4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d

Analysis

max time kernel
135s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref_0120_0122.vbe
Size

11KB
MD5

f2ba7d3b3cdabd02dbcccb1174088b1d
SHA1

dbc02a29b2b042af0b988c698be5be7885e127c1
SHA256

4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d
SHA512

876f7a01b9abbaaf7dff88e16a362eafa5ba13b9031c1d6cfef195b426e89c4a287c26d717320886a225d7904aca3635bf3a6a8f2286a5d89bfadb0b330da154
SSDEEP

192:lwZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1SAkt0pdzea1iGDcgjK:6rITlbz3L5UtNGWEYCNsRXX1medzL1iZ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2064	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2776	powershell.exe
2776	powershell.exe
1712	powershell.exe
1712	powershell.exe
1840	powershell.exe
1840	powershell.exe
2196	powershell.exe
2196	powershell.exe
1600	powershell.exe
1600	powershell.exe
2480	powershell.exe
2480	powershell.exe
1032	powershell.exe
1032	powershell.exe
2416	powershell.exe
2416	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2856	2756	taskeng.exe	32
PID 2756 wrote to memory of 2856	2756	taskeng.exe	32
PID 2756 wrote to memory of 2856	2756	taskeng.exe	32
PID 2856 wrote to memory of 2776	2856	WScript.exe	34
PID 2856 wrote to memory of 2776	2856	WScript.exe	34
PID 2856 wrote to memory of 2776	2856	WScript.exe	34
PID 2776 wrote to memory of 2664	2776	powershell.exe	36
PID 2776 wrote to memory of 2664	2776	powershell.exe	36
PID 2776 wrote to memory of 2664	2776	powershell.exe	36
PID 2856 wrote to memory of 1712	2856	WScript.exe	37
PID 2856 wrote to memory of 1712	2856	WScript.exe	37
PID 2856 wrote to memory of 1712	2856	WScript.exe	37
PID 1712 wrote to memory of 1612	1712	powershell.exe	39
PID 1712 wrote to memory of 1612	1712	powershell.exe	39
PID 1712 wrote to memory of 1612	1712	powershell.exe	39
PID 2856 wrote to memory of 1840	2856	WScript.exe	40
PID 2856 wrote to memory of 1840	2856	WScript.exe	40
PID 2856 wrote to memory of 1840	2856	WScript.exe	40
PID 1840 wrote to memory of 2912	1840	powershell.exe	42
PID 1840 wrote to memory of 2912	1840	powershell.exe	42
PID 1840 wrote to memory of 2912	1840	powershell.exe	42
PID 2856 wrote to memory of 2196	2856	WScript.exe	43
PID 2856 wrote to memory of 2196	2856	WScript.exe	43
PID 2856 wrote to memory of 2196	2856	WScript.exe	43
PID 2196 wrote to memory of 444	2196	powershell.exe	45
PID 2196 wrote to memory of 444	2196	powershell.exe	45
PID 2196 wrote to memory of 444	2196	powershell.exe	45
PID 2856 wrote to memory of 1600	2856	WScript.exe	46
PID 2856 wrote to memory of 1600	2856	WScript.exe	46
PID 2856 wrote to memory of 1600	2856	WScript.exe	46
PID 1600 wrote to memory of 1232	1600	powershell.exe	48
PID 1600 wrote to memory of 1232	1600	powershell.exe	48
PID 1600 wrote to memory of 1232	1600	powershell.exe	48
PID 2856 wrote to memory of 2480	2856	WScript.exe	49
PID 2856 wrote to memory of 2480	2856	WScript.exe	49
PID 2856 wrote to memory of 2480	2856	WScript.exe	49
PID 2480 wrote to memory of 2300	2480	powershell.exe	51
PID 2480 wrote to memory of 2300	2480	powershell.exe	51
PID 2480 wrote to memory of 2300	2480	powershell.exe	51
PID 2856 wrote to memory of 1032	2856	WScript.exe	52
PID 2856 wrote to memory of 1032	2856	WScript.exe	52
PID 2856 wrote to memory of 1032	2856	WScript.exe	52
PID 1032 wrote to memory of 2696	1032	powershell.exe	54
PID 1032 wrote to memory of 2696	1032	powershell.exe	54
PID 1032 wrote to memory of 2696	1032	powershell.exe	54
PID 2856 wrote to memory of 2416	2856	WScript.exe	55
PID 2856 wrote to memory of 2416	2856	WScript.exe	55
PID 2856 wrote to memory of 2416	2856	WScript.exe	55
PID 2416 wrote to memory of 2984	2416	powershell.exe	57
PID 2416 wrote to memory of 2984	2416	powershell.exe	57
PID 2416 wrote to memory of 2984	2416	powershell.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref_0120_0122.vbe"
1⤵
- Blocklisted process makes network request
PID:2064

C:\Windows\system32\taskeng.exe
taskeng.exe {66B4F3CF-BF1C-45DE-9226-23B341AC5C45} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2776" "1240"
      4⤵
      PID:2664
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1712" "1232"
      4⤵
      PID:1612
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1840" "1236"
      4⤵
      PID:2912
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2196" "1252"
      4⤵
      PID:444
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1600" "1240"
      4⤵
      PID:1232
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2480" "1244"
      4⤵
      PID:2300
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1032" "1240"
      4⤵
      PID:2696
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2416" "1248"
      4⤵
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259473007.txt

