fff98841c98deece190fd246ae5898b5b94d48cddf91039182c813f07cef63fd

Analysis

max time kernel
143s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC- 1000290099433.vbe
Size

11KB
MD5

1ba91d56988897f8677cc18f54ac7e13
SHA1

1a51f7b8534c912b18053ac2371907f095128a93
SHA256

7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f
SHA512

192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f
SSDEEP

192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1768	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2876	powershell.exe
2876	powershell.exe
2000	powershell.exe
2000	powershell.exe
1600	powershell.exe
1600	powershell.exe
2444	powershell.exe
2444	powershell.exe
2156	powershell.exe
2156	powershell.exe
1468	powershell.exe
1468	powershell.exe
1512	powershell.exe
1512	powershell.exe
1952	powershell.exe
1952	powershell.exe
2728	powershell.exe
2728	powershell.exe
2620	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2936	2432	taskeng.exe	31
PID 2432 wrote to memory of 2936	2432	taskeng.exe	31
PID 2432 wrote to memory of 2936	2432	taskeng.exe	31
PID 2936 wrote to memory of 2876	2936	WScript.exe	33
PID 2936 wrote to memory of 2876	2936	WScript.exe	33
PID 2936 wrote to memory of 2876	2936	WScript.exe	33
PID 2876 wrote to memory of 2716	2876	powershell.exe	35
PID 2876 wrote to memory of 2716	2876	powershell.exe	35
PID 2876 wrote to memory of 2716	2876	powershell.exe	35
PID 2936 wrote to memory of 2000	2936	WScript.exe	36
PID 2936 wrote to memory of 2000	2936	WScript.exe	36
PID 2936 wrote to memory of 2000	2936	WScript.exe	36
PID 2000 wrote to memory of 2620	2000	powershell.exe	38
PID 2000 wrote to memory of 2620	2000	powershell.exe	38
PID 2000 wrote to memory of 2620	2000	powershell.exe	38
PID 2936 wrote to memory of 1600	2936	WScript.exe	39
PID 2936 wrote to memory of 1600	2936	WScript.exe	39
PID 2936 wrote to memory of 1600	2936	WScript.exe	39
PID 1600 wrote to memory of 1320	1600	powershell.exe	41
PID 1600 wrote to memory of 1320	1600	powershell.exe	41
PID 1600 wrote to memory of 1320	1600	powershell.exe	41
PID 2936 wrote to memory of 2444	2936	WScript.exe	42
PID 2936 wrote to memory of 2444	2936	WScript.exe	42
PID 2936 wrote to memory of 2444	2936	WScript.exe	42
PID 2444 wrote to memory of 1612	2444	powershell.exe	44
PID 2444 wrote to memory of 1612	2444	powershell.exe	44
PID 2444 wrote to memory of 1612	2444	powershell.exe	44
PID 2936 wrote to memory of 2156	2936	WScript.exe	45
PID 2936 wrote to memory of 2156	2936	WScript.exe	45
PID 2936 wrote to memory of 2156	2936	WScript.exe	45
PID 2156 wrote to memory of 832	2156	powershell.exe	47
PID 2156 wrote to memory of 832	2156	powershell.exe	47
PID 2156 wrote to memory of 832	2156	powershell.exe	47
PID 2936 wrote to memory of 1468	2936	WScript.exe	48
PID 2936 wrote to memory of 1468	2936	WScript.exe	48
PID 2936 wrote to memory of 1468	2936	WScript.exe	48
PID 1468 wrote to memory of 2236	1468	powershell.exe	50
PID 1468 wrote to memory of 2236	1468	powershell.exe	50
PID 1468 wrote to memory of 2236	1468	powershell.exe	50
PID 2936 wrote to memory of 1512	2936	WScript.exe	51
PID 2936 wrote to memory of 1512	2936	WScript.exe	51
PID 2936 wrote to memory of 1512	2936	WScript.exe	51
PID 1512 wrote to memory of 2140	1512	powershell.exe	53
PID 1512 wrote to memory of 2140	1512	powershell.exe	53
PID 1512 wrote to memory of 2140	1512	powershell.exe	53
PID 2936 wrote to memory of 1952	2936	WScript.exe	54
PID 2936 wrote to memory of 1952	2936	WScript.exe	54
PID 2936 wrote to memory of 1952	2936	WScript.exe	54
PID 1952 wrote to memory of 108	1952	powershell.exe	56
PID 1952 wrote to memory of 108	1952	powershell.exe	56
PID 1952 wrote to memory of 108	1952	powershell.exe	56
PID 2936 wrote to memory of 2728	2936	WScript.exe	57
PID 2936 wrote to memory of 2728	2936	WScript.exe	57
PID 2936 wrote to memory of 2728	2936	WScript.exe	57
PID 2728 wrote to memory of 1900	2728	powershell.exe	59
PID 2728 wrote to memory of 1900	2728	powershell.exe	59
PID 2728 wrote to memory of 1900	2728	powershell.exe	59
PID 2936 wrote to memory of 2620	2936	WScript.exe	60
PID 2936 wrote to memory of 2620	2936	WScript.exe	60
PID 2936 wrote to memory of 2620	2936	WScript.exe	60
PID 2620 wrote to memory of 2080	2620	powershell.exe	62
PID 2620 wrote to memory of 2080	2620	powershell.exe	62
PID 2620 wrote to memory of 2080	2620	powershell.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
1⤵
- Blocklisted process makes network request
PID:1768

