4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d.vbe
Size

11KB
MD5

f2ba7d3b3cdabd02dbcccb1174088b1d
SHA1

dbc02a29b2b042af0b988c698be5be7885e127c1
SHA256

4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d
SHA512

876f7a01b9abbaaf7dff88e16a362eafa5ba13b9031c1d6cfef195b426e89c4a287c26d717320886a225d7904aca3635bf3a6a8f2286a5d89bfadb0b330da154
SSDEEP

192:lwZ1ZSTlbLJya3RGALtUtNG7YkGEY9CNsRXX1SAkt0pdzea1iGDcgjK:6rITlbz3L5UtNGWEYCNsRXX1medzL1iZ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3008	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2584	powershell.exe
2584	powershell.exe
1796	powershell.exe
1796	powershell.exe
1072	powershell.exe
1072	powershell.exe
352	powershell.exe
352	powershell.exe
1508	powershell.exe
1508	powershell.exe
2092	powershell.exe
2092	powershell.exe
1604	powershell.exe
1604	powershell.exe
1916	powershell.exe
1916	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2808	2768	taskeng.exe	32
PID 2768 wrote to memory of 2808	2768	taskeng.exe	32
PID 2768 wrote to memory of 2808	2768	taskeng.exe	32
PID 2808 wrote to memory of 2584	2808	WScript.exe	34
PID 2808 wrote to memory of 2584	2808	WScript.exe	34
PID 2808 wrote to memory of 2584	2808	WScript.exe	34
PID 2584 wrote to memory of 2104	2584	powershell.exe	36
PID 2584 wrote to memory of 2104	2584	powershell.exe	36
PID 2584 wrote to memory of 2104	2584	powershell.exe	36
PID 2808 wrote to memory of 1796	2808	WScript.exe	37
PID 2808 wrote to memory of 1796	2808	WScript.exe	37
PID 2808 wrote to memory of 1796	2808	WScript.exe	37
PID 1796 wrote to memory of 1800	1796	powershell.exe	39
PID 1796 wrote to memory of 1800	1796	powershell.exe	39
PID 1796 wrote to memory of 1800	1796	powershell.exe	39
PID 2808 wrote to memory of 1072	2808	WScript.exe	40
PID 2808 wrote to memory of 1072	2808	WScript.exe	40
PID 2808 wrote to memory of 1072	2808	WScript.exe	40
PID 1072 wrote to memory of 2940	1072	powershell.exe	42
PID 1072 wrote to memory of 2940	1072	powershell.exe	42
PID 1072 wrote to memory of 2940	1072	powershell.exe	42
PID 2808 wrote to memory of 352	2808	WScript.exe	44
PID 2808 wrote to memory of 352	2808	WScript.exe	44
PID 2808 wrote to memory of 352	2808	WScript.exe	44
PID 352 wrote to memory of 324	352	powershell.exe	46
PID 352 wrote to memory of 324	352	powershell.exe	46
PID 352 wrote to memory of 324	352	powershell.exe	46
PID 2808 wrote to memory of 1508	2808	WScript.exe	47
PID 2808 wrote to memory of 1508	2808	WScript.exe	47
PID 2808 wrote to memory of 1508	2808	WScript.exe	47
PID 1508 wrote to memory of 1792	1508	powershell.exe	49
PID 1508 wrote to memory of 1792	1508	powershell.exe	49
PID 1508 wrote to memory of 1792	1508	powershell.exe	49
PID 2808 wrote to memory of 2092	2808	WScript.exe	50
PID 2808 wrote to memory of 2092	2808	WScript.exe	50
PID 2808 wrote to memory of 2092	2808	WScript.exe	50
PID 2092 wrote to memory of 1004	2092	powershell.exe	52
PID 2092 wrote to memory of 1004	2092	powershell.exe	52
PID 2092 wrote to memory of 1004	2092	powershell.exe	52
PID 2808 wrote to memory of 1604	2808	WScript.exe	53
PID 2808 wrote to memory of 1604	2808	WScript.exe	53
PID 2808 wrote to memory of 1604	2808	WScript.exe	53
PID 1604 wrote to memory of 2084	1604	powershell.exe	55
PID 1604 wrote to memory of 2084	1604	powershell.exe	55
PID 1604 wrote to memory of 2084	1604	powershell.exe	55
PID 2808 wrote to memory of 1916	2808	WScript.exe	56
PID 2808 wrote to memory of 1916	2808	WScript.exe	56
PID 2808 wrote to memory of 1916	2808	WScript.exe	56
PID 1916 wrote to memory of 2604	1916	powershell.exe	58
PID 1916 wrote to memory of 2604	1916	powershell.exe	58
PID 1916 wrote to memory of 2604	1916	powershell.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d89b6fc60ffaa84af321fb2120185994a22605d80d175d71c5780e753d3ec8d.vbe"
1⤵
- Blocklisted process makes network request
PID:3008

C:\Windows\system32\taskeng.exe
taskeng.exe {A9B33297-153E-4546-BC57-3480286B5EED} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2584" "1244"
      4⤵
      PID:2104
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1796" "1240"
      4⤵
      PID:1800
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1072" "1236"
      4⤵
      PID:2940
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:352
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "352" "1240"
      4⤵
      PID:324
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1508" "1244"
      4⤵
      PID:1792
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2092" "1236"
      4⤵
      PID:1004
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1604" "1248"
      4⤵
      PID:2084
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1916" "1244"
      4⤵
      PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259477904.txt

