31c409ec86ac6e73be5f6732ce850313111c9b41dafeb1a06e63e82c408da79d

Analysis

max time kernel
145s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref#501032.vbe
Size

10KB
MD5

86ff8bd6d9735bf01c8f6189f4ad1002
SHA1

d6c3a4c31b8be503380490454ff2e5d8a8d65d9e
SHA256

31c409ec86ac6e73be5f6732ce850313111c9b41dafeb1a06e63e82c408da79d
SHA512

b658e1764d8e42c3d670f22593bbb6ad9a5ef2177ba1668ee009859a80023718cc173d6b3a801198742f392170dddd4bd85fb94ef0cceec225b9d6c6557fb73f
SSDEEP

192:9h1VLVXWk2P9VDxvTNjYAYFPKf7zXnGD7XbmcDXMpekKiK:jRWfPNxjYAy67zXnq3mJpG

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1728	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2640	powershell.exe
2640	powershell.exe
692	powershell.exe
692	powershell.exe
2388	powershell.exe
2388	powershell.exe
900	powershell.exe
900	powershell.exe
1484	powershell.exe
1484	powershell.exe
1980	powershell.exe
1980	powershell.exe
1892	powershell.exe
1892	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2216	2628	taskeng.exe	32
PID 2628 wrote to memory of 2216	2628	taskeng.exe	32
PID 2628 wrote to memory of 2216	2628	taskeng.exe	32
PID 2216 wrote to memory of 2640	2216	WScript.exe	34
PID 2216 wrote to memory of 2640	2216	WScript.exe	34
PID 2216 wrote to memory of 2640	2216	WScript.exe	34
PID 2640 wrote to memory of 612	2640	powershell.exe	36
PID 2640 wrote to memory of 612	2640	powershell.exe	36
PID 2640 wrote to memory of 612	2640	powershell.exe	36
PID 2216 wrote to memory of 692	2216	WScript.exe	37
PID 2216 wrote to memory of 692	2216	WScript.exe	37
PID 2216 wrote to memory of 692	2216	WScript.exe	37
PID 692 wrote to memory of 3040	692	powershell.exe	39
PID 692 wrote to memory of 3040	692	powershell.exe	39
PID 692 wrote to memory of 3040	692	powershell.exe	39
PID 2216 wrote to memory of 2388	2216	WScript.exe	40
PID 2216 wrote to memory of 2388	2216	WScript.exe	40
PID 2216 wrote to memory of 2388	2216	WScript.exe	40
PID 2388 wrote to memory of 1208	2388	powershell.exe	42
PID 2388 wrote to memory of 1208	2388	powershell.exe	42
PID 2388 wrote to memory of 1208	2388	powershell.exe	42
PID 2216 wrote to memory of 900	2216	WScript.exe	43
PID 2216 wrote to memory of 900	2216	WScript.exe	43
PID 2216 wrote to memory of 900	2216	WScript.exe	43
PID 900 wrote to memory of 952	900	powershell.exe	45
PID 900 wrote to memory of 952	900	powershell.exe	45
PID 900 wrote to memory of 952	900	powershell.exe	45
PID 2216 wrote to memory of 1484	2216	WScript.exe	46
PID 2216 wrote to memory of 1484	2216	WScript.exe	46
PID 2216 wrote to memory of 1484	2216	WScript.exe	46
PID 1484 wrote to memory of 2240	1484	powershell.exe	48
PID 1484 wrote to memory of 2240	1484	powershell.exe	48
PID 1484 wrote to memory of 2240	1484	powershell.exe	48
PID 2216 wrote to memory of 1980	2216	WScript.exe	49
PID 2216 wrote to memory of 1980	2216	WScript.exe	49
PID 2216 wrote to memory of 1980	2216	WScript.exe	49
PID 1980 wrote to memory of 2524	1980	powershell.exe	51
PID 1980 wrote to memory of 2524	1980	powershell.exe	51
PID 1980 wrote to memory of 2524	1980	powershell.exe	51
PID 2216 wrote to memory of 1892	2216	WScript.exe	52
PID 2216 wrote to memory of 1892	2216	WScript.exe	52
PID 2216 wrote to memory of 1892	2216	WScript.exe	52
PID 1892 wrote to memory of 2296	1892	powershell.exe	54
PID 1892 wrote to memory of 2296	1892	powershell.exe	54
PID 1892 wrote to memory of 2296	1892	powershell.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref#501032.vbe"
1⤵
- Blocklisted process makes network request
PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {6733A23A-A4B0-4A09-8E9B-D9AC9967A74B} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\uJHOGUVWBtxyMGu.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2640" "1244"
      4⤵
      PID:612
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "692" "1236"
      4⤵
      PID:3040
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2388" "1240"
      4⤵
      PID:1208
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "900" "1240"
      4⤵
      PID:952
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1484" "1240"
      4⤵
      PID:2240
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1980" "1248"
      4⤵
      PID:2524
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1892" "1240"
      4⤵
      PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259481997.txt

