161157731ec2b70f5b5d2861d281fc3681b365a5c8242441a3a0772f6e5176a8

Analysis

max time kernel
138s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ref#19907600.vbe
Size

14KB
MD5

3750a9f8d705970d177e72b028cc065d
SHA1

6700bfa882d308a1e1226f7484c5709a823a8b17
SHA256

161157731ec2b70f5b5d2861d281fc3681b365a5c8242441a3a0772f6e5176a8
SHA512

504b842d778042c060618505e85cfc3cc1a541e84431f8ad4adc6c54f1a8bb5480847eff8b93f6b60ae5cbbd963e5a381fca17588a46321767d47373f73603c7
SSDEEP

384:SoARS0j0wbvwbbXM0jqN/Jt/HwxPNXkwQ0MhJ9fl:dARS0j5cbbXM0GHsPNFM/n

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2112	WScript.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2804	powershell.exe
2804	powershell.exe
2212	powershell.exe
2212	powershell.exe
628	powershell.exe
628	powershell.exe
2296	powershell.exe
2296	powershell.exe
1120	powershell.exe
1120	powershell.exe
2280	powershell.exe
2280	powershell.exe
564	powershell.exe
564	powershell.exe
2396	powershell.exe
2396	powershell.exe
2784	powershell.exe
2784	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 2756	388	taskeng.exe	32
PID 388 wrote to memory of 2756	388	taskeng.exe	32
PID 388 wrote to memory of 2756	388	taskeng.exe	32
PID 2756 wrote to memory of 2804	2756	WScript.exe	34
PID 2756 wrote to memory of 2804	2756	WScript.exe	34
PID 2756 wrote to memory of 2804	2756	WScript.exe	34
PID 2804 wrote to memory of 2612	2804	powershell.exe	36
PID 2804 wrote to memory of 2612	2804	powershell.exe	36
PID 2804 wrote to memory of 2612	2804	powershell.exe	36
PID 2756 wrote to memory of 2212	2756	WScript.exe	37
PID 2756 wrote to memory of 2212	2756	WScript.exe	37
PID 2756 wrote to memory of 2212	2756	WScript.exe	37
PID 2212 wrote to memory of 1992	2212	powershell.exe	39
PID 2212 wrote to memory of 1992	2212	powershell.exe	39
PID 2212 wrote to memory of 1992	2212	powershell.exe	39
PID 2756 wrote to memory of 628	2756	WScript.exe	40
PID 2756 wrote to memory of 628	2756	WScript.exe	40
PID 2756 wrote to memory of 628	2756	WScript.exe	40
PID 628 wrote to memory of 800	628	powershell.exe	42
PID 628 wrote to memory of 800	628	powershell.exe	42
PID 628 wrote to memory of 800	628	powershell.exe	42
PID 2756 wrote to memory of 2296	2756	WScript.exe	43
PID 2756 wrote to memory of 2296	2756	WScript.exe	43
PID 2756 wrote to memory of 2296	2756	WScript.exe	43
PID 2296 wrote to memory of 1908	2296	powershell.exe	45
PID 2296 wrote to memory of 1908	2296	powershell.exe	45
PID 2296 wrote to memory of 1908	2296	powershell.exe	45
PID 2756 wrote to memory of 1120	2756	WScript.exe	46
PID 2756 wrote to memory of 1120	2756	WScript.exe	46
PID 2756 wrote to memory of 1120	2756	WScript.exe	46
PID 1120 wrote to memory of 1792	1120	powershell.exe	48
PID 1120 wrote to memory of 1792	1120	powershell.exe	48
PID 1120 wrote to memory of 1792	1120	powershell.exe	48
PID 2756 wrote to memory of 2280	2756	WScript.exe	49
PID 2756 wrote to memory of 2280	2756	WScript.exe	49
PID 2756 wrote to memory of 2280	2756	WScript.exe	49
PID 2280 wrote to memory of 1632	2280	powershell.exe	51
PID 2280 wrote to memory of 1632	2280	powershell.exe	51
PID 2280 wrote to memory of 1632	2280	powershell.exe	51
PID 2756 wrote to memory of 564	2756	WScript.exe	52
PID 2756 wrote to memory of 564	2756	WScript.exe	52
PID 2756 wrote to memory of 564	2756	WScript.exe	52
PID 564 wrote to memory of 2356	564	powershell.exe	54
PID 564 wrote to memory of 2356	564	powershell.exe	54
PID 564 wrote to memory of 2356	564	powershell.exe	54
PID 2756 wrote to memory of 2396	2756	WScript.exe	55
PID 2756 wrote to memory of 2396	2756	WScript.exe	55
PID 2756 wrote to memory of 2396	2756	WScript.exe	55
PID 2396 wrote to memory of 2776	2396	powershell.exe	57
PID 2396 wrote to memory of 2776	2396	powershell.exe	57
PID 2396 wrote to memory of 2776	2396	powershell.exe	57
PID 2756 wrote to memory of 2784	2756	WScript.exe	58
PID 2756 wrote to memory of 2784	2756	WScript.exe	58
PID 2756 wrote to memory of 2784	2756	WScript.exe	58
PID 2784 wrote to memory of 876	2784	powershell.exe	60
PID 2784 wrote to memory of 876	2784	powershell.exe	60
PID 2784 wrote to memory of 876	2784	powershell.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ref#19907600.vbe"
1⤵
- Blocklisted process makes network request
PID:2112

