Analysis
  max time kernel: 142s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 21-09-2024 11:57
Static task: static1

Behavioral task: behavioral1
  Sample: 6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab.vbe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab.vbe
  Resource: win10v2004-20240802-en
General
  Target: 6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab.vbe
  Size: 10KB
  MD5: 1bfbb8267511f5aa010a24eea8797445
  SHA1: cdd1e3a4461537c7699ba7936612de22c86a39fc
  SHA256: 6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab
  SHA512: 32d8c347abb8335e50b16e19142d7cd7ea6922e064a15f3ba766015975ae3d2b062c8b82a7f6f97a3384762987c7d406bde4229b2976fb1c6d6d7aa1157323d9
  SSDEEP: 192:xzNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5WYleLMl/1uw5YOAxJ2HIK:FNElLAAKjBLf1UWobPlwMl/mcHp
Malware Config
Signatures

Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  2     2280  WScript.exe

Drops file in System32 directory (6 IoCs)
  description                   ioc                                                                                                                          Process
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  2     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  2128  powershell.exe
  2128  powershell.exe
  592   powershell.exe
  592   powershell.exe
  2404  powershell.exe
  2404  powershell.exe
  960   powershell.exe
  960   powershell.exe
  2996  powershell.exe
  2996  powershell.exe
  1516  powershell.exe
  1516  powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2128  powershell.exe
  Token: SeDebugPrivilege   592   powershell.exe
  Token: SeDebugPrivilege   2404  powershell.exe
  Token: SeDebugPrivilege   960   powershell.exe
  Token: SeDebugPrivilege   2996  powershell.exe
  Token: SeDebugPrivilege   1516  powershell.exe

Suspicious use of WriteProcessMemory (39 IoCs)
  description                         pid   Process         procid_target
  PID 2120 wrote to memory of 1964    2120  taskeng.exe     32
  PID 2120 wrote to memory of 1964    2120  taskeng.exe     32
  PID 2120 wrote to memory of 1964    2120  taskeng.exe     32
  PID 1964 wrote to memory of 2128    1964  WScript.exe     34
  PID 1964 wrote to memory of 2128    1964  WScript.exe     34
  PID 1964 wrote to memory of 2128    1964  WScript.exe     34
  PID 2128 wrote to memory of 1312    2128  powershell.exe  36
  PID 2128 wrote to memory of 1312    2128  powershell.exe  36
  PID 2128 wrote to memory of 1312    2128  powershell.exe  36
  PID 1964 wrote to memory of 592     1964  WScript.exe     38
  PID 1964 wrote to memory of 592     1964  WScript.exe     38
  PID 1964 wrote to memory of 592     1964  WScript.exe     38
  PID 592 wrote to memory of 3016     592   powershell.exe  40
  PID 592 wrote to memory of 3016     592   powershell.exe  40
  PID 592 wrote to memory of 3016     592   powershell.exe  40
  PID 1964 wrote to memory of 2404    1964  WScript.exe     41
  PID 1964 wrote to memory of 2404    1964  WScript.exe     41
  PID 1964 wrote to memory of 2404    1964  WScript.exe     41
  PID 2404 wrote to memory of 1940    2404  powershell.exe  43
  PID 2404 wrote to memory of 1940    2404  powershell.exe  43
  PID 2404 wrote to memory of 1940    2404  powershell.exe  43
  PID 1964 wrote to memory of 960     1964  WScript.exe     44
  PID 1964 wrote to memory of 960     1964  WScript.exe     44
  PID 1964 wrote to memory of 960     1964  WScript.exe     44
  PID 960 wrote to memory of 1816     960   powershell.exe  46
  PID 960 wrote to memory of 1816     960   powershell.exe  46
  PID 960 wrote to memory of 1816     960   powershell.exe  46
  PID 1964 wrote to memory of 2996    1964  WScript.exe     47
  PID 1964 wrote to memory of 2996    1964  WScript.exe     47
  PID 1964 wrote to memory of 2996    1964  WScript.exe     47
  PID 2996 wrote to memory of 2276    2996  powershell.exe  49
  PID 2996 wrote to memory of 2276    2996  powershell.exe  49
  PID 2996 wrote to memory of 2276    2996  powershell.exe  49
  PID 1964 wrote to memory of 1516    1964  WScript.exe     50
  PID 1964 wrote to memory of 1516    1964  WScript.exe     50
  PID 1964 wrote to memory of 1516    1964  WScript.exe     50
  PID 1516 wrote to memory of 1932    1516  powershell.exe  52
  PID 1516 wrote to memory of 1932    1516  powershell.exe  52
  PID 1516 wrote to memory of 1932    1516  powershell.exe  52

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cf9aa51125a08f16c022984cf2f1bdc54831ca42b68854706acdd5e3c6dfaab.vbe"
    Signatures: Blocklisted process makes network request
    PID: 2280

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {5E211B8B-415B-4EDD-B0F7-5AC8CADD4C2C} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2120

