eaae036429966edb9d7efcc60e7d8af4ecb0e60b668083125c64aed949753948

Resubmissions

29-10-2024 18:10

241029-wscc9axhkn 10

09-10-2024 10:24

241009-mfdacatdqb 10

Analysis

max time kernel
150s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Letter Of Intent.vbe
Size

11KB
MD5

59958a367c15cc55b0b42db533eb99a8
SHA1

06d169da811d8d0abce9280ff7fd748f125e1aff
SHA256

5a793830dc868d92331342fbca7bb5338b6014944a972960c97f7d9d3f3c66ae
SHA512

bc7fbbb16f83492876f298f98160b264150ee995871f0e2d59c5c49d703bf2f21721ca1d49d293264be798ef0da2b5ebb4f423be5ddc788d34f1369db03e546e
SSDEEP

192:kn3g3XXH2AYKtbXq1qFqpSJ7sWfqH2hmqaOdC8NhuOzWNpK:uw3XXH2aA1qFkiQWfq2mqLdCpxw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3020	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2752	powershell.exe
2752	powershell.exe
2616	powershell.exe
2616	powershell.exe
1032	powershell.exe
1032	powershell.exe
3068	powershell.exe
3068	powershell.exe
1084	powershell.exe
1084	powershell.exe
3000	powershell.exe
3000	powershell.exe
1716	powershell.exe
1716	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2788	2644	taskeng.exe	31
PID 2644 wrote to memory of 2788	2644	taskeng.exe	31
PID 2644 wrote to memory of 2788	2644	taskeng.exe	31
PID 2788 wrote to memory of 2752	2788	WScript.exe	33
PID 2788 wrote to memory of 2752	2788	WScript.exe	33
PID 2788 wrote to memory of 2752	2788	WScript.exe	33
PID 2752 wrote to memory of 2424	2752	powershell.exe	35
PID 2752 wrote to memory of 2424	2752	powershell.exe	35
PID 2752 wrote to memory of 2424	2752	powershell.exe	35
PID 2788 wrote to memory of 2616	2788	WScript.exe	36
PID 2788 wrote to memory of 2616	2788	WScript.exe	36
PID 2788 wrote to memory of 2616	2788	WScript.exe	36
PID 2616 wrote to memory of 2352	2616	powershell.exe	38
PID 2616 wrote to memory of 2352	2616	powershell.exe	38
PID 2616 wrote to memory of 2352	2616	powershell.exe	38
PID 2788 wrote to memory of 1032	2788	WScript.exe	39
PID 2788 wrote to memory of 1032	2788	WScript.exe	39
PID 2788 wrote to memory of 1032	2788	WScript.exe	39
PID 1032 wrote to memory of 2192	1032	powershell.exe	41
PID 1032 wrote to memory of 2192	1032	powershell.exe	41
PID 1032 wrote to memory of 2192	1032	powershell.exe	41
PID 2788 wrote to memory of 3068	2788	WScript.exe	42
PID 2788 wrote to memory of 3068	2788	WScript.exe	42
PID 2788 wrote to memory of 3068	2788	WScript.exe	42
PID 3068 wrote to memory of 832	3068	powershell.exe	44
PID 3068 wrote to memory of 832	3068	powershell.exe	44
PID 3068 wrote to memory of 832	3068	powershell.exe	44
PID 2788 wrote to memory of 1084	2788	WScript.exe	45
PID 2788 wrote to memory of 1084	2788	WScript.exe	45
PID 2788 wrote to memory of 1084	2788	WScript.exe	45
PID 1084 wrote to memory of 1728	1084	powershell.exe	47
PID 1084 wrote to memory of 1728	1084	powershell.exe	47
PID 1084 wrote to memory of 1728	1084	powershell.exe	47
PID 2788 wrote to memory of 3000	2788	WScript.exe	48
PID 2788 wrote to memory of 3000	2788	WScript.exe	48
PID 2788 wrote to memory of 3000	2788	WScript.exe	48
PID 3000 wrote to memory of 2264	3000	powershell.exe	50
PID 3000 wrote to memory of 2264	3000	powershell.exe	50
PID 3000 wrote to memory of 2264	3000	powershell.exe	50
PID 2788 wrote to memory of 1716	2788	WScript.exe	51
PID 2788 wrote to memory of 1716	2788	WScript.exe	51
PID 2788 wrote to memory of 1716	2788	WScript.exe	51
PID 1716 wrote to memory of 2320	1716	powershell.exe	53
PID 1716 wrote to memory of 2320	1716	powershell.exe	53
PID 1716 wrote to memory of 2320	1716	powershell.exe	53
PID 2788 wrote to memory of 2976	2788	WScript.exe	54
PID 2788 wrote to memory of 2976	2788	WScript.exe	54
PID 2788 wrote to memory of 2976	2788	WScript.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Letter Of Intent.vbe"
1⤵
- Blocklisted process makes network request
PID:3020

