Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 14:26

General

  • Target

    SWIFTCOPY202973783.vbe

  • Size

    10KB

  • MD5

    254471760724bb645f41689c3bdc6dac

  • SHA1

    ceda7f23ac91b4af194c758b3c6e5b9100766da4

  • SHA256

    ef670fb4793463bc81ae7f07fc809bab0962fec614a3fef3bc779a4a382c2eae

  • SHA512

    f18fad6ae29adb4fca5b4b1a3d525062f955bc94ec89d4d913e6b0d802838ed428ecfdc42c18ae8950814889d0636bb47598236163e2a138dea8062431a04867

  • SSDEEP

    192:7QiwcCrwQiaIf536yhD1uFyQ3NvR13N1QZd9N0FK:2c+wQhQ53ZD8Fj3tRVN1M/NF

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SWIFTCOPY202973783.vbe"
    1⤵
    • Blocklisted process makes network request
    PID:1960
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0A6A1468-CA22-402D-A2E8-4983C2566402} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\LPFpWIHXbpdnRBc.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2596
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2596" "1240"
          4⤵
          PID:2692
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1732" "1244"
          4⤵
          PID:1912
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1144" "1244"
          4⤵
          PID:2892
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "2932" "1236"
          4⤵
          PID:1504
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1084" "1240"
          4⤵
          PID:900
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "1032" "1240"
          4⤵
          PID:2396
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchRestart.wmv"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259491269.txt
    Filesize
    1KB
    MD5
    b13bfb6f5bc4d46b6ac7b6f365c523f1
    SHA1
    c68c153e5639873edeafe4ecf1aa64e238c7a1cb
    SHA256
    770f78f437d2d6a8c43aef9ce396e5cf8db7252c9ea7af94511640ac41fc37b4
    SHA512
    eb72acf78c8bc6a4c6a7c6c7e83bbcda6de61b42b4f01fc732e2730503a49b4ed51ef28762cc9924874cf795c6c00254d74005832b08d53918091bbabcabff14

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259509678.txt
    Filesize
    1KB
    MD5
    939ca7083f6dfc4aec857d503ad6b6ca
    SHA1
    dcd2fc454b9ec157bd6f73f37d509c98ecced116
    SHA256
    8fe8bb06de3468537474671ec96207b230206107631413787654bae51234e3a8
    SHA512
    0521cd8737244d7b7c7f701912752c09c979bc46addbc7471306d9d54b45a9f18ef34b8f6bdeab17a2b146555beea6b0583c53e8015e85a7c3131916b2e0daa2

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259523185.txt
    Filesize
    1KB
    MD5
    20e0b057f00973e29d2a8047a0279a72
    SHA1
    9e48e662c6fc348ae00d6454fc3ba6ef22c2c59b
    SHA256
    cfdc55c226754a8a8cfcc7391989a8fae56407f1ac844dda2aac1c2990f3eca8
    SHA512
    1f639efa1bef576e70dc295ca57513cfabd298c003448aa5be60147c709c015f8774d2c350621a680b512b6dc2e2adcf74475a87d9869f1337b575384b446792

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259541618.txt
    Filesize
    1KB
    MD5
    c2f3b99cf531911fab9b4b458fed9adb
    SHA1
    1912ba176308034e8238ae3b8797674c733d568a
    SHA256
    fa1e9b101c52df86fe71ba5cfbb4ab8bb4c825e3fe082633a29bcba52df8e767
    SHA512
    2bb85516ef01fdfc1e20972f09851f36f7ca61fb3be821c393ed9bc860e1e786197c6c251df39b51d64115dd44bad03588dc48e531baa269fbc438c2f5c68a16

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259555242.txt
    Filesize
    1KB
    MD5
    639a739d1691da27c72b302818583ff4
    SHA1
    3d37492f2b70d944031786ff89ae3cc34fb4603e
    SHA256
    1769120b4cc8d667b435128b631642621250396ffcfe99b34f663f858e9080ee
    SHA512
    b9e784bd5d2358c2b70e33770f7f8461f5121ff909c8157291f0fa413f01d6ff477c780ceb8cfbcc18bfcac2d46fb64c7240f52fa213e13a8391cf8d5705ebba

  • C:\Users\Admin\AppData\Local\Temp\OutofProcReport259568298.txt
    Filesize
    1KB
    MD5
    d44b9d8322a05081ecdbe0c4d6cce5e4
    SHA1
    478a11deb7898f2f5613a0669b06f12c0fd9c8ca
    SHA256
    0c8c9332b48f918f976652420440b0cbdacc06a3067adc03ac53365bf0e047a7
    SHA512
    2cdede9b6c5552ff14c279fcc9576b3e193b27e693b546276e27b7498a0d0c64c159e9ab42b2b6b7fc86e3f789ed48564d6c0e76783889fdb4341f00b8ec2231

  • C:\Users\Admin\AppData\Roaming\LPFpWIHXbpdnRBc.vbs
    Filesize
    1KB
    MD5
    5b12725548e7be334795090aab4c663a
    SHA1
    3f3cfaba2d7d57817d08f73b6693c7ed7c632932
    SHA256
    7ea2c1cdb0947698fcc82e9c7624c63a92d73671dd48d368a35c968a77a6cfac
    SHA512
    14ea70502134fd28f709071da5d9a1adf4fe7fc08fea5afdc22092374043219eb5bae6a8506000efbcf231bc05162ab34d2fc95015156ac3fbc84da35ab8b928

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize
    7KB
    MD5
    2573791824e3676331910ef358d5b1ed
    SHA1
    29a641bee4d06b9d21bc5bf03e467c1bbf49be03
    SHA256
    b23e743af61aa90365772b3a617f4bbe1ad387747d45821683eb69c937b00b4e
    SHA512
    6161f6ecf3e84e3192be0fb3835e59da3bdddbdc910ae8c9777eee5d8392409e0157c49c094a4b46e58c9ca44bbe3e58e771a74cabe232bfa9380f80f9f6d618

  • \??\PIPE\srvsvc
    MD5
    d41d8cd98f00b204e9800998ecf8427e
    SHA1
    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512
    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • memory/1732-16-0x000000001B640000-0x000000001B922000-memory.dmp
    Filesize
    2.9MB

  • memory/1732-17-0x0000000001E80000-0x0000000001E88000-memory.dmp
    Filesize
    32KB

  • memory/2596-8-0x0000000002A60000-0x0000000002A68000-memory.dmp
    Filesize
    32KB

  • memory/2596-7-0x0000000002310000-0x0000000002318000-memory.dmp
    Filesize
    32KB

  • memory/2596-6-0x000000001B730000-0x000000001BA12000-memory.dmp
    Filesize
    2.9MB