65f3918bbabd50999d9e2fede1ab068d5b8df7019f1210bc72bda826c693c1a9

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/10/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65f3918bbabd50999d9e2fede1ab068d5b8df7019f1210bc72bda826c693c1a9.vbs
Size

24KB
MD5

27cbf4229a58f07dcd2a8a025c7d9e06
SHA1

72d1d19362e929e6e8b2c666996ead710e4ce57d
SHA256

65f3918bbabd50999d9e2fede1ab068d5b8df7019f1210bc72bda826c693c1a9
SHA512

3d42afe7b0c4e8ce6fcda3bbb05870c8a69774590e639b8ed3bf71779cbf3e762c0a4b3dd1fc5a966f413e6499c9c61242ecc0e1e63395dc278731cf06160767
SSDEEP

192:eMIPpW99qA+mDnm1A1w1FgrsyK4sezv4zHv7vXCd0nApy2OsEALWdJYHLlmpw3nq:+PyqjIP9CdAssElOkUc2DmJXM9h8HXGy

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2000	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3052	powershell.exe
3052	powershell.exe
1632	powershell.exe
1632	powershell.exe
1980	powershell.exe
1980	powershell.exe
836	powershell.exe
836	powershell.exe
1800	powershell.exe
1800	powershell.exe
1656	powershell.exe
1656	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2000	2324	WScript.exe	31
PID 2324 wrote to memory of 2000	2324	WScript.exe	31
PID 2324 wrote to memory of 2000	2324	WScript.exe	31
PID 2596 wrote to memory of 2704	2596	taskeng.exe	33
PID 2596 wrote to memory of 2704	2596	taskeng.exe	33
PID 2596 wrote to memory of 2704	2596	taskeng.exe	33
PID 2704 wrote to memory of 3052	2704	WScript.exe	35
PID 2704 wrote to memory of 3052	2704	WScript.exe	35
PID 2704 wrote to memory of 3052	2704	WScript.exe	35
PID 3052 wrote to memory of 1808	3052	powershell.exe	37
PID 3052 wrote to memory of 1808	3052	powershell.exe	37
PID 3052 wrote to memory of 1808	3052	powershell.exe	37
PID 2704 wrote to memory of 1632	2704	WScript.exe	38
PID 2704 wrote to memory of 1632	2704	WScript.exe	38
PID 2704 wrote to memory of 1632	2704	WScript.exe	38
PID 1632 wrote to memory of 1296	1632	powershell.exe	40
PID 1632 wrote to memory of 1296	1632	powershell.exe	40
PID 1632 wrote to memory of 1296	1632	powershell.exe	40
PID 2704 wrote to memory of 1980	2704	WScript.exe	41
PID 2704 wrote to memory of 1980	2704	WScript.exe	41
PID 2704 wrote to memory of 1980	2704	WScript.exe	41
PID 1980 wrote to memory of 1944	1980	powershell.exe	43
PID 1980 wrote to memory of 1944	1980	powershell.exe	43
PID 1980 wrote to memory of 1944	1980	powershell.exe	43
PID 2704 wrote to memory of 836	2704	WScript.exe	44
PID 2704 wrote to memory of 836	2704	WScript.exe	44
PID 2704 wrote to memory of 836	2704	WScript.exe	44
PID 836 wrote to memory of 1752	836	powershell.exe	46
PID 836 wrote to memory of 1752	836	powershell.exe	46
PID 836 wrote to memory of 1752	836	powershell.exe	46
PID 2704 wrote to memory of 1800	2704	WScript.exe	47
PID 2704 wrote to memory of 1800	2704	WScript.exe	47
PID 2704 wrote to memory of 1800	2704	WScript.exe	47
PID 1800 wrote to memory of 2036	1800	powershell.exe	49
PID 1800 wrote to memory of 2036	1800	powershell.exe	49
PID 1800 wrote to memory of 2036	1800	powershell.exe	49
PID 2704 wrote to memory of 1656	2704	WScript.exe	50
PID 2704 wrote to memory of 1656	2704	WScript.exe	50
PID 2704 wrote to memory of 1656	2704	WScript.exe	50
PID 1656 wrote to memory of 1588	1656	powershell.exe	52
PID 1656 wrote to memory of 1588	1656	powershell.exe	52
PID 1656 wrote to memory of 1588	1656	powershell.exe	52
PID 2704 wrote to memory of 1512	2704	WScript.exe	53
PID 2704 wrote to memory of 1512	2704	WScript.exe	53
PID 2704 wrote to memory of 1512	2704	WScript.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65f3918bbabd50999d9e2fede1ab068d5b8df7019f1210bc72bda826c693c1a9.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\restored.vbe"
  2⤵
  - Blocklisted process makes network request
  PID:2000

C:\Windows\system32\taskeng.exe
taskeng.exe {C7EB32E3-3C38-4EAD-819A-66D33B7C6C1E} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MjRtEXpmLwgnbtg.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3052" "1240"
      4⤵
      PID:1808
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1632" "1240"
      4⤵
      PID:1296
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1980" "1240"
      4⤵
      PID:1944
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "836" "1244"
      4⤵
      PID:1752
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1800" "1240"
      4⤵
      PID:2036
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1656" "1240"
      4⤵
      PID:1588
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    PID:1512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\restored.vbe