C:\Windows\system32\taskeng.exe
taskeng.exe {314A0D09-0712-4239-940B-BE91E75C0FDE} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\raeljTgEWGjaGRB.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2752" "1260"
      4⤵
      PID:2424
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2616" "1256"
      4⤵
      PID:2352
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1032" "1248"
      4⤵
      PID:2192
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3068" "1248"
      4⤵
      PID:832
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1084" "1256"
      4⤵
      PID:1728
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3000" "1248"
      4⤵
      PID:2264
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1716" "1248"
      4⤵
      PID:2320
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259541527.txt

Filesize
1KB

MD5
01de8ddeb7a6973ba6730bbeee1a435a

SHA1
936389ce277484cdef1e176a952ff37f11c673d7

SHA256
0f495dbb67fcca195bd3e6e2c40d4e0ae6924fd42607baa0cfb02a3131000b0d

SHA512
8d7d656e3a114819b1c05346c9bf82e7e17e88e2eb312aadf417cdc768c8c901ca7a1221c409f1566a884b31b13b480cb591ad11f309937ce7baa7365fb2752c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259551317.txt

Filesize
1KB

MD5
90e2ed523511804f85bd00d2edaca159

SHA1
892bed024de1615c8bfd8909d486525443f8dded

SHA256
d89baf2be18369dd5521ecd95c44e56f48a76f7b5d5bf93beabfc5594ebe76d8

SHA512
28151d6af13a3017326d61ce43164da38def2e53c1d0cfcea8a8acbff7d6148599d000332a9929f9f5363642ad9c87119d8ee3f89976ae38750cda5e85a37c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259569301.txt

Filesize
1KB

MD5
0ee4cb8fdbc22388df6d5effe3d60835

SHA1
1d31a07165fc2be11a0aaf352fd284f96e9872ae

SHA256
0cff1d40bf9dc3a8d08d5097848ccc303d9414f91d744432eaba7d3f22f4a85b

SHA512
93f9d90d5ea3595c8f6b1e48b67e56d1afc69756f2532337e9e89dfdd62fe3e1401bcf46829b76f9c5b132dfcc4a22ce9a0bcfd960de1db6163ffa01f4d146ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259581418.txt

Filesize
1KB

MD5
47b9ab5fa30f31e5765f8981d1d860ea

SHA1
0649c869aaa1516f009ef37a31332f231710c630

SHA256
0d5922c272629706d93334c1738b19dbd5f403a9ff6c5e66db927b43cedace48

SHA512
46697dff4bc81353bccbd3a9d81c46ad8c3d1fa08adeb5a6f266a4c2d8e162420dd63a024833b131ef3a87a01f83de9244c8f118ad3a81045231990be5d27bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259599514.txt

Filesize
1KB

MD5
0b4d9327ce2f0c98d64c7753afa25b49

SHA1
41d0195f7b3d9d8410b2134ca2f3b77393c28beb

SHA256
97767fad654bff7e34181887c7a4e1db329e2efd03892b09d9949cfd0ba94d24

SHA512
2d3c66e8d343b30832d80e9d6d4c53894ef0b48f26e44be260970ac37baa977d8c9fe34b4f64459eefa73e51abb08647c69e78f48ba394fc99d10d33ce0cfa32

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259615892.txt

Filesize
1KB

MD5
46232eb00af2fa860381ecc632439ae6

SHA1
406fa1fb2a97d73edfa88e568ab885a0071d43f9

SHA256
f39437ab4315f0bbb0520179b56195a2be318f234dc041f189450219db7e6a76

SHA512
abd22d5e73bf161e87f460e071696aacf125ed0011912871945eee3f327a754defc37ab4ecf89d84bee5e0ba755988747f9ad65f307113b57636a6669db31a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259629806.txt

Filesize
1KB

MD5
bf36086960d66b1646802de8a2077b33

SHA1
05656645d939da814079bb39222824bcb9e37b35

SHA256
07bbfdb8552af222da30626ea2638fd97fb60b303a3777866b68e610a3138938

SHA512
c8240e9f5fb182e92e66ebedcef10abf4a7387d9915c027c7840f7363b617ebe84f5289f0c992273a6cba0deed37dc9b770b7406361747539909852d53f8d5b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2747bf384bf02a104ab40f9684d2d48d

SHA1
c00d99b811b2c7c3d85b6ad3460a1a933a75a5dd

SHA256
7cd2af8123c74e4ffe26261bdebc16897c5cd116a245d0e066d8a0cda6409477

SHA512
dbc2394f471b5b706f5fe00d26b3c89bab7857e6fd155ebcfb22ffac87aa96269cd6fad9ad5e1d8580412120a97a4314c5272319c9d9f7e303a4512c77159a93

Download Submit
C:\Users\Admin\AppData\Roaming\raeljTgEWGjaGRB.vbs

Filesize
2KB

MD5
8384daa670f00cf4c9496f2d12d9b8f6

SHA1
e419e19ca81b413db0c32a571f53fcaf281dfb8f

SHA256
6393535545043090f4d6a7fb15c2bfd37eab1a1059a2af20eabb88263443d545

SHA512
36e76e832545004f0c571954cff28aba32d18b8fe27bf83e103a62454c1e585728d47526db7a63ccc5b0496f18f8770ff467137b7a958207a96a5b8df60a4838

Download Submit
memory/2616-16-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2616-17-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/2752-8-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2752-7-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2752-6-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download