6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab

Analysis

max time kernel
140s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab.vbe
Size

10KB
MD5

1bfbb8267511f5aa010a24eea8797445
SHA1

cdd1e3a4461537c7699ba7936612de22c86a39fc
SHA256

6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab
SHA512

32d8c347abb8335e50b16e19142d7cd7ea6922e064a15f3ba766015975ae3d2b062c8b82a7f6f97a3384762987c7d406bde4229b2976fb1c6d6d7aa1157323d9
SSDEEP

192:xzNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5WYleLMl/1uw5YOAxJ2HIK:FNElLAAKjBLf1UWobPlwMl/mcHp

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3004	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2772	powershell.exe
2772	powershell.exe
2528	powershell.exe
2528	powershell.exe
2036	powershell.exe
2036	powershell.exe
1616	powershell.exe
1616	powershell.exe
1864	powershell.exe
1864	powershell.exe
908	powershell.exe
908	powershell.exe
2348	powershell.exe
2348	powershell.exe
3008	powershell.exe
3008	powershell.exe
1852	powershell.exe
1852	powershell.exe
308	powershell.exe
308	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2960	1364	taskeng.exe	32
PID 1364 wrote to memory of 2960	1364	taskeng.exe	32
PID 1364 wrote to memory of 2960	1364	taskeng.exe	32
PID 2960 wrote to memory of 2772	2960	WScript.exe	34
PID 2960 wrote to memory of 2772	2960	WScript.exe	34
PID 2960 wrote to memory of 2772	2960	WScript.exe	34
PID 2772 wrote to memory of 2988	2772	powershell.exe	36
PID 2772 wrote to memory of 2988	2772	powershell.exe	36
PID 2772 wrote to memory of 2988	2772	powershell.exe	36
PID 2960 wrote to memory of 2528	2960	WScript.exe	37
PID 2960 wrote to memory of 2528	2960	WScript.exe	37
PID 2960 wrote to memory of 2528	2960	WScript.exe	37
PID 2528 wrote to memory of 1752	2528	powershell.exe	39
PID 2528 wrote to memory of 1752	2528	powershell.exe	39
PID 2528 wrote to memory of 1752	2528	powershell.exe	39
PID 2960 wrote to memory of 2036	2960	WScript.exe	40
PID 2960 wrote to memory of 2036	2960	WScript.exe	40
PID 2960 wrote to memory of 2036	2960	WScript.exe	40
PID 2036 wrote to memory of 1292	2036	powershell.exe	42
PID 2036 wrote to memory of 1292	2036	powershell.exe	42
PID 2036 wrote to memory of 1292	2036	powershell.exe	42
PID 2960 wrote to memory of 1616	2960	WScript.exe	43
PID 2960 wrote to memory of 1616	2960	WScript.exe	43
PID 2960 wrote to memory of 1616	2960	WScript.exe	43
PID 1616 wrote to memory of 2148	1616	powershell.exe	45
PID 1616 wrote to memory of 2148	1616	powershell.exe	45
PID 1616 wrote to memory of 2148	1616	powershell.exe	45
PID 2960 wrote to memory of 1864	2960	WScript.exe	46
PID 2960 wrote to memory of 1864	2960	WScript.exe	46
PID 2960 wrote to memory of 1864	2960	WScript.exe	46
PID 1864 wrote to memory of 1604	1864	powershell.exe	48
PID 1864 wrote to memory of 1604	1864	powershell.exe	48
PID 1864 wrote to memory of 1604	1864	powershell.exe	48
PID 2960 wrote to memory of 908	2960	WScript.exe	49
PID 2960 wrote to memory of 908	2960	WScript.exe	49
PID 2960 wrote to memory of 908	2960	WScript.exe	49
PID 908 wrote to memory of 2484	908	powershell.exe	51
PID 908 wrote to memory of 2484	908	powershell.exe	51
PID 908 wrote to memory of 2484	908	powershell.exe	51
PID 2960 wrote to memory of 2348	2960	WScript.exe	53
PID 2960 wrote to memory of 2348	2960	WScript.exe	53
PID 2960 wrote to memory of 2348	2960	WScript.exe	53
PID 2348 wrote to memory of 2004	2348	powershell.exe	55
PID 2348 wrote to memory of 2004	2348	powershell.exe	55
PID 2348 wrote to memory of 2004	2348	powershell.exe	55
PID 2960 wrote to memory of 3008	2960	WScript.exe	56
PID 2960 wrote to memory of 3008	2960	WScript.exe	56
PID 2960 wrote to memory of 3008	2960	WScript.exe	56
PID 3008 wrote to memory of 2536	3008	powershell.exe	58
PID 3008 wrote to memory of 2536	3008	powershell.exe	58
PID 3008 wrote to memory of 2536	3008	powershell.exe	58
PID 2960 wrote to memory of 1852	2960	WScript.exe	59
PID 2960 wrote to memory of 1852	2960	WScript.exe	59
PID 2960 wrote to memory of 1852	2960	WScript.exe	59
PID 1852 wrote to memory of 3032	1852	powershell.exe	61
PID 1852 wrote to memory of 3032	1852	powershell.exe	61
PID 1852 wrote to memory of 3032	1852	powershell.exe	61
PID 2960 wrote to memory of 308	2960	WScript.exe	62
PID 2960 wrote to memory of 308	2960	WScript.exe	62
PID 2960 wrote to memory of 308	2960	WScript.exe	62
PID 308 wrote to memory of 1964	308	powershell.exe	64
PID 308 wrote to memory of 1964	308	powershell.exe	64
PID 308 wrote to memory of 1964	308	powershell.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab.vbe"
1⤵
- Blocklisted process makes network request
PID:3004