C:\Windows\system32\taskeng.exe
taskeng.exe {4C38B835-A731-4591-A5B4-3D60624D789B} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\QedtvilYWZEimQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2804" "1244"
      4⤵
      PID:2612
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2212" "1248"
      4⤵
      PID:1992
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "628" "1176"
      4⤵
      PID:800
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2296" "1236"
      4⤵
      PID:1908
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1120" "1232"
      4⤵
      PID:1792
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2280" "1244"
      4⤵
      PID:1632
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "564" "1240"
      4⤵
      PID:2356
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2396" "1240"
      4⤵
      PID:2776
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2784" "1240"
      4⤵
      PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259456591.txt

Filesize
1KB

MD5
5c251842571de261b319045a73d48e38

SHA1
ee16d59279c88770384f6b86a194f278260137f7

SHA256
267b73ba5728af978e64a3e48df41842607d3a1cfdeb91e2dc184251c96cd35e

SHA512
03b2e2485a5c263adb96f342116f6cae8b96afa810449270f71b851bce236f1303e37500c5216b1fbf0f4bcb3e77ffad6bc1f5718c3b954f59f3d7460e450e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259466271.txt

Filesize
1KB

MD5
31be3f71dd7444c1bcb05f3591696f4b

SHA1
f5b276efa4f84d8b98b41f11a194afb3627a7a7d

SHA256
8101e86a40dd4a46f908ac3d3d499a457b589778ddb03d81180e9030326b7c3f

SHA512
df84ca9177e82160c1747a2696bcbaf61d2c6cf19916813b080e054c6e608732e0407448fb4e4be5c79a203a60b2d2974c7bca13174a2956b645a82f784dccbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259485246.txt

Filesize
1KB

MD5
000b9bff07d130174eae621934d89faf

SHA1
993353987575ec50d19802cc452420e6c51d4bf2

SHA256
16d7082d33cd8faa16744d4ea859c46609f4254ac3a46002b46ac79c1ca17231

SHA512
a4d5fbae15267d0c7ad5d7071c8602cce881f80934239677ae69227f73d3d0f119a4a18e48b336f8b5f459c84466a0a8b5924db992e169e3dd175bd5de1e64c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259501002.txt

Filesize
1KB

MD5
8c3591e39621144af200432bcaa7570f

SHA1
b32335dcda6c6f569999063a15127a57d5023366

SHA256
68f4f6c96720de7579a4dc2109c6ce86e06ca134ef42f684a7a3285bdc115bc3

SHA512
ee0ad16cc6a0856e6e35ceb5e8169461e650c375bf26155ac3fc4ef6273cc2d0291af730dd354c4f5ece9a838a3b2b89ffc5f1bd6f0686721a5a999330e57e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259513128.txt

