Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-09-2024 13:09

General

  • Target

    DOC- 1000290099433.vbe

  • Size

    11KB

  • MD5

    1ba91d56988897f8677cc18f54ac7e13

  • SHA1

    1a51f7b8534c912b18053ac2371907f095128a93

  • SHA256

    7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f

  • SHA512

    192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f

  • SSDEEP

    192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

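The "Uses Task Scheduler COM API" signature is the persistence mechanism for this sample: the process tree shows taskeng.exe re-launching WScript.exe on the .vbs dropped to %APPDATA%\Roaming, so the script survives a reboot without touching a Run key. On a host, the quickest confirmation is to triage the registered task definitions. The Python below is an added example, not code from the sandbox or the report. On Windows 7 every registered task is an XML file under C:\Windows\System32\Tasks\ (UTF-16 on disk); the SUSPECT_TASK body in the code is constructed to match what the tree implies (trigger type and repetition interval are assumptions, not values from the report), and BENIGN_TASK is a control case.

```python
"""Triage Task Scheduler definitions for script-host persistence.

Added example; not code from the sandbox or the report. On Windows 7 every
registered task is stored as an XML file under C:\\Windows\\System32\\Tasks\\
(UTF-16 on disk, so read it with encoding="utf-16" before passing it here).
SUSPECT_TASK is constructed to match what the report's process tree implies
(taskeng.exe -> WScript.exe on a .vbs under %APPDATA%); its trigger and
interval are assumptions, not values taken from the report. BENIGN_TASK is
a control case that should produce no findings.
"""
import re
import xml.etree.ElementTree as ET
from typing import List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.I)

# Constructed task body (assumed trigger/interval), shaped after the report's process tree.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WScript.exe</Command>
      <Arguments>"C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed control case: a weekly maintenance task that should not be flagged.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -k -g</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_task(task_xml: str) -> List[str]:
    """Return the reasons a task definition deserves a closer look (empty list = nothing found)."""
    root = ET.fromstring(task_xml)
    findings: List[str] = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        if _basename(cmd) in SCRIPT_HOSTS:
            findings.append(f"action runs a script host: {_basename(cmd)}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            findings.append("action references a user-writable path")
        if SCRIPT_EXT.search(args):
            findings.append("action passes a script file as argument")
    # Persistence shape: fires at boot/logon, or re-runs on a short interval.
    for trigger in ("BootTrigger", "LogonTrigger"):
        if root.find(f".//t:Triggers/t:{trigger}", NS) is not None:
            findings.append(f"trigger fires on {trigger}")
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    m = re.fullmatch(r"PT(\d+)M", interval)  # ISO 8601 duration, e.g. PT5M
    if m and int(m.group(1)) <= 15:
        findings.append(f"re-runs every {m.group(1)} minute(s)")
    return findings


if __name__ == "__main__":
    for name, body in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(body) or "no findings")
```

Point it at each file under C:\Windows\System32\Tasks\ (or at the output of `schtasks /Query /TN <name> /XML`) and any task that runs a script host on a file in a user-writable directory with a logon trigger or a short repetition interval is worth pulling for analysis, whatever it is named.
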
Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:2672
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C2323A0F-8494-4FB3-9AA8-0CD69536C105} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2644" "1228"
          4⤵
          PID:692
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2928" "1244"
          4⤵
          PID:776
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1672" "1240"
          4⤵
          PID:2472
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:860
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "860" "1248"
          4⤵
          PID:1608
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2476" "1236"
          4⤵
          PID:2204
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1648" "1252"
          4⤵
          PID:1696
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2340" "1244"
          4⤵
          PID:2372
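
Read top to bottom, the tree is a three-stage chain: WScript.exe runs the submitted .vbe from %TEMP%, the scheduled task (taskeng.exe) re-launches WScript.exe on the .vbs dropped to %APPDATA%\Roaming, and that script starts PowerShell seven times. Each PowerShell instance gets a wermgr.exe child invoked as "-outproc" <pid> <handle>, which is Windows Error Reporting's out-of-process reporter, so every PowerShell stage hit an unhandled error in this run; the seven 1KB OutofProcReport*.txt files listed under Downloads, one per instance, correspond to those reports. The logged PowerShell command lines carry no arguments, so the payload itself is not visible from the tree. The Python below is an added example, not sandbox output: it turns the chain into four detection rules and runs them over process events constructed from the PIDs and command lines above (the parent PIDs of the two root processes are not in the report and are assumed to be 0).

```python
"""Process-chain detection for the pattern in the report's process tree:
script host on a dropped file -> Task Scheduler re-launch from %APPDATA%
-> PowerShell -> Windows Error Reporting (wermgr.exe -outproc).

Added example, not sandbox output. EVENTS is constructed from the PIDs and
command lines the report lists; the parent PIDs of the two root processes
(2672 and 2848) are not in the report and are set to 0 (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path as logged
    cmdline: str   # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# taskeng.exe hosts scheduled tasks on Windows 7; on Windows 10+ the parent is
# svchost.exe (Schedule service), so this set needs extending there.
TASK_ENGINES = {"taskeng.exe"}
USER_WRITABLE = re.compile(r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData)\\", re.I)

WSCRIPT = r"C:\Windows\System32\WScript.exe"
PS = r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
WERMGR = r"C:\Windows\system32\wermgr.exe"

# Constructed from the report's process tree; root parent PIDs (0) are assumed.
EVENTS: List[ProcEvent] = [
    ProcEvent(2672, 0, WSCRIPT, f'"{WSCRIPT}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\DOC- 1000290099433.vbe"'),
    ProcEvent(2848, 0, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {C2323A0F-8494-4FB3-9AA8-0CD69536C105} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]"),
    ProcEvent(2892, 2848, WSCRIPT, f'{WSCRIPT} "C:\\Users\\Admin\\AppData\\Roaming\\CeKsDwHNOyLUtGz.vbs"'),
]
# (PowerShell PID, wermgr PID, handle argument) for each of the seven launches in the tree.
for ps_pid, wer_pid, handle in [(2644, 692, 1228), (2928, 776, 1244), (1672, 2472, 1240),
                                (860, 1608, 1248), (2476, 2204, 1236), (1648, 1696, 1252),
                                (2340, 2372, 1244)]:
    EVENTS.append(ProcEvent(ps_pid, 2892, PS, f'"{PS}"'))
    EVENTS.append(ProcEvent(wer_pid, ps_pid, WERMGR, f'"{WERMGR}" "-outproc" "{ps_pid}" "{handle}"'))


def _exe(path: str) -> str:
    """Lower-cased image file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Map each rule name to the sorted PIDs it fired on."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[str, List[int]] = {
        "script_host_runs_file_from_user_dir": [],
        "task_scheduler_launches_script_host": [],
        "script_host_spawns_powershell": [],
        "powershell_reported_fault": [],
    }
    for e in events:
        exe = _exe(e.image)
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        pexe = _exe(parent.image) if parent else ""
        if exe in SCRIPT_HOSTS and USER_WRITABLE.search(e.cmdline):
            hits["script_host_runs_file_from_user_dir"].append(e.pid)
        if exe in SCRIPT_HOSTS and pexe in TASK_ENGINES:
            hits["task_scheduler_launches_script_host"].append(e.pid)
        if exe == "powershell.exe" and pexe in SCRIPT_HOSTS:
            hits["script_host_spawns_powershell"].append(e.pid)
        # wermgr.exe -outproc <pid> <handle> is WER reporting an error in <pid>;
        # record the faulting PowerShell PID, not wermgr's own.
        if exe == "wermgr.exe" and "-outproc" in e.cmdline and pexe == "powershell.exe":
            hits["powershell_reported_fault"].append(e.ppid)
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule}: {pids}")
```

The first three rules are the ones to ship as detections (script host on a user-writable path, task engine as parent of a script host, PowerShell under a script host); the fourth is a triage aid rather than an alert, since a PowerShell stage that reported a fault on every launch means the sandbox run likely did not reach whatever the script was meant to do.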

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259489957.txt
    Filesize: 1KB
    MD5: 07ac12a0ad78828a922e3ab37e46ba7f
    SHA1: b31c2ab65226f2a49983802d08010e939885af87
    SHA256: c215ecfbb18140c35d49f1b4a8f11c9e6a909cab8c75103b41cbaa837d53676c
    SHA512: ab8fe197d686ebb5e1dd9f197d1523fb41459118b7c54bcd446f03dc7e806301e2247c2822c8f9cd7c40b06db907b54c94acd006e1c07dd35959475ff988e5e3

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259509918.txt
    Filesize: 1KB
    MD5: 338c4b1806abd9eb3acde29828091024
    SHA1: 6ba97f6dfba32ed50f226d8dc8d90d34e2e1b83a
    SHA256: 88e66593c934949544139b91677371801646797f5759de9dc20e951204654311
    SHA512: abc5cb450553bab02d8319da7bc8921a25f46563762517adbd0698f3ba57a97504b32cf636553867959da56044d90d1d25c68aef0c7d9ab4302972edf4c32d79

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259524132.txt
    Filesize: 1KB
    MD5: 63173d8cf4b7e7bdfb6e54cb61b83c2c
    SHA1: 788ccc87fd71c06667b73aff083baf3eaa626bd0
    SHA256: 50329e25e81194c01aa12dbbf8ed8ff3fc6304fb834f22940e36dbb4bdf17d64
    SHA512: 5b74d3c9f2ac9b227408eed5d510c03f797f1a9a353b96c3d0f8d9fc850dacf863fee341abc58676b7a7a1fd63fd5ec3593376030efb8621ef2f9d5d5983f3c8

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259537314.txt
    Filesize: 1KB
    MD5: 0261b0d18e4271aee7ad3ec8aa9ddd6c
    SHA1: a1143b8ccbe2c0a139f9026740cbe24445e8841f
    SHA256: b4c0b1761b60ab5a6bb2fff69b213ad0f6530bb9de66327b9a549f9aec074ed7
    SHA512: 8994e76790523db611202d17bffe610b704160470d6d97eff2e2c695450601dbe7552cf1c10ebb259bdcc00f308f95a403949720f13caec51b8718afa9c59b19

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259555177.txt
    Filesize: 1KB
    MD5: ae04b129be4c5b5a69553d5068c5c56e
    SHA1: 6d1c4fb090a27e448898464339c9620715c0beee
    SHA256: cccd428055c7de7081e53069782bbc06443b733ff7fa422905dcd17f4b94f7e7
    SHA512: b89a0ec1e1960523e981c571cfef9f91f9a34d2e2b100933f4684107127d88610931bfee5cac972ba9e58b77c2aa064ebec33aeae48dd46ad97b5a72c4f6b78a

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259569553.txt
    Filesize: 1KB
    MD5: e85f38d8cb5b483adf934579cd9da5df
    SHA1: 75c56025ab3bee2f5ab99a0c1104e7799acd6bfe
    SHA256: f90f1b2e04c7871aa358a97f663dfed859e211861c790e313c96ea347f2563a5
    SHA512: 0eb7ab654234cf90c502a48c8789c935a7ab075e63b05d5e29113cc9c477c26a5dd8203d50a1ee451ce4a2fe6dae04fd131f922e7b4e0d30d09050031b284ed1

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259581055.txt
    Filesize: 1KB
    MD5: eaaabeb878c67b06abe80cb39bf9a7c4
    SHA1: 9d761f31ddf56cf5a75d9a4bc6750595d9af0fef
    SHA256: 0b87360e61c752b8dddd090fab79dbe3e1d721a2e1357e7ce1c9841e9e5bfef1
    SHA512: b39b5bd32a0ff836a87bdf48826b8e4930c328e2838c37e0242d28d80af992ca2a33e4e88a8f4091ce8a5ca929e1e82d985cce00d513b4e03c00852693a2a73a

  • C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs
    Filesize: 2KB
    MD5: 5df9cc7a167a8711770e63f29cc69d16
    SHA1: 312cc26407eada041f5310a62fd73b99fd03a240
    SHA256: ec8a7ee52bf19d91f02f739f67f186a17730ca0bedab940b0b5f75973375a6cf
    SHA512: bb7298e112011387cd7f65bd048fecdeb71104963586b423daf271bdfa4809b9b9f113680b9ce177f6139b63e19b805edd827d026cee9a219e442f00d50ad235

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 667d4fca8dbf6adc2957ea1071d65354
    SHA1: a6dcc25a56a6df6503d5368069afaabb1bbe699b
    SHA256: f5436f954c5fbe8793c68075fb04c07e018f91d25fe797d40ea6b873266b5e1a
    SHA512: 99f9895d9091bb7c02fbc8d06dd4cadcdf517468a7c7bc2b6a316db8a9afdf0c55822b939761bc328f6bf16ed3bcd4bd1a20d6d5cff16d3578ea9e78e0bfa908

  • memory/2644-8-0x0000000002960000-0x000000000296A000-memory.dmp
    Filesize: 40KB

  • memory/2644-7-0x0000000001F70000-0x0000000001F78000-memory.dmp
    Filesize: 32KB

  • memory/2644-6-0x000000001B740000-0x000000001BA22000-memory.dmp
    Filesize: 2.9MB

  • memory/2928-17-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
    Filesize: 32KB

  • memory/2928-16-0x000000001B760000-0x000000001BA42000-memory.dmp
    Filesize: 2.9MB