C:\Windows\system32\taskeng.exe
taskeng.exe {66647590-9B10-45DD-9BBF-CA8BCB60F104} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\XyFxmbwAxbLpFCA.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2772" "1244"
      4⤵
      PID:2988
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2528" "1236"
      4⤵
      PID:1752
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2036" "1248"
      4⤵
      PID:1292
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1616" "1248"
      4⤵
      PID:2148
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1864" "1232"
      4⤵
      PID:1604
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "908" "1240"
      4⤵
      PID:2484
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2348" "1248"
      4⤵
      PID:2004
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3008" "1240"
      4⤵
      PID:2536
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1852" "1244"
      4⤵
      PID:3032
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:308
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "308" "1236"
      4⤵
      PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259449703.txt

Filesize
1KB

MD5
1922d0be5a493bc6ecb8761073671f66

SHA1
94c610a61323738460ca704c471a2520a6eba040

SHA256
44d91b2c2fafa8546428b22408fcdec14948e9857514eed6b18f90d853d647a7

SHA512
35409523ee15197c7531ae4041938fcd44681fe7550ba3dd6b924daa699a2303780db1a08513238029e751c6a9761ff9ceae9110abd95e00548e6390cc7705ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259468125.txt

Filesize
1KB

MD5
4521d67d35a418f4e40f65fea7b46be3

SHA1
021ca9f26c610bc71921c77457fc6b85327d9469

SHA256
30464fe82c0d1a0e8473434f440f991733f1667f3bf5c946d3566bcdae923aa2

SHA512
da5e94601324d14a2d9221b5de9fb37dda5c2ecd34ea4d737a5ab115cb9f71354c78d437f8f4603d099e5c36b0157cf840a945f1af86213ace5e61e6ed95068f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259480175.txt

Filesize
1KB

MD5
8c0cbe40bf355a4754b3c874315c13c1

SHA1
2930bd159a9452fe10d373cdb6f2802f12c7951e

SHA256
99c8a14c127225bf108c2c116573f9ed1d41a77040bf29058856ab1ce93c807c

SHA512
978f87a42f1391f7d6914785feb176cc3e48f431050179a09ec3f083f6934e3f946a6717e8a327e81f7cfa777df4ea1b3628fdedbc1d17eb5e5865ab23f6aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259497688.txt

Filesize
1KB

MD5
be54647bb41c5256d106d94ad7c147ad

SHA1
9a5ea0d61553f43831c64c660ff1280fce90b883

SHA256
67823f7551053ab08ca64e52f24b0a33a704aab8ab21cc4e7b931d9386f1fdb9

SHA512
7ffaae9351e37d7ae7bba190a719f9576f3867e212f3b0f398ac305e2da468268eff7ab491bc5e4c29d51993d2403c0246e732a3745cc2ecdd6e7b5ff9036739

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259511466.txt

Filesize
1KB

MD5
a5737c80874533f94f6ba40bf3d9d9d4

SHA1
23b555acafedc18b2a8021637161b975b0558f42

SHA256
f767dddc7b4c7df8e1eb03839dd68adadcffdbc7387bb9bfb034df990749d0d5

SHA512
4e6ddff24c0d53ef4a848e10f2f84f2adbebc47bb3a907cb7ffc7f8c65a13d675423e3d2dfdcf38fc4b6e1decf3c54c7d690f8959d64c547f3193c2843ff4f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259525987.txt

