4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d

Analysis

max time kernel
142s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref_0120_0122.vbe
Size

11KB
MD5

f2ba7d3b3cdabd02dbcccb1174088b1d
SHA1

dbc02a29b2b042af0b988c698be5be7885e127c1
SHA256

4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d
SHA512

876f7a01b9abbaaf7dff88e16a362eafa5ba13b9031c1d6cfef195b426e89c4a287c26d717320886a225d7904aca3635bf3a6a8f2286a5d89bfadb0b330da154
SSDEEP

192:lwZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1SAkt0pdzea1iGDcgjK:6rITlbz3L5UtNGWEYCNsRXX1medzL1iZ

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2272	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
900	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2876	powershell.exe
2876	powershell.exe
1452	powershell.exe
1452	powershell.exe
1716	powershell.exe
1716	powershell.exe
1488	powershell.exe
1488	powershell.exe
1700	powershell.exe
1168	powershell.exe
1700	powershell.exe
2116	powershell.exe
2116	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
900	WINWORD.EXE
900	WINWORD.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2728	2736	taskeng.exe	32
PID 2736 wrote to memory of 2728	2736	taskeng.exe	32
PID 2736 wrote to memory of 2728	2736	taskeng.exe	32
PID 2728 wrote to memory of 2876	2728	WScript.exe	34
PID 2728 wrote to memory of 2876	2728	WScript.exe	34
PID 2728 wrote to memory of 2876	2728	WScript.exe	34
PID 2876 wrote to memory of 1644	2876	powershell.exe	36
PID 2876 wrote to memory of 1644	2876	powershell.exe	36
PID 2876 wrote to memory of 1644	2876	powershell.exe	36
PID 2728 wrote to memory of 1452	2728	WScript.exe	37
PID 2728 wrote to memory of 1452	2728	WScript.exe	37
PID 2728 wrote to memory of 1452	2728	WScript.exe	37
PID 1452 wrote to memory of 2860	1452	powershell.exe	39
PID 1452 wrote to memory of 2860	1452	powershell.exe	39
PID 1452 wrote to memory of 2860	1452	powershell.exe	39
PID 2728 wrote to memory of 1716	2728	WScript.exe	40
PID 2728 wrote to memory of 1716	2728	WScript.exe	40
PID 2728 wrote to memory of 1716	2728	WScript.exe	40
PID 1716 wrote to memory of 2408	1716	powershell.exe	42
PID 1716 wrote to memory of 2408	1716	powershell.exe	42
PID 1716 wrote to memory of 2408	1716	powershell.exe	42
PID 2728 wrote to memory of 1488	2728	WScript.exe	43
PID 2728 wrote to memory of 1488	2728	WScript.exe	43
PID 2728 wrote to memory of 1488	2728	WScript.exe	43
PID 1488 wrote to memory of 1252	1488	powershell.exe	45
PID 1488 wrote to memory of 1252	1488	powershell.exe	45
PID 1488 wrote to memory of 1252	1488	powershell.exe	45
PID 2728 wrote to memory of 1700	2728	WScript.exe	46
PID 2728 wrote to memory of 1700	2728	WScript.exe	46
PID 2728 wrote to memory of 1700	2728	WScript.exe	46
PID 2728 wrote to memory of 1168	2728	WScript.exe	49
PID 2728 wrote to memory of 1168	2728	WScript.exe	49
PID 2728 wrote to memory of 1168	2728	WScript.exe	49
PID 1700 wrote to memory of 880	1700	powershell.exe	51
PID 1700 wrote to memory of 880	1700	powershell.exe	51
PID 1700 wrote to memory of 880	1700	powershell.exe	51
PID 1168 wrote to memory of 624	1168	powershell.exe	52
PID 1168 wrote to memory of 624	1168	powershell.exe	52
PID 1168 wrote to memory of 624	1168	powershell.exe	52
PID 2728 wrote to memory of 2116	2728	WScript.exe	53
PID 2728 wrote to memory of 2116	2728	WScript.exe	53
PID 2728 wrote to memory of 2116	2728	WScript.exe	53
PID 2116 wrote to memory of 2904	2116	powershell.exe	55
PID 2116 wrote to memory of 2904	2116	powershell.exe	55
PID 2116 wrote to memory of 2904	2116	powershell.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref_0120_0122.vbe"
1⤵
- Blocklisted process makes network request
PID:2272

C:\Windows\system32\taskeng.exe
taskeng.exe {0E57F134-C243-4A81-A007-D7D55A682DA2} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2876" "1248"
      4⤵
      PID:1644
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1452" "1236"
      4⤵
      PID:2860
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1716" "1244"
      4⤵
      PID:2408
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1488" "1236"
      4⤵
      PID:1252
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1700" "1252"
      4⤵
      PID:880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1168" "1140"
      4⤵
      PID:624
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2116" "1236"
      4⤵
      PID:2904

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SaveConfirm.docx"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259496485.txt