Filesize
1KB

MD5
e0b22a6e3f8586264b2e4f6a543554d6

SHA1
a0a3f3c19c729a6a7a44f6b5f3a43281b55dca1f

SHA256
a4ccd5b178495c667fe168e7d17aced39b7c81de9588816d0b5578e7c2275026

SHA512
c3f206f48f45749b24e433478ea7046c700c016ac842597c3bd6dec4dc36f2e3f472f44a0bd0b763b4b5f470f082a0fc0bfeaab1de0cc712231c9c8b126c5ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259498283.txt

Filesize
1KB

MD5
d9e4829082c761d83b65781fdc1e1bf7

SHA1
eab91c9f211c5c76f51f936ca432446ee9c10976

SHA256
967023602141e4de75aa7138fc1baea4ed04f035f67d12f73d42ce51f2e4643a

SHA512
80717db0198a583ff39eae3c2c30e2c016bdbc30ec23390df0c7496df21829da3d4d5a67d5117e495117887bd9d867a71e8e9a4af911dc4ac677420ca65b4d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259512018.txt

Filesize
1KB

MD5
84e5f98236f23655b39159797f88ad3b

SHA1
312be0933b60404ccf89632435ada4a4545fed5b

SHA256
397eaed3da4559b26a8581d9140477f1703c1ca263562c06c15bee7c88b1f6d5

SHA512
fd9c4ee85a2cdb7098443e4b4c9aba24942eda22d9f5841488f9d594d930a1b6c0f7c7dfbacdb104235744b9f9444f419581d05d7c2e14763bc4c421908ad963

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259528843.txt

Filesize
1KB

MD5
aa7059940980a1470cdbc3e5d688eed4

SHA1
fb7608aa08d7df998f62597111bb6d365c44a17a

SHA256
56387f1738b5aa4bf3342a134117a448c75ca4c4082ca66cac550dccb2f7a069

SHA512
4537690e57818c6498165e59530a355b1b795ebfe7e78c15c11dc9f7e154ca7d7e7050fb0e4b2fde2797ad5838392f7ba2955f8f4898fc70ca8a602a4fb02c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259543631.txt

Filesize
1KB

MD5
0cef54828ff26312190e0ee9c88e7a8b

SHA1
182a0211b294e3e8064f64bf4216f868ee3b8d6c

SHA256
7ad798df8b4ab8f16e9d06c2ae17005f4eb47abfeb59e8a002ce2b3c6385b82f

SHA512
fe0543639f198a41889cf2a2025e308adcfe6ccbff6bf0b119e28c784626b672ef1aaade1ccead85b73a45e9f90c49161c4e1dda5973fc049f7791c93fb2c1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259560785.txt

Filesize
1KB

MD5
331281a824d801d4bfa9c8576d2cb5fd

SHA1
be753254ae991789b1698c4985a00901aa930771

SHA256
664b42e544e6cc15849be04bee37856cb707b8ef1e2ad7b0327193908f8be072

SHA512
0055daa108d753b1d3b93fc96f6ecb11f0bf0597ac39c5e71a532f0ab1f1215bd5b28e093f19efe3d62668844aae7775c45315af838a872eef6a9f82421158cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259574018.txt

Filesize
1KB

MD5
29c49d950beac00a3288dd53d9cd4042

SHA1
0479589f8c3d0b56695d27006fba6fa6fb7c97e1

SHA256
7adf716fd735056efc03ea044e2b513c62973ca21bf5c99c84f390a79499b040

SHA512
1ee758f1b8809f9cd31ae674b1b6da53c8e549bfac80b1124af169dc0418d52776d80253f9bfc6e4d730f0a4b5de82da6cde37ff91bd858de1512ac47d19698f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
251d4654a1b8702045c25856b7ff6df1

SHA1
2d8f0f5114f08139dbb3fe33e6fb892a915393cc

SHA256
cbb4a38a10d1a93588fa6bf588c13a5ade63b829ea0bc0d9c41ec01a73d65b39

SHA512
6fe20224f3abc180ba77b74a2325ca6b94d8a2d2aaf41c5c90e731f382faa283dcef5a5a4e5bfed20f8e0e094e7e6eedcb98f72b7f6f5545357dbe467763abbf

Download Submit
C:\Users\Admin\AppData\Roaming\uJHOGUVWBtxyMGu.vbs

Filesize
1KB

MD5
0557412072671735614bf19c31382132

SHA1
11c65d1406215f219c2e056cf2a9cb86dfd52f9f

SHA256
67d7275a537656f5ac774067fafb36c3655c67d9b1ebecd1c399dcfcf5e4f6e2

SHA512
98731a92919d7d978d6731567474cecd739cbf3b3f758737fca6f2927861fd4f71cdae2ea764f306db130671ae54b83bc6b7c9b3ab7b16fa86d2ff371c6e6619

Download Submit
memory/692-16-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/692-17-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/2640-8-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/2640-7-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2640-6-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download