Analysis

  • max time kernel
    147s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-09-2024 07:36

General

  • Target

    DOC- 1000290099433.vbe

  • Size

    11KB

  • MD5

    1ba91d56988897f8677cc18f54ac7e13

  • SHA1

    1a51f7b8534c912b18053ac2371907f095128a93

  • SHA256

    7576b26f5b40500a27c4279db479d482fb453e2dbc24d6b8754a07720c19055f

  • SHA512

    192c23958cd6e863ed205e4bbcddfa2915f197e9f9ca8e1cd66d4b7bcb834794c0012456789aef826622ab63cd589336b187c48f422ffca0b0a1094b59967f2f

  • SSDEEP

    192:l7TZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1ZAkt0pdzea1iydDcgLK:trITlbz3L5UtNGWEYCNsRXX1tedzL1iJ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOC- 1000290099433.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:2956
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F785341E-A270-43D8-8942-7F812D552E26} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2788" "1244"
          4⤵
          PID:1200
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2544" "1240"
          4⤵
          PID:652
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1984" "1248"
          4⤵
          PID:2000
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2356
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2356" "1240"
          4⤵
          PID:1980
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2884
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2884" "1248"
          4⤵
          PID:2412
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2392" "1240"
          4⤵
          PID:2888
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1604
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1604" "1244"
          4⤵
          PID:268
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "968" "1240"
          4⤵
          PID:2456

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259492288.txt
    Filesize: 1KB
    MD5: 63f2174f1f11cefebc47000c4fce10fc
    SHA1: 7ef4bea9cfef63dbb31e7ba65cb255ac7a20feb5
    SHA256: 9bd033a786b48003202f941d0b1c4d870e2c9b84af2f038391d28346f7f0c8d3
    SHA512: 26ee668da6eb378940f1defbb2ad4ea53f08645d68784c1f06e5be37d84fd622c22e880674c014e69dd8ea27e760faecae9ea5ffffa12a255a4b50a117afa1e0
  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259503172.txt
    Filesize: 1KB
    MD5: a6e9aadef6ef21986a2873507ef90f03
    SHA1: 353d0774c0ddec8c6e07c7b3dd28974843b2c1c8
    SHA256: 84afa2bd67c3f2d26d0a2674fb4f27d27514a639932c981c10102ca91ad434df
    SHA512: 90d4da6fd409fc0d5ff7379e3b12afac4fa82aa98ddb70056fe4c74be3ff2b719da2001a3d640d9d2140c1ea7938736d8a5f60dbd439b279e9b9d84f7e958ea5
  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259522401.txt
    Filesize: 1KB
    MD5: be9241fe20df6c901d182f861ef8d5df
    SHA1: 974032ad10c81ee0d6969e2658063b4dc1a28d94
    SHA256: ed3c39348547b19b884bb7be380f5a4805797210596d46ad708a9f945a8822a1
    SHA512: 0bb5083eb2dd25e1868cd042048a362b7518e24c3d546c59679c09a8621d269560b1ec085a4436ddfbc82b612092f6311127548b8db88875100554084d561566
  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259538239.txt
    Filesize: 1KB
    MD5: 26f51b4b94836c79d047d71501711ec8
    SHA1: dbb7ac5ad8b9d03f1d8e6156f5daab9d5275210e
    SHA256: 6281973f5ad441b00ea41eef6c082357534b434f6006e061b2c09b3723324cc2
    SHA512: 1fa2c9867cd0519ec5f180290f54ed8fd8745ecc7d23d8188de63b9ba2e29108459af2c8b37ad597eca8624f830f9ff043e70733b1cb69684ffdad80dc26eac1
  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259548163.txt
    Filesize: 1KB
    MD5: 4d01a3d5a9383523f01770bb15ec2caa
    SHA1: e1d96db06c2a9aa0cdc50eb288349081d6e499de
    SHA256: 88ef8ccbabb1260dc3f6dcb2cb44451a9b145781c9d847d25ddeb2518629816c
    SHA512: 63f3ce69a203281100e937144f8bc502320ab64d7b371914bd3d8d4e644f2a8416680720bd4063206089d708eb66cfd567d5acff6457ce8dc397096629daf049
  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259564299.txt
    Filesize: 1KB
    MD5: 742a88caeda9a5dda145f9c7da674d10
    SHA1: 024a66bd44acf2b9229f1f863804e99375831841
    SHA256: 9125e8adc29d44ba8d6ac6542d004913036a6971c918f439c4af49a5475d56fe
    SHA512: 526dc7af939c6ce8b23d1d9041bffd2401d26dcc8f177419adf1dbc6f295612c4d0af452446c94af362ea7ba0acb8175b289cb8184900b63a96d81119471347a
  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259580731.txt
    Filesize: 1KB
    MD5: e9c3bf40635be5b49827e0635ec2a239
    SHA1: b8f16bd01f81a46cc360fd5db5da35c1dd28f589
    SHA256: 8237fa0c6ce59348eb2cd7b51a26c31ffd9df105b50bf6499eb9e5d58586efd8
    SHA512: d26c221b5c923868f0255868d7b013e55a9bc333541c638a9d64e908080139fa00a31ffdb958891936535abbb70cf9df8ce95ed791745b030194be2fb0c4e568
  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259597089.txt
    Filesize: 1KB
    MD5: fbf57821b229a26d18d2b703b6c43acf
    SHA1: 017eac78926ba129164511cab47b51cff6e2521d
    SHA256: 9e1ae31cd0beadbc4b65af690aca5842a6c3b0740df854e79a5086b19138be1b
    SHA512: 6f6004c43c2c4c4794d7e44975786ea6b7f67c243e74e1510d226e3390402df59ad9890725dd28ae123b745381eec64e5de29a6e29402588341856974344f3aa
  • C:\Users\Admin\AppData\Roaming\CeKsDwHNOyLUtGz.vbs
    Filesize: 2KB
    MD5: 5df9cc7a167a8711770e63f29cc69d16
    SHA1: 312cc26407eada041f5310a62fd73b99fd03a240
    SHA256: ec8a7ee52bf19d91f02f739f67f186a17730ca0bedab940b0b5f75973375a6cf
    SHA512: bb7298e112011387cd7f65bd048fecdeb71104963586b423daf271bdfa4809b9b9f113680b9ce177f6139b63e19b805edd827d026cee9a219e442f00d50ad235
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 795b95d5ac064479bbb812c4911173a4
    SHA1: 354c0d06140d6d363e8408c01b96f81296de19e2
    SHA256: 140bc8da3f09e3f51faf27a2990b137cb50767cd30f6ca619db829b3134e864b
    SHA512: 6b34e93169d55f715837f6477cb5141397ff8ea45c0292cfed9f97ed0865e252e7d52355877948364a4c6c483a36a15015f7fca869eb743b476351a4370d7831
  • memory/2544-16-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
    Filesize: 2.9MB
  • memory/2544-17-0x0000000002240000-0x0000000002248000-memory.dmp
    Filesize: 32KB
  • memory/2788-7-0x0000000002340000-0x0000000002348000-memory.dmp
    Filesize: 32KB
  • memory/2788-6-0x000000001B690000-0x000000001B972000-memory.dmp
    Filesize: 2.9MB
  • memory/2788-8-0x0000000002B00000-0x0000000002B0A000-memory.dmp
    Filesize: 40KB