C:\Windows\system32\taskeng.exe
taskeng.exe {9EC9106D-3B25-46A3-9291-DB6DED08B83D} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2876" "1240"
      4⤵
      PID:2716
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2000" "1240"
      4⤵
      PID:2620
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1600" "1248"
      4⤵
      PID:1320
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2444" "1236"
      4⤵
      PID:1612
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2156" "1248"
      4⤵
      PID:832
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1468" "1240"
      4⤵
      PID:2236
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1512" "1248"
      4⤵
      PID:2140
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1952" "1236"
      4⤵
      PID:108
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2728" "1244"
      4⤵
      PID:1900
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2620" "1236"
      4⤵
      PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259513694.txt

Filesize
1KB

MD5
1a122730c59a4b1aff97f12ae156e379

SHA1
636c0f32cf2d946c315cccb1fb9819f9e575f6e4

SHA256
5464f68e62ef0025d18942bf6e6a8d240d8fa691605d8ded4d31de1d86104a56

SHA512
44800a04f4f56f80ef48f20f2fc9d41affb1035b25ef9a1da11f7ffe32a256dc2a68c6ba872bc29a910ce449b37d5391b707684433585bcf3db571667479f055

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259528335.txt

Filesize
1KB

MD5
ec91acafaea32e1cbd073a7873c11d97

SHA1
ede7448be5949d5dcf95624a14c226f22e6f9d7c

SHA256
3d61dd22cbfe7fc2d04a53e5d7660009e436e05e25b866f8e56c2f5355ab889c

SHA512
21e3c10c08c695ffac0bc16b4cd7525bd8fc1591361b13bc9c5ffbf17bc2baa8e20e6a2783b1b6c4e7146721379e62cf4f4d1844fb353a74a81832592b547038

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259542481.txt

Filesize
1KB

MD5
bff1658746e7f306b98b7bbee3100f25

SHA1
c90da4a994520622d156f0dd48bfaacca52c5c24

SHA256
aa04627d58f85ee8edfdea543c461b5020a06e4836e355c8ca1ac773f9d19b04

SHA512
23dc9235e83edb1d6c94c5383f1d4532c10ae9d5f2d5b6b4e77008605dd90ea1cbf42c948c3e36def6ebb4936cd6dd6963cdae04f383f7e0928354050e542801

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259559047.txt

Filesize
1KB

MD5
3a55829295426a57d7a9dcbb278b4e81

SHA1
959903760cfd2d755caffaf91d4ed51e08a43eab

SHA256
bf0144f3d1387edfb93d870f1fecf8c493ca44b0c7c392d9f02a30f2cfd4213c

SHA512
b998019b8c1e4d2a784a3f410a2641ab84210fb5cda1346ea55df36d2177e6e1931ffd921628af1c2cc2d78eeee1ac0c0f2613f21846d737886abc6ff61ac504

