Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20-09-2024 13:09
Static task: static1
Behavioral task: behavioral1
- Sample: DOC- 1000290099433.vbe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: DOC- 1000290099433.vbe
- Resource: win10v2004-20240802-en
General
- Target: DOC- 1000290099433.vbe
- Size: 11KB
- MD5: 1ba91d56988897f8677cc18f54ac7e13
- SHA1: 1a51f7b8534c912b18053ac2371907f095128a93
- SHA256: 7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f
- SHA512: 192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f
- SSDEEP: 192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  2     2672  WScript.exe
- Drops file in System32 directory (7 IoCs)
  description                   ioc                                                                                                                               Process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  2     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  2644  powershell.exe
  2644  powershell.exe
  2928  powershell.exe
  2928  powershell.exe
  1672  powershell.exe
  1672  powershell.exe
  860   powershell.exe
  860   powershell.exe
  2476  powershell.exe
  2476  powershell.exe
  1648  powershell.exe
  1648  powershell.exe
  2340  powershell.exe
  2340  powershell.exe
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2644  powershell.exe
  Token: SeDebugPrivilege  2928  powershell.exe
  Token: SeDebugPrivilege  1672  powershell.exe
  Token: SeDebugPrivilege  860   powershell.exe
  Token: SeDebugPrivilege  2476  powershell.exe
  Token: SeDebugPrivilege  1648  powershell.exe
  Token: SeDebugPrivilege  2340  powershell.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  description                        pid   Process         procid_target
  PID 2848 wrote to memory of 2892   2848  taskeng.exe     32
  PID 2848 wrote to memory of 2892   2848  taskeng.exe     32
  PID 2848 wrote to memory of 2892   2848  taskeng.exe     32
  PID 2892 wrote to memory of 2644   2892  WScript.exe     34
  PID 2892 wrote to memory of 2644   2892  WScript.exe     34
  PID 2892 wrote to memory of 2644   2892  WScript.exe     34
  PID 2644 wrote to memory of 692    2644  powershell.exe  36
  PID 2644 wrote to memory of 692    2644  powershell.exe  36
  PID 2644 wrote to memory of 692    2644  powershell.exe  36
  PID 2892 wrote to memory of 2928   2892  WScript.exe     37
  PID 2892 wrote to memory of 2928   2892  WScript.exe     37
  PID 2892 wrote to memory of 2928   2892  WScript.exe     37
  PID 2928 wrote to memory of 776    2928  powershell.exe  39
  PID 2928 wrote to memory of 776    2928  powershell.exe  39
  PID 2928 wrote to memory of 776    2928  powershell.exe  39
  PID 2892 wrote to memory of 1672   2892  WScript.exe     40
  PID 2892 wrote to memory of 1672   2892  WScript.exe     40
  PID 2892 wrote to memory of 1672   2892  WScript.exe     40
  PID 1672 wrote to memory of 2472   1672  powershell.exe  42
  PID 1672 wrote to memory of 2472   1672  powershell.exe  42
  PID 1672 wrote to memory of 2472   1672  powershell.exe  42
  PID 2892 wrote to memory of 860    2892  WScript.exe     43
  PID 2892 wrote to memory of 860    2892  WScript.exe     43
  PID 2892 wrote to memory of 860    2892  WScript.exe     43
  PID 860 wrote to memory of 1608    860   powershell.exe  45
  PID 860 wrote to memory of 1608    860   powershell.exe  45
  PID 860 wrote to memory of 1608    860   powershell.exe  45
  PID 2892 wrote to memory of 2476   2892  WScript.exe     46
  PID 2892 wrote to memory of 2476   2892  WScript.exe     46
  PID 2892 wrote to memory of 2476   2892  WScript.exe     46
  PID 2476 wrote to memory of 2204   2476  powershell.exe  48
  PID 2476 wrote to memory of 2204   2476  powershell.exe  48
  PID 2476 wrote to memory of 2204   2476  powershell.exe  48
  PID 2892 wrote to memory of 1648   2892  WScript.exe     49
  PID 2892 wrote to memory of 1648   2892  WScript.exe     49
  PID 2892 wrote to memory of 1648   2892  WScript.exe     49
  PID 1648 wrote to memory of 1696   1648  powershell.exe  51
  PID 1648 wrote to memory of 1696   1648  powershell.exe  51
  PID 1648 wrote to memory of 1696   1648  powershell.exe  51
  PID 2892 wrote to memory of 2340   2892  WScript.exe     52
  PID 2892 wrote to memory of 2340   2892  WScript.exe     52
  PID 2892 wrote to memory of 2340   2892  WScript.exe     52
  PID 2340 wrote to memory of 2372   2340  powershell.exe  54
  PID 2340 wrote to memory of 2372   2340  powershell.exe  54
  PID 2340 wrote to memory of 2372   2340  powershell.exe  54
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
  - Blocklisted process makes network request
  PID: 2672
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C2323A0F-8494-4FB3-9AA8-0CD69536C105} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2848
  - C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
    - Suspicious use of WriteProcessMemory
    PID: 2892
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2644
      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2644" "1228"
        PID: 692
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2928
      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2928" "1244"
        PID: 776
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1672
      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1672" "1240"
        PID: 2472
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 860
      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "860" "1248"
        PID: 1608
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2476
      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2476" "1236"
        PID: 2204
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1648
      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1648" "1252"
        PID: 1696
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2340
      - C:\Windows\system32\wermgr.exe
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2340" "1244"
        PID: 2372
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 667d4fca8dbf6adc2957ea1071d65354
  SHA1: a6dcc25a56a6df6503d5368069afaabb1bbe699b
  SHA256: f5436f954c5fbe8793c68075fb04c07e018f91d25fe797d40ea6b873266b5e1a
  SHA512: 99f9895d9091bb7c02fbc8d06dd4cadcdf517468a7c7bc2b6a316db8a9afdf0c55822b939761bc328f6bf16ed3bcd4bd1a20d6d5cff16d3578ea9e78e0bfa908