eaae036429966edb9d7efcc60e7d8af4ecb0e60b668083125c64aed949753948

Resubmissions

29/10/2024, 18:10

241029-wscc9axhkn 10

09/10/2024, 10:24

241009-mfdacatdqb 10

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29/10/2024, 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Letter Of Intent.vbe
Size

11KB
MD5

59958a367c15cc55b0b42db533eb99a8
SHA1

06d169da811d8d0abce9280ff7fd748f125e1aff
SHA256

5a793830dc868d92331342fbca7bb5338b6014944a972960c97f7d9d3f3c66ae
SHA512

bc7fbbb16f83492876f298f98160b264150ee995871f0e2d59c5c49d703bf2f21721ca1d49d293264be798ef0da2b5ebb4f423be5ddc788d34f1369db03e546e
SSDEEP

192:kn3g3XXH2AYKtbXq1qFqpSJ7sWfqH2hmqaOdC8NhuOzWNpK:uw3XXH2aA1qFkiQWfq2mqLdCpxw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	1728	WScript.exe
3	1728	WScript.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2596	powershell.exe
2596	powershell.exe
2944	powershell.exe
2944	powershell.exe
2908	powershell.exe
2908	powershell.exe
2200	powershell.exe
2200	powershell.exe
2204	powershell.exe
2204	powershell.exe
600	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2876	2720	taskeng.exe	32
PID 2720 wrote to memory of 2876	2720	taskeng.exe	32
PID 2720 wrote to memory of 2876	2720	taskeng.exe	32
PID 2876 wrote to memory of 2596	2876	WScript.exe	34
PID 2876 wrote to memory of 2596	2876	WScript.exe	34
PID 2876 wrote to memory of 2596	2876	WScript.exe	34
PID 2596 wrote to memory of 1912	2596	powershell.exe	36
PID 2596 wrote to memory of 1912	2596	powershell.exe	36
PID 2596 wrote to memory of 1912	2596	powershell.exe	36
PID 2876 wrote to memory of 2944	2876	WScript.exe	37
PID 2876 wrote to memory of 2944	2876	WScript.exe	37
PID 2876 wrote to memory of 2944	2876	WScript.exe	37
PID 2944 wrote to memory of 944	2944	powershell.exe	39
PID 2944 wrote to memory of 944	2944	powershell.exe	39
PID 2944 wrote to memory of 944	2944	powershell.exe	39
PID 2876 wrote to memory of 2908	2876	WScript.exe	40
PID 2876 wrote to memory of 2908	2876	WScript.exe	40
PID 2876 wrote to memory of 2908	2876	WScript.exe	40
PID 2908 wrote to memory of 516	2908	powershell.exe	42
PID 2908 wrote to memory of 516	2908	powershell.exe	42
PID 2908 wrote to memory of 516	2908	powershell.exe	42
PID 2876 wrote to memory of 2200	2876	WScript.exe	44
PID 2876 wrote to memory of 2200	2876	WScript.exe	44
PID 2876 wrote to memory of 2200	2876	WScript.exe	44
PID 2200 wrote to memory of 2208	2200	powershell.exe	46
PID 2200 wrote to memory of 2208	2200	powershell.exe	46
PID 2200 wrote to memory of 2208	2200	powershell.exe	46
PID 2876 wrote to memory of 2204	2876	WScript.exe	47
PID 2876 wrote to memory of 2204	2876	WScript.exe	47
PID 2876 wrote to memory of 2204	2876	WScript.exe	47
PID 2204 wrote to memory of 1796	2204	powershell.exe	49
PID 2204 wrote to memory of 1796	2204	powershell.exe	49
PID 2204 wrote to memory of 1796	2204	powershell.exe	49
PID 2876 wrote to memory of 600	2876	WScript.exe	50
PID 2876 wrote to memory of 600	2876	WScript.exe	50
PID 2876 wrote to memory of 600	2876	WScript.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Letter Of Intent.vbe"
1⤵
- Blocklisted process makes network request
PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {E13DE698-6458-4151-A5F9-8083F0A54F71} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\raeljTgEWGjaGRB.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2596" "1248"
      4⤵
      PID:1912
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2944" "1252"
      4⤵
      PID:944
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2908" "1244"
      4⤵
      PID:516
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2200" "1252"
      4⤵
      PID:2208
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2204" "1256"
      4⤵
      PID:1796
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:600
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "600" "1244"
      4⤵
      PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259533587.txt