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259574262.txt

Filesize
1KB

MD5
0f609b0d8a31783e6cfa431d9d8043ee

SHA1
b9e6cd3b671a0d58d752e69d5eb948b9fff88ff7

SHA256
724c16dfda5b1d7605f2a6129a895559d00b844fff29852aec9227b9e4f86e3e

SHA512
dda3784ca5b6b306d6158016af2a8553086e6d7758da0803ef1bd3150518e8cc70461665028874b137ce2a04e5ee397f4114b55a7bf3219beb4535b9bf91e150

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259586216.txt

Filesize
1KB

MD5
e9a4dc57278c14ba277b630fbd2aeba1

SHA1
679207ed4dd22cc776e9a7dc59909d711012aba8

SHA256
7747fc9b1b2f2c8e39f9e216f5d22f189dbefc0ff3965c6604005801e9e5f220

SHA512
4ab7371a58e9b4b1b133d02b9466a8b1edffffd7ae004d2e413097a1b2d2eaef4b022d8d4dfaace12b1814bec61f65fcc2450f7f77d0aef31af32e39f04da958

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259600972.txt

Filesize
1KB

MD5
ae3701a96a90a92d27621e115ad67d7a

SHA1
33e677550260f225ca62299b27529e79935a13dd

SHA256
0ebf26aff7ae7665ab86911e9e3164a14878eb9b1918fb143b11e465419cb0f0

SHA512
dcbad1434fcb0c4bf5e2489bb7419700cc4a836a6850b519c49f937232e7034abac1bf6f8abc9f86c4011aa1803ce3b0d06e471e7242f5d240cb20c2d7894992

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259617966.txt

Filesize
1KB

MD5
c32fa1b9ae1c9f8171b69a1b9a541889

SHA1
2402ed54d1ef0bb3ef7e6cc9570ace2512c50104

SHA256
226ed446c448455b32ea6dac97606b58a145325ba446f2229a58f0061cbd71c8

SHA512
7b3982bc23326d1e1ac040ea0fd9945916f17227868653b2987ccb63efcd433c274fde9c35037360b7ad465216a63fc5154783a24268c69e0adaa5a75ea6a8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259630258.txt

Filesize
1KB

MD5
097f73fcdfeb29542e07d969c7756950

SHA1
713be5978500f0c3be40a02c8c4d1026c382df77

SHA256
9e9108e3ff59d4b5e3d41e85540bf7966a47f792e293977ad1ea7a9febfe32a6

SHA512
6f4dc63a445c26b4a37d63131a14030b4768bf3032da7ca0bf8d12b3842b616055fe60c6f2578d8332f35f5fa6f073b0bd74fdfcd3bf22c574fca0b89c21c134

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259646197.txt

Filesize
1KB

MD5
1112872995dce2c83cc51f6ebee0b671

SHA1
836300a304ac5cd8dd05b781e3438a2abfb3eecd

SHA256
1a638efa8bf3e7c57f26786ab7cfb8d67e1ebb1cd2980d00f7e97c69175d0f39

SHA512
e0848596c89b427283bab9813cd5c520921d8e4a305468db9c9dc9bf7b4b15227d865dd738862baa621af039bdb94f0517320516c3e298a7a5ef19cfe8cca6a0

Download Submit
C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs

Filesize
2KB

MD5
5df9cc7a167a8711770e63f29cc69d16

SHA1
312cc26407eada041f5310a62fd73b99fd03a240

SHA256
ec8a7ee52bf19d91f02f739f67f186a17730ca0bedab940b0b5f75973375a6cf

SHA512
bb7298e112011387cd7f65bd048fecdeb71104963586b423daf271bdfa4809b9b9f113680b9ce177f6139b63e19b805edd827d026cee9a219e442f00d50ad235

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ebae0b36ad7679dcfac83a4cf4a30af0

SHA1
a0b57dfbf867dc48dc9e06c3868c3dbc9fe039ad

SHA256
42a544482fb2655a946f3b346b71ba534f77c97766954bc1a489f7494c9a235e

SHA512
71352472e6236475787bc6638473f45eba5cc7d1660be998bf62521974103c20865ff306cf7f201dd68e8740abef0a73052e72f77a328e3cec01b0bc2279516c

Download Submit
memory/2000-18-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2000-17-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2876-6-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2876-7-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/2876-8-0x0000000002920000-0x000000000292A000-memory.dmp

Filesize
40KB

Download