Filesize
1KB

MD5
5f221faaf0fb8c7f67684e9aca423636

SHA1
a65a4ae3e90171e8cca23a31944770a0dbd2ed2e

SHA256
82670c0dd9c07104905076d1d60c3fb4265bc7a38e2e45d1a71c0c686bfd1d37

SHA512
5af3c6a42e1730cfed447f851d83e361d8c428fadf65c8edd4d878764e1c2e022f21a1552fa0ba4865f01fda4aed8d0feb2f8984a627815d3327a4826e23af2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259483908.txt

Filesize
1KB

MD5
ad15b48de0f266e1b7199440101ba401

SHA1
a08073d054c51071fa4965f66a08f7e84389f58b

SHA256
f6bdae0ccce0dab1458fc17fe03673faf078b5e260c57bf05790fc9736183766

SHA512
c96c36ad4ca1529863023196f3b9b0eed94a8dafa0748efceb89d13659cad99c759d8311e9f5240cdaf18a37dde4cd34d497dc2f37487a863000ee207c145853

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259501457.txt

Filesize
1KB

MD5
6f134d5adf98cb28d7eb68210090a1b2

SHA1
257e5f5d763243e27a0a0e5ee157684b9554011f

SHA256
75bd374cc96153d19982cc79ca80576ddecb1acc3513854fcd5cfec74a69f7ed

SHA512
0b2945469fb4e04cc39c696bf71ab6025e99378f50e524613a19f1805fbe992087242f11ace9525dc47c8613d7a41903d03b5307265d1f88f741ef20fe93342b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259517947.txt

Filesize
1KB

MD5
566a8ba9303ef8e804db76832da68809

SHA1
39349a3f2ee83c39753b2ee8f5e9fb0571f9118a

SHA256
67cd0f1b5056e9dc2fa6e6052c03d212c46cf802fd7a2ced04d77e267976a944

SHA512
4f87ac096baec7a655935fce17a4df1ff3a82db35b7829ab2c4b83645cf2dcff6208e210ad0676ea50cce7b24ba44cd523495e0fb74bd679caeb4b0ded0e4e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259532647.txt

Filesize
1KB

MD5
657a04871edc0f79c0ba86fd2ce53ce3

SHA1
58f8a975729e9775144569ca78c178a1a9a7d718

SHA256
cd392090b255e94d6f8c24b2979a32ea79d5cf432ead4ba7b974e6b34fbe3711

SHA512
c2adb4fe6bcb57684cdce22d613dd7a785778bbe788304393197d3261eab7a4767606dd235ccfdcb3ceb2dd20633d90809de7a69eb7559c6e878d31cb99f5041

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259543654.txt

Filesize
1KB

MD5
b27915ae71dfc1eb67fd0c4debe6f237

SHA1
3c76aff54e399e960679d473eb93b98522bf3eee

SHA256
3d46e06d31ff74c0a3d5fde7d9d5237d7558e2fd2cae918a935969411acb29c5

SHA512
ddb5e724d8a46d0680de8a3d1241b9f170acbb5893a16dec798655e710ab7c781491c90838d07e19f92a2079c367545340a12163b8c8b27131ca8a775282c33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259560326.txt

Filesize
1KB

MD5
d61108253cd1736cf049df8603932c75

SHA1
5a7df8a3d8343fe319227a9b685502c5030c4174

SHA256
9848f3cd9c9c246b4a2b506adde280100f435a64efbad42d3145477de1b77cd5

SHA512
156b5c93026107ffd3fd20169a7274dc2276f084e5ec89806b819c268c0533398510e3f216b11ebdc742a55b7b56dd2f9bd630920ad3f4d9567cd6d31c3ded7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259578718.txt

Filesize
1KB

MD5
a68add208b2181a2858046c0ad3d13dc

SHA1
9497e89b25f96244455d035512ae52751034d15a

SHA256
df974a5fdaedfd808d9856443efb105e8e05ac23eac1b776a0b3e9e786db3f06

SHA512
dc0a31467e6ac7dd2b3d676a5dabd6800c9d3188e6b55581d04e5adc3112b1e746e4bbd26aaee87fb3a1cdfd028031bc4fa59e4b1616f3726b28b4760a4ca659

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9b3ae55dbb28826bc2845c614786826b

SHA1
928034e273757d42ce6dfd04151d522e3d23ce4b

SHA256
ecc8d5e20f0bfae1916438775ad1623ffa8a9faf69657f9b9964a4222f5b3dc3

SHA512
e393ff9c907b4c3e506687d808bae856885bf8ff10b5fded2c1db54e21eb0afc791f29e416abac7f576d9d5e43eda57ec58c6fb8f77f5d8af3293a07667496b9

Download Submit
C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs

Filesize
2KB

MD5
4ab3e87d9d3e6cf50f9787e2085fa8c7

SHA1
5203b0409105410903b2ec612684e1c1d3c5d7c4

SHA256
4f42c1f4f7fb9a5813e1710b80f7841b71ee5fff65255dc20f1c8b3eba26574b

SHA512
c3999a17ac473ed314a06625bdbca4249198ba9b7e266fefe487d976021c2ca2aa7b58ffa6d89459bb4904713a1c71bcc82e3b70481a28638debc34ddee1c5fd

Download Submit
memory/1712-17-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/1712-16-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2776-7-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/2776-6-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2776-8-0x0000000002AE0000-0x0000000002AEA000-memory.dmp

Filesize
40KB

Download