Analysis
max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 11:18
Static task: static1
Behavioral task: behavioral1
  Sample: DOC- 1000290099433.vbe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: DOC- 1000290099433.vbe
  Resource: win10v2004-20240802-en
General
Target: DOC- 1000290099433.vbe
Size: 11KB
MD5: 1ba91d56988897f8677cc18f54ac7e13
SHA1: 1a51f7b8534c912b18053ac2371907f095128a93
SHA256: 7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f
SHA512: 192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f
SSDEEP: 192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  flow | pid  | Process
  2    | 2704 | WScript.exe
- Drops file in System32 directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  (the same entry is recorded 10 times)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  pid | Process
  2672, 3056, 1272, 2904, 2440, 2220, 1996, 1732, 2488, 1572 | powershell.exe (each PID is recorded twice)
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2672, 3056, 1272, 2904, 2440, 2220, 1996, 1732, 2488, 1572 | powershell.exe
- Suspicious use of WriteProcessMemory (63 IoCs; each row below is recorded three times)
  description | pid | Process | procid_target
  PID 2300 wrote to memory of 2320 | 2300 | taskeng.exe | 32
  PID 2320 wrote to memory of 2672 | 2320 | WScript.exe | 34
  PID 2672 wrote to memory of 2416 | 2672 | powershell.exe | 36
  PID 2320 wrote to memory of 3056 | 2320 | WScript.exe | 37
  PID 3056 wrote to memory of 2108 | 3056 | powershell.exe | 39
  PID 2320 wrote to memory of 1272 | 2320 | WScript.exe | 40
  PID 1272 wrote to memory of 2648 | 1272 | powershell.exe | 42
  PID 2320 wrote to memory of 2904 | 2320 | WScript.exe | 43
  PID 2904 wrote to memory of 572 | 2904 | powershell.exe | 45
  PID 2320 wrote to memory of 2440 | 2320 | WScript.exe | 46
  PID 2440 wrote to memory of 2380 | 2440 | powershell.exe | 48
  PID 2320 wrote to memory of 2220 | 2320 | WScript.exe | 50
  PID 2220 wrote to memory of 2360 | 2220 | powershell.exe | 52
  PID 2320 wrote to memory of 1996 | 2320 | WScript.exe | 53
  PID 1996 wrote to memory of 2276 | 1996 | powershell.exe | 55
  PID 2320 wrote to memory of 1732 | 2320 | WScript.exe | 56
  PID 1732 wrote to memory of 1672 | 1732 | powershell.exe | 58
  PID 2320 wrote to memory of 2488 | 2320 | WScript.exe | 59
  PID 2488 wrote to memory of 2640 | 2488 | powershell.exe | 61
  PID 2320 wrote to memory of 1572 | 2320 | WScript.exe | 62
  PID 1572 wrote to memory of 2316 | 1572 | powershell.exe | 64
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WScript.exe (PID 2704)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
  Signatures: Blocklisted process makes network request
- C:\Windows\system32\taskeng.exe (PID 2300)
  Command line: taskeng.exe {35D32A82-4E1C-4AB8-9A10-83D026146B14} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 2320)
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2672)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 2416)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2672" "1244"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3056)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 2108)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "3056" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1272)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 2648)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1272" "1252"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2904)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 572)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2904" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2440)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 2380)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2440" "1248"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2220)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 2360)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2220" "1248"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1996)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 2276)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1996" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1732)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 1672)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1732" "1244"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2488)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 2640)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2488" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1572)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID 2316)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1572" "1252"
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB