4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d

Analysis

max time kernel
138s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref01200122.vbe
Size

11KB
MD5

f2ba7d3b3cdabd02dbcccb1174088b1d
SHA1

dbc02a29b2b042af0b988c698be5be7885e127c1
SHA256

4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d
SHA512

876f7a01b9abbaaf7dff88e16a362eafa5ba13b9031c1d6cfef195b426e89c4a287c26d717320886a225d7904aca3635bf3a6a8f2286a5d89bfadb0b330da154
SSDEEP

192:lwZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1SAkt0pdzea1iGDcgjK:6rITlbz3L5UtNGWEYCNsRXX1medzL1iZ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1768	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2992	powershell.exe
2992	powershell.exe
1376	powershell.exe
1376	powershell.exe
1872	powershell.exe
1872	powershell.exe
1216	powershell.exe
1216	powershell.exe
1064	powershell.exe
1064	powershell.exe
2112	powershell.exe
2112	powershell.exe
2284	powershell.exe
2284	powershell.exe
1768	powershell.exe
1768	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2916	2724	taskeng.exe	31
PID 2724 wrote to memory of 2916	2724	taskeng.exe	31
PID 2724 wrote to memory of 2916	2724	taskeng.exe	31
PID 2916 wrote to memory of 2992	2916	WScript.exe	33
PID 2916 wrote to memory of 2992	2916	WScript.exe	33
PID 2916 wrote to memory of 2992	2916	WScript.exe	33
PID 2992 wrote to memory of 2816	2992	powershell.exe	35
PID 2992 wrote to memory of 2816	2992	powershell.exe	35
PID 2992 wrote to memory of 2816	2992	powershell.exe	35
PID 2916 wrote to memory of 1376	2916	WScript.exe	36
PID 2916 wrote to memory of 1376	2916	WScript.exe	36
PID 2916 wrote to memory of 1376	2916	WScript.exe	36
PID 1376 wrote to memory of 2272	1376	powershell.exe	38
PID 1376 wrote to memory of 2272	1376	powershell.exe	38
PID 1376 wrote to memory of 2272	1376	powershell.exe	38
PID 2916 wrote to memory of 1872	2916	WScript.exe	39
PID 2916 wrote to memory of 1872	2916	WScript.exe	39
PID 2916 wrote to memory of 1872	2916	WScript.exe	39
PID 1872 wrote to memory of 1276	1872	powershell.exe	41
PID 1872 wrote to memory of 1276	1872	powershell.exe	41
PID 1872 wrote to memory of 1276	1872	powershell.exe	41
PID 2916 wrote to memory of 1216	2916	WScript.exe	42
PID 2916 wrote to memory of 1216	2916	WScript.exe	42
PID 2916 wrote to memory of 1216	2916	WScript.exe	42
PID 1216 wrote to memory of 2260	1216	powershell.exe	44
PID 1216 wrote to memory of 2260	1216	powershell.exe	44
PID 1216 wrote to memory of 2260	1216	powershell.exe	44
PID 2916 wrote to memory of 1064	2916	WScript.exe	45
PID 2916 wrote to memory of 1064	2916	WScript.exe	45
PID 2916 wrote to memory of 1064	2916	WScript.exe	45
PID 1064 wrote to memory of 1692	1064	powershell.exe	47
PID 1064 wrote to memory of 1692	1064	powershell.exe	47
PID 1064 wrote to memory of 1692	1064	powershell.exe	47
PID 2916 wrote to memory of 2112	2916	WScript.exe	48
PID 2916 wrote to memory of 2112	2916	WScript.exe	48
PID 2916 wrote to memory of 2112	2916	WScript.exe	48
PID 2112 wrote to memory of 2336	2112	powershell.exe	50
PID 2112 wrote to memory of 2336	2112	powershell.exe	50
PID 2112 wrote to memory of 2336	2112	powershell.exe	50
PID 2916 wrote to memory of 2284	2916	WScript.exe	51
PID 2916 wrote to memory of 2284	2916	WScript.exe	51
PID 2916 wrote to memory of 2284	2916	WScript.exe	51
PID 2284 wrote to memory of 1952	2284	powershell.exe	53
PID 2284 wrote to memory of 1952	2284	powershell.exe	53
PID 2284 wrote to memory of 1952	2284	powershell.exe	53
PID 2916 wrote to memory of 1768	2916	WScript.exe	54
PID 2916 wrote to memory of 1768	2916	WScript.exe	54
PID 2916 wrote to memory of 1768	2916	WScript.exe	54
PID 1768 wrote to memory of 2984	1768	powershell.exe	56
PID 1768 wrote to memory of 2984	1768	powershell.exe	56
PID 1768 wrote to memory of 2984	1768	powershell.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref01200122.vbe"
1⤵
- Blocklisted process makes network request
PID:1768

C:\Windows\system32\taskeng.exe
taskeng.exe {9EC9106D-3B25-46A3-9291-DB6DED08B83D} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2992" "1244"
      4⤵
      PID:2816
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1376" "1240"
      4⤵
      PID:2272
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1872" "1248"
      4⤵
      PID:1276
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1216" "1236"
      4⤵
      PID:2260
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1064" "1240"
      4⤵
      PID:1692
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2112" "1248"
      4⤵
      PID:2336
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2284" "1248"
      4⤵
      PID:1952
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1768" "1240"
      4⤵
      PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259538150.txt