    [2] C:\Windows\System32\WScript.exe
        Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\XyFxmbwAxbLpFCA.vbs"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 1964

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            PID: 2128

            [4] C:\Windows\system32\wermgr.exe
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2128" "1248"
                PID: 1312

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            PID: 592

            [4] C:\Windows\system32\wermgr.exe
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "592" "1248"
                PID: 3016

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            PID: 2404

            [4] C:\Windows\system32\wermgr.exe
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2404" "1240"
                PID: 1940

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            PID: 960

            [4] C:\Windows\system32\wermgr.exe
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "960" "1232"
                PID: 1816

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            PID: 2996

            [4] C:\Windows\system32\wermgr.exe
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2996" "1240"
                PID: 2276

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            PID: 1516

            [4] C:\Windows\system32\wermgr.exe
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1516" "1240"
                PID: 1932
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
  MD5: da71067faad922896a109704e474138d
  SHA1: 0d48882b48abbcd45bce4aebe5b11626f5499362
  SHA256: fb9e9e5f0b6fd144a96fd78bcd4f2fe82e7b6cfbbe58f20673805459014cb006
  SHA512: 0c7043d4f71b8aa7a336e0944475ca718e1e257de22c46047aca3ce11f8cfc27dd10d3ad4f54cebaed2c492a5261118b4a9dec0b0d7a4a75200d5dd946147b33

Filesize: 1KB
  MD5: 875d4ca3e36c5dddd02bfe13182ccd58
  SHA1: 1f6df457864cd8be182432a5ffef5f20d3ff3cf1
  SHA256: d122d4c4c3c3e5da1006681a26dc1ad28929a89b5e6e6e04e7f708be4764ea3d
  SHA512: 699dec47738283d9c14c948445f3f0ac0a22b1da0564f738f2dc94ca07fc620c0d3a8c23f38c33c04166640350b407db6c909120816f14b7165caa28f9e9754f

Filesize: 1KB
  MD5: eb37788343dadff353f23ae50b292158
  SHA1: f171315830e4c8c5fc452a72692454f612649fbd
  SHA256: 9347cf65382a44704e291b4267580d54e8e68777523f39574bc387d26982c798
  SHA512: ead4362ec2cfdc0e0e152d725ca9b8db6f5fd1ab469adf20e41b6e086570e155650a87042dd3778f8abe937f838d1861c19ae04b61891c149b6028665e112e30

Filesize: 1KB
  MD5: 46ab94f5f1cfd1283c415f521b3d78d4
  SHA1: 4651d73f5a3cde2453dc2c40272ee73a7b0ef16c
  SHA256: e73a17ec535bd4c7818b6606b8cee3261e8929d0a112f774562c8206720f0e1f
  SHA512: a591bb869f09ebad51533aef213f5bcca5fb6b7bb3602a94e38c21d817dbbd181b7769a7832365b8a648a67075f7fb80f7329056d8c0f4fec0df2a42341a478d

Filesize: 1KB
  MD5: 9efb801a698fd1316f8403940528479a
  SHA1: afbbbb9aa86ac09eb9e44639db7ddb592f5ba741
  SHA256: 719c706e3b05a51580697ce1c8ecfee723e60fe5d13d880e85eea760e6fab01a
  SHA512: 0df0614cd55f1414178d576986e98f79a03209d801be1721832cff93bbdcfe6bab01358ad72ceb1883eff7cf548c26a7ee6ab417510cb31e6a666c8a229adaef

Filesize: 1KB
  MD5: 729c39fbcab41de5de6c1ea1648362d9
  SHA1: f08faf492dd5140b4cf8c203f4e52b3ac4484392
  SHA256: b928e3763ea50d358ee043bfdf6cee3bdea999c1018fdc994f8ab30861487937
  SHA512: 26b4d70035e666e19a3ae243f4b385ad0dd6ee32854cb8d033c6b05f49ed6525e9eb5c5b5607020166b1ad331972c5f0778ecd20740c509f8cebe20420143097

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
  MD5: 675bfbcf0dab3dae6b889338fa221b2f
  SHA1: ecbbbe594c1ed4e0abc8c376a2e445a44e05a013
  SHA256: 7ee7232a4e5f0a4dfc47ebf6c27ea17c33cb54bb79767c782bcfaed69c96482c
  SHA512: 4a47c0c07cd70f28a0275a42ea288ef8cc3f7238d00e36a09ad95f5b85f0149882828c3fb30d5f979eeeee0f8a152b278ab86579236601d36db4fc9772e86b68

Filesize: 2KB
  MD5: 25081523b6bad63a6a500c519275b1ea
  SHA1: a30fbcf4955cca68a5a2e459a9e7e7aa63461780
  SHA256: a4eba77734c0262a5ff039848fccd63609a96dab352b13fb608c1167e41e8b70
  SHA512: 9befb54290eaad6eb34f16f6dc21cd6f7b003ab2dba664b71cc40d2beda2d6af7f42a5b6e4a8eb1b08445ff6ebd7a9f9cae7140e2826706ea4839fe5f4415914