Filesize
11KB

MD5
8be88e1bc506923fe2f5508eafe18352

SHA1
b5acc8b85c25ffc811484207269602e772e97309

SHA256
0a9f0d0f9c7d23ca1774149a637c6776c90453dc9a70b00f62a8e446c20c58f8

SHA512
1555c8ff722f43431b40aefba691fcb0fcdee9349e9c622e13e62e97692127a7378083bd3b0f6fb8bb29068a62eb3b1a1e8bf0b8eb1f694a000ee4e8d47c80b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259504000.txt

Filesize
1KB

MD5
334e6baa3102579b0f244638f99cca10

SHA1
008790ac9c768266775dce1dcbdbab2ef72c77db

SHA256
e0be188f852e9371aa2f274fc30d053460f7b369b46079c2b056c087277ffc4d

SHA512
56ac37eed9fe8eb86d609b1b99c3372d06f44fe488bd1c2b85a92d4cddf6df56fb892628c9604227cdcdedd26eb919ca54146715563ae5bb80dbc7d6ffcf2572

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259518718.txt

Filesize
1KB

MD5
34b9f12b4f2871bddc9a749b80f888cd

SHA1
09fe754690860ac332ebdd6db1329c1296b90ba6

SHA256
0b9ee00eebcdd43fc2b58219aae56ecac66119711f96682b2290151dae003efa

SHA512
57fa5ea90541cc861e17a32b90723196b90ad893c24d283d5e5793968f11b5e8f5348d2adf4261eee38581647fc914e564532b0f0cafd564fb114a3adfa13620

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259536432.txt

Filesize
1KB

MD5
c49e70f5f113dc85f80db81134b742be

SHA1
06b8c18d2e590d07bf381c57b7cfc620bb954041

SHA256
3cc01bc07c60d110cf90007d57c9523a7ebf414184747e281c1484b1e84bb2d4

SHA512
dc95bb343ce740d2bb7425dcee12c7962c53edf1db81b9f7c0bc2e943dd77f8e92f4f3db889c0de17e40dd099cf36e20fd96988aa4b4ec356f01fb1ed2706711

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259551107.txt

Filesize
1KB

MD5
d5ed5425dddb0ffd9077ed456343a5f8

SHA1
794f0f41bb9c2e9bbe241335021e74e233d009c1

SHA256
7cf037ff591be4995c966fa3dce8b713c28ad01d02db01e9ec5188062ec93dac

SHA512
220af92143940a049bcbcf548a4b0b68bb20a73423f7ef835d97bfbfefdb45830f8c3ebf9ec51bde922d76f2857718714a919055909d0b23d2dc9caea2444381

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259563755.txt

Filesize
1KB

MD5
d86968573035ee9184fcfbaebbaa2395

SHA1
650bb9dec05fe79392dfd84a526d823642d5b7ff

SHA256
8828b00febd47e78f5dce888b73bdcb68566f4ccdd441aa127b75baccc5b3bd6

SHA512
d209b337e9f50a48664546adb046c478b5b79f4e3980491beb67ac83856f1cb97f7ae6038655e93387cd61ea170368aab583c48b1483e479fb3a006cb979f020

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259581146.txt

Filesize
1KB

MD5
688187ef5dad30186c55ec462318b106

SHA1
03eec1b16fc0b72a621206a37fd719307b75e8a3

SHA256
8e5ce8214f8faa85f72fc365c05f3f4b068bab0d6029def16545af08e752e4f8

SHA512
72c38ee9fbfb42b0039c353027d03132e416de69fea7abed00b04028b883629f29f00d796673bbab2f15d1f91da64bbaa56abfd45dff4d391e3a6c032cfa7ed9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f2802f98edc950d56fb9dca1ea78699c

SHA1
1cc4c406affbc4d84a2742f3722be1b4862562e4

SHA256
c9eba7451ec0491f973575ba1c9f924f76125441fda68e1688d786754318560a

SHA512
eb36241753a66ade0bf820f04c33c039caba32a008cb86aa4a91f69e84c390ae14819c0f28ef27901c30f37ca5191e7ce8530420f81977e2c3bd06ae2946ce65

Download Submit
C:\Users\Admin\AppData\Roaming\MjRtEXpmLwgnbtg.vbs

Filesize
2KB

MD5
21d42a68c7a33bd16dde0bf97f0352f4

SHA1
4ba69492895c1ddce743e10b48f43e65c5cc82cc

SHA256
afc7cc6b833fce873e88e0d87c3c72e3db59bb6c3029e83ac5b62a94eacf9ff6

SHA512
a4e7f50777b5551326154c9e27afef636171626743e8198e396614b0563076f292fe6d407e52021d65976a31cbe23d47200666762cd5c557736dca09aeaeb13b

Download Submit
memory/1632-20-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/1632-19-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/3052-11-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/3052-10-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/3052-9-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download