Filesize
1KB

MD5
0ffe98f4d1df3ce48192ccb3df83d94d

SHA1
be6dc3d7c5c98fdc43d7642bb509ff04f439ad6d

SHA256
8907779f4fbf15786b0222e99303f04d7606bd31be59ccf387d363ebe3ed1b3b

SHA512
5960c0fd7f388df8866e9e7234e46b890501e21aaa2b60a907efc04d32fcf47617296f6862d8cbaa199a52e30d6c2ada0b63fe41a3edb0b7379d3f93f3d5753d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259539751.txt

Filesize
1KB

MD5
18d39c0ad190b71d578b64a3188e19af

SHA1
b7672bc764c01c3cbf8881e9a67c1dc74de8fc0d

SHA256
980d0eeddf4747bd8c384748bb5fb1cdb0da37a89da597fc8d0f2263b4740eff

SHA512
16376aa8f19f134136bb57e100578800bf3e35417e1cfc5aeb055f0566f29bda86413e27b89c55887fcb39d596746a395b855f00530982c7a226446822224dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259559224.txt

Filesize
1KB

MD5
f4376584b7321c71c6322512c497de68

SHA1
6b0e3ef000c3f4d99b88c05c13999300568b0c16

SHA256
758b7ad0232bdd3355d532a6304ef67e9b9e0222ad08ca458176e8125e57820d

SHA512
251cda7b6a945aff0b80c9cbbcef628b3f952550914f666dcc50713e401e8c67abeb129dc586e7da6a720f7acb1c2816616642eb64cb76ab8a54d41bdce3e27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259573519.txt

Filesize
1KB

MD5
6f9b8dbb91402596b00dab7372dc4b0c

SHA1
299823ff09f0b52cffbfbf95d922511f5db7918c

SHA256
2a5131225936edccdff715a61087a085f10e9626c186e1aec57c3ae76eb9cdfa

SHA512
47e0b2c2f65bb1fd4fcee49bbe1e744e4c908ae04929f70857c079c6efc4b546a35c851dba05bb4980932037a122f9cc346ba096b1e5601941ab244be6a2f2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259586597.txt

Filesize
1KB

MD5
30d35a165447fb5f1bd540f800697ee3

SHA1
d413f3743e2b20870ec33628639ecebeed1adfca

SHA256
58776ad0bb0e8da96130980920cb6d4f0ccabbd76c488b69659a30c2dfd1c121

SHA512
3b7087233dfe971df71f7c29d335284447dfbf263c2964835f7462ba38ed81830a81b37e41dffabcf42cd0c07fecb7b5982b3fc65b27f6f4b749da176738b9b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
09f8cbf6850f73284d47c1eb85407b6f

SHA1
55b68365588d2b929ce0cf64de93e2c6bbcd44f2

SHA256
3ae45a56284789af456023ff7960ff75836b4c2bac9668a7d79784c18a602435

SHA512
50d77934b7999baa23b2b988cf46e9621478c9920bc845e41bd94c59351a569507727115aa814b7a63c9433ed80b9463d3d7b499467a97bc1538e352de7a26ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C3H02FB9H124JLNS7ILH.temp

Filesize
7KB

MD5
ca2a58a37aa1b444bae123ed0dae5e35

SHA1
e9713a30c87ae17b9b1e24b5cab5d6befa8b090e

SHA256
d40c3e99c09dce9d7bb89872e37015af6ea06c6cff3b4fbbe494ed7b46f0b1a9

SHA512
a64ad680bc7853084a70c5b35b8848f5fe102f590bfffe7fa3e43c588eee87de7eb34c06328717e938bce3663f2303f0e4b01235fa6870a8d922b6d266033f77

Download Submit
C:\Users\Admin\AppData\Roaming\XyFxmbwAxbLpFCA.vbs

Filesize
2KB

MD5
25081523b6bad63a6a500c519275b1ea

SHA1
a30fbcf4955cca68a5a2e459a9e7e7aa63461780

SHA256
a4eba77734c0262a5ff039848fccd63609a96dab352b13fb608c1167e41e8b70

SHA512
9befb54290eaad6eb34f16f6dc21cd6f7b003ab2dba664b71cc40d2beda2d6af7f42a5b6e4a8eb1b08445ff6ebd7a9f9cae7140e2826706ea4839fe5f4415914

Download Submit
memory/2528-18-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/2528-17-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2772-6-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2772-7-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2772-8-0x0000000002AF0000-0x0000000002AFA000-memory.dmp

Filesize
40KB

Download