Filesize
1KB

MD5
09ff1df482f62aa27d081467b7341f31

SHA1
7a35668fea036e146c916e2e44e3847a9426a2cc

SHA256
f347420e8fff38ece0dc33e3c3fd40c84c798866f3dbe42d5ca4a860961d85ae

SHA512
4d6619744946b304e30fed7f59c6c1761cb04b1f617c01e9aafc7d4a14558f1018a05f1f910f54c56e122d5f47f57858538b5e20f9d6f6218673b22cce1e7d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259553265.txt

Filesize
1KB

MD5
bbc20e895e2ea9815b5bf88dfd0f4505

SHA1
12e449c8f8e6c85920b66cc6e29379633c2e9229

SHA256
c33c9bbf615df389053405464f50e22f1b24b46af238ba286c0798e6490cfff5

SHA512
91d8c1ca3eeca1557c6445bb0d7c0fdcd63d27e1383f5c14e2445862db35d6f5b279b2ba3974b699d0af14d5d481e58967f65a1a6e711535a8db1bf4ec895515

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259566514.txt

Filesize
1KB

MD5
3d25e31efe21df11774612ad1354b091

SHA1
73b1cb8b57544046b2057f06aa8c1c2d0f6d8aaf

SHA256
89555cb3c99df49553e7c4ec413e1906bd230f0995cc0b7d497746cdabb7e3f0

SHA512
17ab25411115e708cefc03996c80c88036f202ea337435a72aca24d4b190a9025d4b4fccc125cb95b9cc4691df47cbcac0da21b6252f75784fc959736a989a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259580719.txt

Filesize
1KB

MD5
7e44cc26dc61070db6be82efded87a21

SHA1
922eec28491af3d104f5861b72da428df4e55253

SHA256
5e2cdccbf86b8ff63f1f960405fbfc02d832ef8a63e610e26595306be941a532

SHA512
677892e6fdb32ba8de444cf4fdad91e3626636009f9eb6df7abeeedf0dc786e26d9f73741ec810ac855704abc8f18c31fd7bb95cd22b2263e07245be0eac1f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259597910.txt

Filesize
1KB

MD5
19f01edf211a4565fb59776e0c46561b

SHA1
7ca1338a348da81585748ae3a5ee59f56a60db5f

SHA256
c487034be163821f633130ddf0b7af863a0818977ef32dafa1da4ff462963d13

SHA512
7a14c8feaa85bf310272c02d7a8cd634f147724ec89e9cd68d9a63e370880cc1e2f98e17d8f992a291cb62f1db674d27da539c807f8aa3ba9aa669b6585fd2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259610134.txt

Filesize
1KB

MD5
1ca7a67414a1fb3a24b825176141f844

SHA1
2790ee2e57857699315bb3d3760d2637bbbc0ba8

SHA256
3e2ab96cc6fd81aef58ef9b4c6c3a7a30fb591333d557f7378d90a1a97834a89

SHA512
5bc5a6053b11cecc4f0a00db3b55fe14d3e42d011b58595e70d1a4aa8b9eb38d3b2bd07167d29575e06f6f76b0e6bd240375c3f917cc4e3a6379d3a3bafa3bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259625051.txt

Filesize
1KB

MD5
f0f85ab662eb158dfb5d93e208d5c510

SHA1
abf26496d4c57a0f3efe8f77ab9adc1dcec19e17

SHA256
425cc3b5306c6570bca801ff8ec93f317d8cb93eb29064bd6f1ffd5abe9804f3

SHA512
16dafc4a36dcd4f1b97f474843a291c4cb64d31f564a48c23607bb9a06430269d3489e786f8f7806761ece7206141dfdc6ecf78fd89f8e0f4f38fec4d219868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259642634.txt

Filesize
1KB

MD5
b011a5ccca4e51edc576b73268261fdd

SHA1
4f9061ca4f8bbd9e4cc7eb5a3e64c2604fc35ec8

SHA256
db882681fdd705db25674b83a1e4b0fc29b264a195fdcdcafcc4a43877d455bc

SHA512
ad743252c21377d2e96c2a83f3d552ddf6127366891be21f050b824a742c9107a9b249e3cf7ef2d3c5d42880be6439b196958aa6ebc62c878a970bdeec892d67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
708293983584450051bc14ce03d4ebe1

SHA1
8b151be40a3ce8cd9f1ba24dcb2e3c777aad00ab

SHA256
ecbd95e276a7df2e61c90f8e11b45b302deb6a3e750ffc3210ed5fbe406dfab4

SHA512
bba1815cb14f9d3a2d9660ee09ae619ca1bd07cb18037ece1b5e59b36b563522ae9ae7ce7828826e25169c61c94aa2b1d760d26636fe0c77c4a3783e975a325c

Download Submit
C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs

Filesize
2KB

MD5
4ab3e87d9d3e6cf50f9787e2085fa8c7

SHA1
5203b0409105410903b2ec612684e1c1d3c5d7c4

SHA256
4f42c1f4f7fb9a5813e1710b80f7841b71ee5fff65255dc20f1c8b3eba26574b

SHA512
c3999a17ac473ed314a06625bdbca4249198ba9b7e266fefe487d976021c2ca2aa7b58ffa6d89459bb4904713a1c71bcc82e3b70481a28638debc34ddee1c5fd

Download Submit
memory/1376-16-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1376-17-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2992-8-0x00000000028F0000-0x00000000028FA000-memory.dmp

Filesize
40KB

Download
memory/2992-7-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2992-6-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download