Analysis
- max time kernel: 147s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23-09-2024 07:36

Static task: static1

Behavioral task: behavioral1
- Sample: DOC- 1000290099433.vbe
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: DOC- 1000290099433.vbe
- Resource: win10v2004-20240802-en
General
- Target: DOC- 1000290099433.vbe
- Size: 11KB
- MD5: 1ba91d56988897f8677cc18f54ac7e13
- SHA1: 1a51f7b8534c912b18053ac2371907f095128a93
- SHA256: 7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f
- SHA512: 192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f
- SSDEEP: 192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ
Malware Config

Signatures
- Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  2 | 2956 | WScript.exe

- Drops file in System32 directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  (the same entry is recorded 8 times)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 2 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  2788 | powershell.exe (x2)
  2544 | powershell.exe (x2)
  1984 | powershell.exe (x2)
  2356 | powershell.exe (x2)
  2884 | powershell.exe (x2)
  2392 | powershell.exe (x2)
  1604 | powershell.exe (x2)
  968 | powershell.exe (x2)

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2788 | powershell.exe
  Token: SeDebugPrivilege | 2544 | powershell.exe
  Token: SeDebugPrivilege | 1984 | powershell.exe
  Token: SeDebugPrivilege | 2356 | powershell.exe
  Token: SeDebugPrivilege | 2884 | powershell.exe
  Token: SeDebugPrivilege | 2392 | powershell.exe
  Token: SeDebugPrivilege | 1604 | powershell.exe
  Token: SeDebugPrivilege | 968 | powershell.exe

- Suspicious use of WriteProcessMemory (51 IoCs; each write below is recorded 3 times)
  description | pid | Process | procid_target
  PID 2112 wrote to memory of 3052 | 2112 | taskeng.exe | 32
  PID 3052 wrote to memory of 2788 | 3052 | WScript.exe | 34
  PID 2788 wrote to memory of 1200 | 2788 | powershell.exe | 36
  PID 3052 wrote to memory of 2544 | 3052 | WScript.exe | 37
  PID 2544 wrote to memory of 652 | 2544 | powershell.exe | 39
  PID 3052 wrote to memory of 1984 | 3052 | WScript.exe | 40
  PID 1984 wrote to memory of 2000 | 1984 | powershell.exe | 42
  PID 3052 wrote to memory of 2356 | 3052 | WScript.exe | 43
  PID 2356 wrote to memory of 1980 | 2356 | powershell.exe | 45
  PID 3052 wrote to memory of 2884 | 3052 | WScript.exe | 46
  PID 2884 wrote to memory of 2412 | 2884 | powershell.exe | 48
  PID 3052 wrote to memory of 2392 | 3052 | WScript.exe | 49
  PID 2392 wrote to memory of 2888 | 2392 | powershell.exe | 51
  PID 3052 wrote to memory of 1604 | 3052 | WScript.exe | 52
  PID 1604 wrote to memory of 268 | 1604 | powershell.exe | 54
  PID 3052 wrote to memory of 968 | 3052 | WScript.exe | 55
  PID 968 wrote to memory of 2456 | 968 | powershell.exe | 57

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\System32\WScript.exe (PID: 2956)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
  - Blocklisted process makes network request

- C:\Windows\system32\taskeng.exe (PID: 2112)
  Command line: taskeng.exe {F785341E-A270-43D8-8942-7F812D552E26} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID: 3052)
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID: 2788)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID: 1200)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2788" "1244"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID: 2544)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID: 652)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2544" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID: 1984)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID: 2000)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1984" "1248"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID: 2356)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID: 1980)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2356" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID: 2884)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID: 2412)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2884" "1248"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID: 2392)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID: 2888)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2392" "1240"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID: 1604)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID: 268)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1604" "1244"
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID: 968)
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wermgr.exe (PID: 2456)
        Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "968" "1240"
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 63f2174f1f11cefebc47000c4fce10fc
  SHA1: 7ef4bea9cfef63dbb31e7ba65cb255ac7a20feb5
  SHA256: 9bd033a786b48003202f941d0b1c4d870e2c9b84af2f038391d28346f7f0c8d3
  SHA512: 26ee668da6eb378940f1defbb2ad4ea53f08645d68784c1f06e5be37d84fd622c22e880674c014e69dd8ea27e760faecae9ea5ffffa12a255a4b50a117afa1e0

