499ff4a91d98b333bb280bf7d1112cdad8d30657c7dd8bae57f85c25b977bf1f

Analysis

max time kernel
133s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

График_отпусков_Мосэнерго_2025.vbs
Size

376B
MD5

74cc658a2ffe8c81e012cd64ffa7c671
SHA1

9a9d18e5851e54b3ac4ff2e81db35e111469bf3f
SHA256

81af5eccd733b7043d623256f01047cf4216408c090580c4f41146899c50bdd1
SHA512

063e9b977ad1043a7648d43a32eb76515e3d97a6156d4208e0feecb570367e4233ed41a757def8be927fe5856bcde513d6bf1f52e3437e84d253b098ff2a80bd

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2224	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2224	EXCEL.EXE
208	Microsoft.Mashup.Container.NetFX40.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	EXCEL.EXE
Token: 33	2224	EXCEL.EXE
Token: SeIncBasePriorityPrivilege	2224	EXCEL.EXE
Token: SeDebugPrivilege	208	Microsoft.Mashup.Container.NetFX40.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE
2224	EXCEL.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 208	2224	EXCEL.EXE	90
PID 2224 wrote to memory of 208	2224	EXCEL.EXE	90

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\График_отпусков_Мосэнерго_2025.vbs"
1⤵
PID:3240

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files\Microsoft Office\Root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe
  "C:\Program Files\Microsoft Office\Root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe" 6004 6008 9dbc6f0f-e1be-4d1e-a833-8543e98808f9 1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/208-75-0x000002306DA80000-0x000002306DA81000-memory.dmp

Filesize
4KB

Download
memory/208-76-0x000002306DA80000-0x000002306DA81000-memory.dmp

Filesize
4KB

Download
memory/208-78-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/208-79-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/208-80-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/208-82-0x000002306DA00000-0x000002306DA08000-memory.dmp

Filesize
32KB

Download
memory/208-81-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/2224-24-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-28-0x000001A522880000-0x000001A5228DC000-memory.dmp

Filesize
368KB

Download
memory/2224-4-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/2224-6-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-5-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/2224-7-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-8-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-10-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-11-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-12-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-13-0x00007FFB15DD0000-0x00007FFB15DE0000-memory.dmp

Filesize
64KB

Download
memory/2224-9-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-14-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-15-0x00007FFB15DD0000-0x00007FFB15DE0000-memory.dmp

Filesize
64KB

Download
memory/2224-20-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-21-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-19-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-18-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-17-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-16-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-23-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-2-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/2224-25-0x000001A53ACA0000-0x000001A53AE42000-memory.dmp

Filesize
1.6MB

Download
memory/2224-26-0x000001A53D8B0000-0x000001A540310000-memory.dmp

Filesize
42.4MB

Download
memory/2224-27-0x000001A53B0F0000-0x000001A53B384000-memory.dmp

Filesize
2.6MB

Download
memory/2224-3-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/2224-29-0x000001A53B390000-0x000001A53B552000-memory.dmp

Filesize
1.8MB

Download
memory/2224-30-0x000001A522850000-0x000001A522872000-memory.dmp

Filesize
136KB

Download
memory/2224-31-0x000001A53C2F0000-0x000001A53D080000-memory.dmp

Filesize
13.6MB

Download
memory/2224-33-0x000001A5228E0000-0x000001A5228F0000-memory.dmp

Filesize
64KB

Download
memory/2224-35-0x000001A53A980000-0x000001A53A9A2000-memory.dmp

Filesize
136KB

Download
memory/2224-34-0x000001A53A970000-0x000001A53A97A000-memory.dmp

Filesize
40KB

Download
memory/2224-36-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-42-0x000001A544630000-0x000001A548946000-memory.dmp

Filesize
67.1MB

Download
memory/2224-43-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-47-0x000001A53A9B0000-0x000001A53A9D8000-memory.dmp

Filesize
160KB

Download
memory/2224-48-0x000001A53AA30000-0x000001A53AA80000-memory.dmp

Filesize
320KB

Download
memory/2224-49-0x000001A522920000-0x000001A522930000-memory.dmp

Filesize
64KB

Download
memory/2224-50-0x000001A53A9E0000-0x000001A53A9F8000-memory.dmp

Filesize
96KB

Download
memory/2224-51-0x00007FFB57E4D000-0x00007FFB57E4E000-memory.dmp

Filesize
4KB

Download
memory/2224-52-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-53-0x000001A53ABF0000-0x000001A53AC4A000-memory.dmp

Filesize
360KB

Download
memory/2224-54-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-1-0x00007FFB57E4D000-0x00007FFB57E4E000-memory.dmp

Filesize
4KB

Download
memory/2224-0-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

Filesize
64KB

Download
memory/2224-55-0x000001A53BA90000-0x000001A53BFB8000-memory.dmp

Filesize
5.2MB

Download
memory/2224-56-0x000001A53B770000-0x000001A53B86C000-memory.dmp

Filesize
1008KB

Download
memory/2224-59-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-61-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-60-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-83-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download
memory/2224-87-0x00007FFB57DB0000-0x00007FFB57FA5000-memory.dmp

Filesize
2.0MB

Download