Filesize
1KB

MD5
cf462823609baeaca6d3e9fec82779e8

SHA1
bd9e29d829eea9574265535eb67bdb390e719398

SHA256
6fb68de5f3f4fbdd5fd656f39eeb15711d4ec1b4cbababc4de55ddcbb28881bc

SHA512
593ac7fc5c215d12a36f3ab726f855ae7baecabc48bd4b94a3e582b91a6e9349357068f6d377abfdb93bc51f89d0ea2ee084aff9ed85a9599079078cfaf72b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259508527.txt

Filesize
1KB

MD5
e5e6d577d8dc27467b417653c7d7bc70

SHA1
6852053be9edc072100edec242a1e3b2a34448c4

SHA256
2082b83572310e21bd80b589d7ed0cd9753946516b06f22c774cafc243f2efa7

SHA512
670d4025e64f10b7bba7e26128cee924b2181345225af246392db24e1be542bb0790b8bb9c002501cce510049021e4ff0f55f4324b3d0ca6e3760c744e45c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259523422.txt

Filesize
1KB

MD5
653492b3db9b8f27526d860a683b6180

SHA1
a95b3dda0d624978629628ca6c9ac01e48092881

SHA256
a235eef80dd93783c33ae6ddc8e8c60063a528302a4430597fff029298ca6e04

SHA512
063cc4ee4e088acc1f234f8c947b65000eda292175a4a36869b24c8bf663b5a828495d5a003fcb5dbc7505642860d83d6aa504db42ed7194d84248f09e7e6143

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259540066.txt

Filesize
1KB

MD5
770b4cf22cc9f24aa9d936307668f079

SHA1
33550fe4ed7a6fcd75f5c89329ba54407abe150d

SHA256
8b40f4dd9501ebf90832d269c7717469905ee0352b34120f02ac16075a2b02cc

SHA512
8225150b54008ef09f2f78fa011a9d0efada117d997e65ce258bc56c7bc6771a549f4868ad2022806dd5b130811237901bff7088a686aee307e2d9de1766755a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259570887.txt

Filesize
1KB

MD5
fd04476082df39da1d5a64c375e86eec

SHA1
191e722268c0503581d586a4db8b14bb4cfff008

SHA256
5fc82d9073d31318e0ac46be4fcddbd54505f452f3fe562bffeaf0bfadd6c1f9

SHA512
e2251ca2dbf2c2e7fa5e209e57b99662032ea27685b39f6e2e663bc53d0fd7aa4dd169c7b28b6e512d50fbc84ab065f16819417fe293494443859d981f39467c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259571427.txt

Filesize
1KB

MD5
2c3b126867a621156e5d31447bd5e72e

SHA1
043b18dfac9a4cde2c70428c46cc06b0401fddb8

SHA256
adea0fbc1015f4c09546914675c221f46c2450a2b3d2e81e510c38227f19a36a

SHA512
c8c1852b008497d05c4a490c18c3c4ebc804891fe4b1cfd7fc83978aa78bb8c4819ce9fe8f557e63e5c1f64fbf8fe92801a296549a2bffe0201aba61d5104634

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259587113.txt

Filesize
1KB

MD5
5e4656f7d381f3316bb50ad20ec885cb

SHA1
f7bbcdbfda6c7b29b0fb12864417e21250702690

SHA256
8303a5c08ba127c02b477486d2a74553a077e97004f201f50a7d01e51b1ee4c3

SHA512
79a5629ee0fa2cdcbf2a9149f89a5dbd2022381405b59dcf6f40822ac3a2ebce090bfedd89843523adc8be5b74b5a5cf32ab7463fb2c19488d0e3ac049940543

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
df5ebc4649ae4cc2d763823788de9e4d

SHA1
4c08076b9549383833d4b4851dfcf26f5c441f23

SHA256
6c8df6cb643a65619d16653c14710bf8743d00065c8b347e233c4fc053bfa86f

SHA512
6d645060b2ad98ab724e39d61e770277ec0b139c43f38bc222da71e880a1305f1a97fd4b3a8be3991f9feff581ea174d06f151c2d8a6c73d4dba6829c159e861

Download Submit
C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs

Filesize
2KB

MD5
4ab3e87d9d3e6cf50f9787e2085fa8c7

SHA1
5203b0409105410903b2ec612684e1c1d3c5d7c4

SHA256
4f42c1f4f7fb9a5813e1710b80f7841b71ee5fff65255dc20f1c8b3eba26574b

SHA512
c3999a17ac473ed314a06625bdbca4249198ba9b7e266fefe487d976021c2ca2aa7b58ffa6d89459bb4904713a1c71bcc82e3b70481a28638debc34ddee1c5fd

Download Submit
memory/900-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1452-16-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1452-17-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/1700-40-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2116-57-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2116-58-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2876-7-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2876-8-0x0000000002A60000-0x0000000002A6A000-memory.dmp

Filesize
40KB

Download
memory/2876-6-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download