Filesize
1KB

MD5
114689186044152afceaed6f7b89ce77

SHA1
eb01058486cb4270817a183c88378432d87062c6

SHA256
f0a66a58adc157a092a6a3200a7609b2cfd64ad3eb74469fbc5350b6f54f3b59

SHA512
7b1f1124ed016de894e1401bc590159a00fcb34bf4e7114dc44a1ec72552b5b4d2d77a10502c302c711279b15ebf44aaa9ce06c92698995b4a51b66214a3a66c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259494853.txt

Filesize
1KB

MD5
5c119064322eb01e76fcab3548ea5c58

SHA1
cf7b9a9a00a82432cf492ee5b55cd0921d808d3b

SHA256
28fac5b32ec75546751fe6d8f47eb012d3ce6844c17d08fd5a65f456876a07b4

SHA512
e71299612d87235806003dfa153f848894c03879c93dd5c3c7d22e8a3ff1b87b15e5a20143890fea0e4e5806b6391f66a21030536f2580573f22ec9eb04b5d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259509133.txt

Filesize
1KB

MD5
b20b4895ca28ec2bc89ea6377f0114e5

SHA1
899fea23bdc2e4b905ab5457af46843fd3ec1234

SHA256
f795663078aef5a7993b66b6910e91e3836bcbf119cb5185974a7eb4f5f42cd1

SHA512
cf20159c8e1f332a5305413afc2a42e8b8debe22be777c86d1a534aff5192bcc71a5b5dc8254fe5186e93859194151d54a32bae9d75cdc0f1d52ccb317bb583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259525546.txt

Filesize
1KB

MD5
c6878491e476f62ed8a02cedd7eee9ee

SHA1
a8824f4f8e9ae7bbd57ca6799e43f39c0a21009e

SHA256
acc4fdef57de40c5e09ebd3e3e8f7e1c36dd6a5ca3936fff6775fadd4e8f98e7

SHA512
24bd210e5e224a49adfc055c6e7dd97bc16a7f5a39915c8f4a3c34db28d61826e4225f73c46eca430276a562d421f82f956114b9bfabc776e6fa4cce8270c8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259539020.txt

Filesize
1KB

MD5
d75ca6d007e15b2c53491ddc0b581732

SHA1
bbcf53102f50f78b86d191a8292092998fb3292b

SHA256
9222ba8bd5be272748db3d119ec8b2bc42e9630086c1dfca15c7c185b2944f83

SHA512
898282d4eb755b251ef0b2987cbec36a354e6e9a3802d0ad75240843f4f284a84f6819011f23a60a7ca5ff127b6b4aebd1c6e3794bf4208487a02f08e5d35e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259557608.txt

Filesize
1KB

MD5
a9dd59fa87626f943193b659792bb5b8

SHA1
a53cf3c7fb4c3907a1dea470f6c916013bfee9b7

SHA256
dcf0ce744efe297b9dca8c6f0ef49ae054d272435afd26a43636e384a8f061a0

SHA512
966b604abef05409a0deb7b9fee9b8812dcde3fc0b85ad2ef4e32375996ba8569dbb77ead31d23e5ac33c7842ed71e611a00fcc48e44eb73dbec99d5f5e34470

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259570251.txt

Filesize
1KB

MD5
96c4996d2941e194f36066fbf4bf8967

SHA1
7bba8151089032eca4246deb1e267fbde3341959

SHA256
c897dab00333a274ffdd71829005830133dc213d59347380288d900dc93fe847

SHA512
6cfdcd1f0478ce770b3d129af018ebf6d800d4cc973fc24f7caf1e94a383693ed33b35a5fe8b9f496cee48d8204407f871eb12e1889141e06e8417993acd1b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259584054.txt

Filesize
1KB

MD5
4cb5680c680c0ec47a9b32c28e98f584

SHA1
21b50e0fe3a48e3be43244defdf184591954e8e3

SHA256
460b183dfbb4faecd10c90c7d2b54ce316ce3d3ac24210af03648a042928fece

SHA512
1cbb6869d2938f98325c05d28e962f9430210cb596a3b01ea4276db5da54a8b0b45b04989a6d7da8bb19a733c80debcc61bff85b015895f0d59d2eb40680a962

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1c3410dd2dfa85d3669a81901a4caf51

SHA1
32e3f25218e240304e20f8b5ac84b5b8ef6132d5

SHA256
bcbab2dfccc6c420c777289869de5a016897e24bb1e24f4c9dda8e14c5f24ad3

SHA512
744e7839abb4ece944cfaaa21c9d1e427c70ae3aed0ace304125ab3e83311166fa17ad835a9e4981198416268b263a9c74b49fe18ad25dcbd90c8e9a8b7597e0

Download Submit
C:\Users\Admin\AppData\Roaming\nerIVJXTbrPkqwd.vbs

Filesize
2KB

MD5
4ab3e87d9d3e6cf50f9787e2085fa8c7

SHA1
5203b0409105410903b2ec612684e1c1d3c5d7c4

SHA256
4f42c1f4f7fb9a5813e1710b80f7841b71ee5fff65255dc20f1c8b3eba26574b

SHA512
c3999a17ac473ed314a06625bdbca4249198ba9b7e266fefe487d976021c2ca2aa7b58ffa6d89459bb4904713a1c71bcc82e3b70481a28638debc34ddee1c5fd

Download Submit
memory/1796-17-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1796-16-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2584-7-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2584-6-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2584-8-0x00000000027F0000-0x00000000027FA000-memory.dmp

Filesize
40KB

Download