Filesize
1KB

MD5
639c350b95719eea05cc6c6b7b6330fe

SHA1
8f850b3bb0237e28269ea14d12c17a90f21837c8

SHA256
55a029bb9f74231f97fba2dd62f502d5a99d62dc3b2350b77f491833b276a822

SHA512
a5f6e10fc3779026453ec488e221f1c9517296e84ed8c4930b493dd5d0c76107022c6f79b41cbe9382c3c5cb24afd640633bae439b38ad94aba601fdc783e006

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259527123.txt

Filesize
1KB

MD5
c073807c9c33ae6c9fc8fd2415581a40

SHA1
4e28cf4417c832e8ff867dffa58f204726cc676f

SHA256
ce04e344ae9828d6858f0e4db8e6f316e279523b76ffb65322f6ae63cd5c37b8

SHA512
2b14533e3761e4bb6444bf3d963e2ffc5813dfbec69fa7c68f6fb4273e735308af8a4c45f02147c1e4ee53386ab3a86f5b0cb6361443c6689adc1245eb4c64a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259544659.txt

Filesize
1KB

MD5
c29bb56ca68b34573a72a4e52b153e85

SHA1
924f5443dac4596aecf6a10bdd190dda0a718e14

SHA256
6733f300a8d3951d1dcb3b0bebd232743760300da66feab6f4ed65fc557fc2e0

SHA512
89d924bef037f15ad7db08545e1268e560e6eb06b2256d6f4cc802c4764974f8c0cbd9535ef713f05624260b2ce953e0fe1addd7e3714ea726c2624d7e3a4018

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259561811.txt

Filesize
1KB

MD5
77cbf4084bb2513b9a49c3341be0be80

SHA1
73117f316be3fb9fe6d351b0d31f732c9f809a48

SHA256
fa6fc8a4c7461a3eac68162a8e23c203170048be9dfdc3c720f9e1e634255bb1

SHA512
191b6e3b9ae2c381ada04dd889d226a8fc0c7151ce87f2881b7d7b1f3e575312132445aa579b7ca0d36b8072989623707ef375cbdcaf8be22a8f01ce11e28691

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259572220.txt

Filesize
1KB

MD5
81c0faffa7b66ca30a6b30fe7a7ea570

SHA1
b61a653069732695487b586bb38b876552135de6

SHA256
22392d982dc7615a498aada12338a1f27ceb426dc9d0cda0a23246ab603c0a53

SHA512
2d7f3398dcfbdbfed92304abac0c4a504e98ebd05c0f2eca1309d674710b74d1cdf2b3dd22f188a509bc4ec8d8ca484bf622a58ad07defd3d125df50bd2ef26c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f25084e5bbcb4b5856ff3068d5753aa4

SHA1
fd65547e2f40c44e23d796f917a57596aacb26dd

SHA256
792e1340e193492d9447aa0c74bbbd1d7fd9f4cd4b5452397a66636ac007afd9

SHA512
88c4f5a031da5911a21ff5152ee0746aaaf37a750501320048303b7a92e012dae7897529de7812f33c60e9d0f5c7e83b6d51ce9cd934e8dfc4080a22f030cc15

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EL63HE3E173GUJ2AYHUQ.temp

Filesize
7KB

MD5
347520e3b16e2e31c237517f33e4e510

SHA1
cc28079290939baa87eccb7221b95d93a4bf2087

SHA256
c846013381515f0c24667310abc0bcc45963fc3a60b4a626f35da343a402ac2e

SHA512
d8b4ca6a0153b4347fded360b8463f0f5fb15889f5c52f0b07fcfe08fc510b237b20290d6ba9b548e2b43a7d22104159d95b4051b4876d7e2e50168cc5660a57

Download Submit
C:\Users\Admin\AppData\Roaming\QedtvilYWZEimQi.vbs

Filesize
1KB

MD5
a1d4b06df649190f8892c068be6652a3

SHA1
d108497a694413ce06178781126690c55bc094ee

SHA256
e1804e2c3510f2932731a297b50303637156a91e6c33f985786f6be0133073d9

SHA512
af71b1f2ab199170520723f50b8ff46c8a728363b7ee7a746d1f7c0d34c8b18e247769073dbd40c738459d8366940bb98a4cac7e13d50a577f6bd0b3689fa229

Download Submit
memory/2212-16-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2212-17-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2804-6-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2804-8-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

Filesize
32KB

Download
memory/2804-7-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download