Analysis

Max time kernel: 146s
Max time network: 118s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 11-11-2024 13:26

Static task: static1

Behavioral task: behavioral1
  Sample: Ref#130709.vbe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: Ref#130709.vbe
  Resource: win10v2004-20241007-en

General

Target: Ref#130709.vbe
Size: 10KB
MD5: cf567f1369e0a7b9d18a06ef67df6877
SHA1: e007346258255d739beeefc52346a239f8818c5c
SHA256: b7afcdd36c30b9be80b532b7f9510a50eedef13d26f88385bb94a7e31ea061d6
SHA512: 419f209fa202c6e1cd0b558f7a8277a43408c19a14e76dbd31d70a8b2e9c522217fe2edda1bdb4e6fae7af96b9a53c1893bc260053fdfc65e3a60c8423be9d97
SSDEEP: 192:v9iw0wLDaKbUcQKbwXDHo3EvWzm9/1q25cBMRPjvA5MGVK:H0wLuKbUcQewWzs/c2Wa+8
Malware Config

Signatures

- Blocklisted process makes network request (1 IoC)
  Processes: WScript.exe
  flow 2, PID 2872, WScript.exe

- Drops file in System32 directory (7 IoCs)
  Processes: powershell.exe (seven instances)
  File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  (the same path is reported once for each of the seven powershell.exe processes)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  flow 2, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: powershell.exe, PIDs 2756, 272, 2104, 3032, 2892, 612, 1780 (each reported twice)

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege, held by powershell.exe PIDs 2756, 272, 2104, 3032, 2892, 612, 1780

- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes: taskeng.exe, WScript.exe, powershell.exe (seven instances)
  Each write is recorded three times in the report; the 15 distinct source -> target pairs are:
    PID 2680 taskeng.exe    wrote to memory of 2572 (procid_target 31)
    PID 2572 WScript.exe    wrote to memory of 2756 (procid_target 33)
    PID 2756 powershell.exe wrote to memory of 2976 (procid_target 35)
    PID 2572 WScript.exe    wrote to memory of 272  (procid_target 36)
    PID 272  powershell.exe wrote to memory of 1148 (procid_target 38)
    PID 2572 WScript.exe    wrote to memory of 2104 (procid_target 39)
    PID 2104 powershell.exe wrote to memory of 2912 (procid_target 41)
    PID 2572 WScript.exe    wrote to memory of 3032 (procid_target 42)
    PID 3032 powershell.exe wrote to memory of 2472 (procid_target 44)
    PID 2572 WScript.exe    wrote to memory of 2892 (procid_target 46)
    PID 2892 powershell.exe wrote to memory of 2288 (procid_target 48)
    PID 2572 WScript.exe    wrote to memory of 612  (procid_target 49)
    PID 612  powershell.exe wrote to memory of 2172 (procid_target 51)
    PID 2572 WScript.exe    wrote to memory of 1780 (procid_target 52)
    PID 1780 powershell.exe wrote to memory of 2784 (procid_target 54)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Windows\System32\WScript.exe (PID 2872)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref#130709.vbe"
    - Blocklisted process makes network request

[1] C:\Windows\system32\taskeng.exe (PID 2680)
    Command line: taskeng.exe {5CB1849C-7691-4AD8-8ADF-75A6607870DC} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WScript.exe (PID 2572)
        Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\gMBlGsAXoyfBvsA.vbs"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2756)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wermgr.exe (PID 2976)
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2756" "1240"

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 272)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wermgr.exe (PID 1148)
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "272" "1244"

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2104)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wermgr.exe (PID 2912)
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2104" "1236"

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3032)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wermgr.exe (PID 2472)
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "3032" "1244"

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2892)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wermgr.exe (PID 2288)
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "2892" "1236"

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 612)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wermgr.exe (PID 2172)
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "612" "1240"

        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 1780)
            Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\wermgr.exe (PID 2784)
                Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1780" "1244"
Network
MITRE ATT&CK Enterprise v15
Downloads