Filesize
1KB

MD5
95a1e4d8ac1783d1709e7e9db9db5a05

SHA1
c738060d77f5d89b374f118b1bfef433bfa7d857

SHA256
59bf1a305c293517a922d88fadb1b1e5de470a0916f16d5517c16d4197bde690

SHA512
15bb5e56fe3f435057e1f7059186b8da75af34fa7d75ca3ecbbcd8efcde71b868fed20106601670394ad3f4790186ac3e0a5dd240e77df40d0c1c0eedf976e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259544796.txt

Filesize
1KB

MD5
f8ffd9b2bebd2bae6975784f928b4240

SHA1
70f508553e0855335c48dd3c2b8bbe8b86222346

SHA256
c943643fcb08b0c42f63d42b1ec1e4d5cf2f2a7d6700c0ce61062913fff2ace2

SHA512
a39586eb07bf27a0e7ca85d35b004e0294bb0ff385046dd19e8d1fc4d9a6540c2883441a09b12b57ba1606eeceff0280e65a1804689a9dbdf9e646f7d1a8deeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259562943.txt

Filesize
1KB

MD5
80c509d798a3766b03c4edeaf952cd72

SHA1
f15d927b6aa4d38897ef4a2e7bab788972c54113

SHA256
e43cc7b748c1845a83db94585306782fbd10f54401efa80d4c529aa90a850175

SHA512
c10f1ab2109d464265ee877f7d6c040e89d737cc6dca6f1317c3a7f676b568f86263646803c635bebc5768adf657e8bc501e3d85485d8024e021c5cd102d0351

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259578996.txt

Filesize
1KB

MD5
c61a2f9a00af0fd2a554a8a680bfe620

SHA1
45083df6de0cbc01708a4e6695ff56ac650021b6

SHA256
59fe5d3409dff8071ea5f058829809606606526791702d76cd4cfe20751d995d

SHA512
b44b239df0aa6718c9aab4fdba19d201b83c89d3ec56d96a3491aa29d0d725fec8cd6fb024f72ff7b37de33074ebcce9ecd4e9170ecc2ef4a0d02f17c18acffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259594318.txt

Filesize
1KB

MD5
0cddd0e04eca580cd46d240d9668f5b4

SHA1
56fe4eb7855c8b1ed094dbe906899308e24f5f54

SHA256
5c4df08f99e2a91d0bf4995b74887aee041f67001b5455d88cb9673bd2f8fdf6

SHA512
57c5d1c8c806a51bf4d6783bc97740fbfe2947094ff16b5feb78dd31082e8a1f2434a9e359a0f36e78a1f24a9f5d96305aeaa93c76f4a026c27b28a8a5a4a2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259606670.txt

Filesize
1KB

MD5
f53e0ac763827e5f999e04f7602fd610

SHA1
2bb7cc18a20eebc0c25f04333df071c270ca7b6f

SHA256
4376da0f6fd728d5ad2adc823a2895dfa2ecf1f479c5a92ffc576e6a3acc926b

SHA512
7a0bd3aace189ae18233733e2279c77db1739ec1ab758896031f437fde6f312c14f3b8bd089fbe51ab9a93a09f2f1a52bd989e649f0358d1bc514cf0eb91b999

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4128ad3bcb64c4f3ab138a5345e67e81

SHA1
12673ce9cbedbc86a4edaa356eb25a5fff439816

SHA256
4e08fee356c6eb0178547d5a74bc08c0427baed1a9281f03c5d7dfcc92508173

SHA512
44bb7e4da571b58d44c793adc66b14deb8170d258906635a5d1167c22aab1544dd6af5bd00272e5d65043637d7b4b65a8c183ae7975bb71f419c1a6c5ca1ec63

Download Submit
C:\Users\Admin\AppData\Roaming\raeljTgEWGjaGRB.vbs

Filesize
2KB

MD5
8384daa670f00cf4c9496f2d12d9b8f6

SHA1
e419e19ca81b413db0c32a571f53fcaf281dfb8f

SHA256
6393535545043090f4d6a7fb15c2bfd37eab1a1059a2af20eabb88263443d545

SHA512
36e76e832545004f0c571954cff28aba32d18b8fe27bf83e103a62454c1e585728d47526db7a63ccc5b0496f18f8770ff467137b7a958207a96a5b8df60a4838

Download Submit
memory/2596-8-0x00000000025B0000-0x00000000025B8000-memory.dmp

Filesize
32KB

Download
memory/2596-7-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2596-6-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/2944-17-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/2944-16-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download