Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 11:18

General

  • Target

    DOC- 1000290099433.vbe

  • Size

    11KB

  • MD5

    1ba91d56988897f8677cc18f54ac7e13

  • SHA1

    1a51f7b8534c912b18053ac2371907f095128a93

  • SHA256

    7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f

  • SHA512

    192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f

  • SSDEEP

    192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:2704
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {35D32A82-4E1C-4AB8-9A10-83D026146B14} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2672" "1244"
          4⤵
            PID:2416
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Windows\system32\wermgr.exe
            "C:\Windows\system32\wermgr.exe" "-outproc" "3056" "1240"
            4⤵
              PID:2108
          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            3⤵
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1272
            • C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "1272" "1252"
              4⤵
                PID:2648
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
              3⤵
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2904
              • C:\Windows\system32\wermgr.exe
                "C:\Windows\system32\wermgr.exe" "-outproc" "2904" "1240"
                4⤵
                  PID:572
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                3⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2440
                • C:\Windows\system32\wermgr.exe
                  "C:\Windows\system32\wermgr.exe" "-outproc" "2440" "1248"
                  4⤵
                    PID:2380
                • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2220
                  • C:\Windows\system32\wermgr.exe
                    "C:\Windows\system32\wermgr.exe" "-outproc" "2220" "1248"
                    4⤵
                      PID:2360
                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                    3⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1996
                    • C:\Windows\system32\wermgr.exe
                      "C:\Windows\system32\wermgr.exe" "-outproc" "1996" "1240"
                      4⤵
                        PID:2276
                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                      3⤵
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1732
                      • C:\Windows\system32\wermgr.exe
                        "C:\Windows\system32\wermgr.exe" "-outproc" "1732" "1244"
                        4⤵
                          PID:1672
                      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                        3⤵
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2488
                        • C:\Windows\system32\wermgr.exe
                          "C:\Windows\system32\wermgr.exe" "-outproc" "2488" "1240"
                          4⤵
                            PID:2640
                        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
                          3⤵
                          • Drops file in System32 directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:1572
                          • C:\Windows\system32\wermgr.exe
                            "C:\Windows\system32\wermgr.exe" "-outproc" "1572" "1252"
                            4⤵
                              PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259456330.txt

                        Filesize

                        1KB

                        MD5

                        36efc546dce6080c20e1ea103f2aeec0

                        SHA1

                        e1e25dcd7f2e017323934266f3964d2813794858

                        SHA256

                        0b1ba4accfc0729a146571120951a83a0f4747e847de1fdf3037be32192a2338

                        SHA512

                        a02b3e5556a6cc426de5d0795ba21049d88d5f59fd12ba7037a7129d28105987ea939426f74e4cb5df2244c0e22c5127592a147c5e9dd205a58a613c6469794f

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259471750.txt

                        Filesize

                        1KB

                        MD5

                        d5b732b7a29f844a745131aa4485ce7a

                        SHA1

                        8ddfe78fdfbbdfc4e7d7cfb5ed79fc2ac9669513

                        SHA256

                        075998300267505dc08405359193cfeb91def4039b0ea042a59da78284c72a7e

                        SHA512

                        c779bc090fa2843ee562e9cd3af9d5569c7450b29821e81f42760166ab4d5aa743091df26284c0799ccf01f8c4ea76784ace493bca447a9bc3612efc4cfbf187

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259483777.txt

                        Filesize

                        1KB

                        MD5

                        79f0c06086388b57fc15049c0ea304e0

                        SHA1

                        9ae770a1727f28e7c05a6746278d02dec5f02619

                        SHA256

                        705a4cc8501a6a325e8c12b11850a98f1d2b6acc5c674cea17cdc32495684dc7

                        SHA512

                        ec1749e62f468d4a65d934f81feca830645ff1d1dead1623e4c14a4e9e773cb3467cc198b255380c6d467fe8af0354a2c37f6e09f5ef1e434179b8a44d841e72

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259498807.txt

                        Filesize

                        1KB

                        MD5

                        a14178c97b8f511fca89f6979bb246a0

                        SHA1

                        4b86de33e600bd686b2e400bb16c7500b1d66c50

                        SHA256

                        22d55fa68c58bc664159595714489c200a331b8a65356e31760ef113aac4b51d

                        SHA512

                        6e4565dc6c7e200f732053a58a30ab32bcad32dcbff378750ad61cf7d76e92986dc05a687bdca35979f3bacc841aa438849452a27eeae2657e7dc4ea7b74c507

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259517110.txt

                        Filesize

                        1KB

                        MD5

                        148e4e2324985b8a0cf893532a24a04f

                        SHA1

                        32b1e78bf6281d2f062fbfa1e4aebc1584dc70c5

                        SHA256

                        3a3a2f02204d44a922ab5d3ccbf75ef78602947798e8a2ee9174217d528060b7

                        SHA512

                        c1fe194c54b17bf92f6e4b0d11ae2005aa9322ffd23678369d848765f8ff90f36f557ee2acb9a89bff7f293bab8be2d741e57632aa6f9a0a33f4a9fafff5d637

