08ec1ec3f2d62a1cb611fe2
SHA512 dcdf5c7fa39c535f23b55e7d106cf39933209e0e423ff8bf9ec60366552bf9bb9c37798f4ce991c92db999c9ab3699b1f373bec67fe68e85c11dcc838be51064
-
Filesize 1KB
MD5 cc6702b035fd2bd51358fea9bc696662
SHA1 a7c3639cfd05c4cc21541610c2652d5d8579a615
SHA256 1fb8ab5969b8787fca5124ea1bde2868e110ecd6dd9fabc0b42b010ce5c01cf4
SHA512 e033c8261ae0980c674f22b87de94c715f94ea8ff1ae72ddcb8810b4102ef396974246c8d98e1c0928c6d210dad4649c6450f14f4bd2e94ccb9454fe241ffc8b
-
Filesize 1KB
MD5 bb7ca522c63ea61866d130a9715f5774
SHA1 3e538d304ee3a3fd22bb3ce248b7ef62e1589516
SHA256 c6095acfc3b1d4a85b37fb347ff12f44286f1bc1f58c56b27e3df44b19db4cc2
SHA512 b0baf4550d9aef3eca452c5d4633935d855d07bca6c2bbc3e8c6e5c6ef7a27dc39863a49f39420d72a878971113592c9f4b0700bf08ce95e502149e698a99062
-
Filesize 2KB
MD5 5df9cc7a167a8711770e63f29cc69d16
SHA1 312cc26407eada041f5310a62fd73b99fd03a240
SHA256 ec8a7ee52bf19d91f02f739f67f186a17730ca0bedab940b0b5f75973375a6cf
SHA512 bb7298e112011387cd7f65bd048fecdeb71104963586b423daf271bdfa4809b9b9f113680b9ce177f6139b63e19b805edd827d026cee9a219e442f00d50ad235
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize 7KB
MD5 a67c16867a17643748920189e3a8569b
SHA1 609437e919f1381c103118d6dee0631806bca027
SHA256 822303cf320a01f8c68c004fc3fd0eb488b888c043e1e4ff26b541b6ea45fbdb
SHA512 5dbd45f5b9f031e9d7679aba737077cfc51555e67948791ecf41223773979962310fa5d6a27a7da7b4c16824ffb3f85711593b54ce6d5b22c9ff8bb39c5a4d47