- Filesize: 1KB
  MD5: a6e9aadef6ef21986a2873507ef90f03
  SHA1: 353d0774c0ddec8c6e07c7b3dd28974843b2c1c8
  SHA256: 84afa2bd67c3f2d26d0a2674fb4f27d27514a639932c981c10102ca91ad434df
  SHA512: 90d4da6fd409fc0d5ff7379e3b12afac4fa82aa98ddb70056fe4c74be3ff2b719da2001a3d640d9d2140c1ea7938736d8a5f60dbd439b279e9b9d84f7e958ea5

- Filesize: 1KB
  MD5: be9241fe20df6c901d182f861ef8d5df
  SHA1: 974032ad10c81ee0d6969e2658063b4dc1a28d94
  SHA256: ed3c39348547b19b884bb7be380f5a4805797210596d46ad708a9f945a8822a1
  SHA512: 0bb5083eb2dd25e1868cd042048a362b7518e24c3d546c59679c09a8621d269560b1ec085a4436ddfbc82b612092f6311127548b8db88875100554084d561566

- Filesize: 1KB
  MD5: 26f51b4b94836c79d047d71501711ec8
  SHA1: dbb7ac5ad8b9d03f1d8e6156f5daab9d5275210e
  SHA256: 6281973f5ad441b00ea41eef6c082357534b434f6006e061b2c09b3723324cc2
  SHA512: 1fa2c9867cd0519ec5f180290f54ed8fd8745ecc7d23d8188de63b9ba2e29108459af2c8b37ad597eca8624f830f9ff043e70733b1cb69684ffdad80dc26eac1

- Filesize: 1KB
  MD5: 4d01a3d5a9383523f01770bb15ec2caa
  SHA1: e1d96db06c2a9aa0cdc50eb288349081d6e499de
  SHA256: 88ef8ccbabb1260dc3f6dcb2cb44451a9b145781c9d847d25ddeb2518629816c
  SHA512: 63f3ce69a203281100e937144f8bc502320ab64d7b371914bd3d8d4e644f2a8416680720bd4063206089d708eb66cfd567d5acff6457ce8dc397096629daf049

- Filesize: 1KB
  MD5: 742a88caeda9a5dda145f9c7da674d10
  SHA1: 024a66bd44acf2b9229f1f863804e99375831841
  SHA256: 9125e8adc29d44ba8d6ac6542d004913036a6971c918f439c4af49a5475d56fe
  SHA512: 526dc7af939c6ce8b23d1d9041bffd2401d26dcc8f177419adf1dbc6f295612c4d0af452446c94af362ea7ba0acb8175b289cb8184900b63a96d81119471347a

- Filesize: 1KB
  MD5: e9c3bf40635be5b49827e0635ec2a239
  SHA1: b8f16bd01f81a46cc360fd5db5da35c1dd28f589
  SHA256: 8237fa0c6ce59348eb2cd7b51a26c31ffd9df105b50bf6499eb9e5d58586efd8
  SHA512: d26c221b5c923868f0255868d7b013e55a9bc333541c638a9d64e908080139fa00a31ffdb958891936535abbb70cf9df8ce95ed791745b030194be2fb0c4e568

- Filesize: 1KB
  MD5: fbf57821b229a26d18d2b703b6c43acf
  SHA1: 017eac78926ba129164511cab47b51cff6e2521d
  SHA256: 9e1ae31cd0beadbc4b65af690aca5842a6c3b0740df854e79a5086b19138be1b
  SHA512: 6f6004c43c2c4c4794d7e44975786ea6b7f67c243e74e1510d226e3390402df59ad9890725dd28ae123b745381eec64e5de29a6e29402588341856974344f3aa

- Filesize: 2KB
  MD5: 5df9cc7a167a8711770e63f29cc69d16
  SHA1: 312cc26407eada041f5310a62fd73b99fd03a240
  SHA256: ec8a7ee52bf19d91f02f739f67f186a17730ca0bedab940b0b5f75973375a6cf
  SHA512: bb7298e112011387cd7f65bd048fecdeb71104963586b423daf271bdfa4809b9b9f113680b9ce177f6139b63e19b805edd827d026cee9a219e442f00d50ad235

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 795b95d5ac064479bbb812c4911173a4
  SHA1: 354c0d06140d6d363e8408c01b96f81296de19e2
  SHA256: 140bc8da3f09e3f51faf27a2990b137cb50767cd30f6ca619db829b3134e864b
  SHA512: 6b34e93169d55f715837f6477cb5141397ff8ea45c0292cfed9f97ed0865e252e7d52355877948364a4c6c483a36a15015f7fca869eb743b476351a4370d7831