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259528228.txt

                        Filesize

                        1KB

                        MD5

                        9d019acdf73bf5b6c6fb2f7df2c98e0b

                        SHA1

                        c977dad6432dfb11a22a94c54a203ff169a3f72d

                        SHA256

                        8017eb4be2e26def0922375f6eb3601ac6ebdcc9147b5c36fe0a291c75638bd9

                        SHA512

                        36a7bb8206d6ee201ab1e87df541ddebd70175b3ad261ea11a65a059ee86333d8b7ab479f7636f9b24603ed31d9e5499baeebd8347919c05228ba043f992374a

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259546687.txt

                        Filesize

                        1KB

                        MD5

                        86e0d68d9d6d7b335a14e15aeaa28b19

                        SHA1

                        fc35ea18d315c1c11e04ed8f3613daa3b676accd

                        SHA256

                        02e7f10f0a8a6f0e4c3f88a10b95cdfdac9b91b7901e657abbad6f735426348c

                        SHA512

                        6080c6dc6eb842851ed73026a5c99e44065cb3ab86ee98899c8c047f58298187654a619620a19f0863c6ddeba05eb662cb4e8e1f81c73df12b2bab4cb7c57164

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259559972.txt

                        Filesize

                        1KB

                        MD5

                        0bc871c01ba4913a3c940f9e04b450a9

                        SHA1

                        48b505d9de64521f13974b7951a52c7f0d4ef245

                        SHA256

                        3769cd33434836e71049077ca2c6599b77edd79c6ebca0ec00d07fbbefbe0899

                        SHA512

                        60983e474120ed70a026546a003026d0f5f2b00f2d7ee8bf7d84551f1508088cc87f63f95691edc2ab03926355b6d30e8e1e15954cbf3a12e92eb1c17c3fbdb0

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259578354.txt

                        Filesize

                        1KB

                        MD5

                        48515ce3f1de300b7e174033cd158962

                        SHA1

                        cea7d1347f6694f361d0c3dbb9c3691b05b2674d

                        SHA256

                        655184f51253b284dceb4c28e9ec711baf29a8cd22c66876f1c0f78e24f5e2ce

                        SHA512

                        f18d604204e6c5c67343b3257f00c93d6666502bded55843b4da86f81a9779c04c68dda1fac904839de50898fdd6171b50c9d2c60d4fba20bcd522e915b9a6da

                      • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259591468.txt

                        Filesize

                        1KB

                        MD5

                        c70add2a23683eec195d6775b61879f0

                        SHA1

                        b6b5f87e69223a3d891b830347dc5670720ed0a5

                        SHA256

                        896dd231ba91b6bc4f33ca52fd6a93009acee196bcd28eb69da7c92c255f00d9

                        SHA512

                        91210e86c76af2aeb90bdf979c7a1cf0a0279b72bfc18eb595357de51cd811664bf40f7bade9bf2e1e32725b93267be8643dc78bb6a0fc3c12273603d603b517

                      • C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs

                        Filesize

                        2KB

                        MD5

                        5df9cc7a167a8711770e63f29cc69d16

                        SHA1

                        312cc26407eada041f5310a62fd73b99fd03a240

                        SHA256

                        ec8a7ee52bf19d91f02f739f67f186a17730ca0bedab940b0b5f75973375a6cf

                        SHA512

                        bb7298e112011387cd7f65bd048fecdeb71104963586b423daf271bdfa4809b9b9f113680b9ce177f6139b63e19b805edd827d026cee9a219e442f00d50ad235

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                        Filesize

                        7KB

                        MD5

                        d05c79b3a911738267c0114bbedf2b0b

                        SHA1

                        4203435749dc77088af85d27a33b3388535334e8

                        SHA256

                        bc5f7a61ef86a57ee499f52a0da96e24ba4a1f9b4dca2fc2bc00e729ba0c8b91

                        SHA512

                        97347741847d028ec2cf577195bd41012a2d2a94afef9c25b0f15f5f204491acb248e8ad05c25b60e6e8747f76286f3aa406f31710eeaa814b33ea5b27ee98d5

                      • memory/2672-6-0x000000001B830000-0x000000001BB12000-memory.dmp

                        Filesize

                        2.9MB

                      • memory/2672-7-0x0000000002240000-0x0000000002248000-memory.dmp

                        Filesize

                        32KB

                      • memory/2672-8-0x0000000002A60000-0x0000000002A6A000-memory.dmp

                        Filesize

                        40KB

                      • memory/3056-18-0x00000000023C0000-0x00000000023C8000-memory.dmp

                        Filesize

                        32KB

                      • memory/3056-17-0x000000001B690000-0x000000001B972000-memory.dmp

                        Filesize

                        2.9MB