a04dfafd9b29c2bfcea406d0b0cae7500f349b6266a0f6a6cda47616597e7653

Analysis

max time kernel
143s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OfferRef0094.vbe
Size

10KB
MD5

a51ed306c14c21ca72ca83e08a9ef09f
SHA1

773ff6701795750856b76c16ff52d454849d7eba
SHA256

a04dfafd9b29c2bfcea406d0b0cae7500f349b6266a0f6a6cda47616597e7653
SHA512

ac6903f3095a1b5a5c2b389457a5243bded37ea0b051b94321cedac7298fb3cbd78c133823900feec489b51e929977c0889a0258d01292afb2266d89122f8610
SSDEEP

192:aPDnrW7aSxew+zwqBP+ZFm+qq+GhQTHAiKaEVK:AnrW7aSxebwrmjdGmTHAiO8

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

2 2172 WScript.exe

flow	pid	process
2	2172	WScript.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1736 vlc.exe

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1736	vlc.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1576	powershell.exe
1812	powershell.exe
1576	powershell.exe
1548	powershell.exe
1548	powershell.exe
2392	powershell.exe
2392	powershell.exe
2956	powershell.exe
2956	powershell.exe
1920	powershell.exe
1920	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

1736 vlc.exe

pid	process
1736	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

vlc.exe

pid process

1736 vlc.exe
1736 vlc.exe
1736 vlc.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

vlc.exe

pid process

1736 vlc.exe
1736 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1736 vlc.exe

pid	process
1736	vlc.exe
1736	vlc.exe
1736	vlc.exe

pid	process
1736	vlc.exe
1736	vlc.exe

pid	process
1736	vlc.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

taskeng.exeWScript.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2716 wrote to memory of 2780	2716	taskeng.exe	WScript.exe
PID 2716 wrote to memory of 2780	2716	taskeng.exe	WScript.exe
PID 2716 wrote to memory of 2780	2716	taskeng.exe	WScript.exe
PID 2780 wrote to memory of 1576	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1576	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1576	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1812	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1812	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1812	2780	WScript.exe	powershell.exe
PID 1812 wrote to memory of 468	1812	powershell.exe	wermgr.exe
PID 1812 wrote to memory of 468	1812	powershell.exe	wermgr.exe
PID 1812 wrote to memory of 468	1812	powershell.exe	wermgr.exe
PID 1576 wrote to memory of 2596	1576	powershell.exe	wermgr.exe
PID 1576 wrote to memory of 2596	1576	powershell.exe	wermgr.exe
PID 1576 wrote to memory of 2596	1576	powershell.exe	wermgr.exe
PID 2780 wrote to memory of 1548	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1548	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1548	2780	WScript.exe	powershell.exe
PID 1548 wrote to memory of 1832	1548	powershell.exe	wermgr.exe
PID 1548 wrote to memory of 1832	1548	powershell.exe	wermgr.exe
PID 1548 wrote to memory of 1832	1548	powershell.exe	wermgr.exe
PID 2780 wrote to memory of 2392	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 2392	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 2392	2780	WScript.exe	powershell.exe
PID 2392 wrote to memory of 1568	2392	powershell.exe	wermgr.exe
PID 2392 wrote to memory of 1568	2392	powershell.exe	wermgr.exe
PID 2392 wrote to memory of 1568	2392	powershell.exe	wermgr.exe
PID 2780 wrote to memory of 2956	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 2956	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 2956	2780	WScript.exe	powershell.exe
PID 2956 wrote to memory of 892	2956	powershell.exe	wermgr.exe
PID 2956 wrote to memory of 892	2956	powershell.exe	wermgr.exe
PID 2956 wrote to memory of 892	2956	powershell.exe	wermgr.exe
PID 2780 wrote to memory of 1920	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1920	2780	WScript.exe	powershell.exe
PID 2780 wrote to memory of 1920	2780	WScript.exe	powershell.exe
PID 1920 wrote to memory of 968	1920	powershell.exe	wermgr.exe
PID 1920 wrote to memory of 968	1920	powershell.exe	wermgr.exe
PID 1920 wrote to memory of 968	1920	powershell.exe	wermgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OfferRef0094.vbe"
1⤵
- Blocklisted process makes network request
PID:2172

C:\Windows\system32\taskeng.exe
taskeng.exe {4688CA25-0FD5-4223-B645-437CC79C8230} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\UkueKOiAEYZeQUG.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1576" "1256"
      4⤵
      PID:2596
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1812" "1144"
      4⤵
      PID:468
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1548" "1252"
      4⤵
      PID:1832
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2392" "1252"
      4⤵
      PID:1568
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2956" "1252"
      4⤵
      PID:892
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1920" "1252"
      4⤵
      PID:968

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchWait.3gp2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259588112.txt

Filesize
1KB

MD5
dff12f5780d37fff9ac8e69d1040a5aa

SHA1
950ad760e4382d376b69b1454b87209f97d54977

SHA256
bd4d89008d8cb992eaaf2e04f16e500b84a9e1dc7413858249805677e1b275d4

SHA512
4e43bbf94301db240a225114c7643ca35809a2e0d902181e1c95b277fb4d1dd0fdb70a19b7168e80ff2e29b799a7761549415b54753126021a4e9131fcdeb052

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259588365.txt

Filesize
1KB

MD5
4f122d12bc37f07819c75867887cabdb

SHA1
c830f486e5760b9dc3853a6abf6022c6b283a405

SHA256
eab316014b49dac522964b2029ec6de28d4b43ba55d065a96b2d871b5e4a0f78

SHA512
2449f7f41cb6716a62596abf8ebf4f307cb32300474870dd097b1e80e30a9879e379d69e3aa35345883342efcfc114a0c3bd47a19f37af6a186c3eb74c2c7fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259605960.txt

Filesize
1KB

MD5
db09979e6127a559d2d64469a41bd949

SHA1
4cdb553815a40e4546ea69cfb9f4416023628eb4

SHA256
90cf73a58aad22ffabe6ef76f8401e51ece5895c8d71c40ca4d1332213384558

SHA512
4f3f15a8d6bf695156b67f055b727e15f45091bb03c4f291990935a24c21dbcf9019c1b87a95978d00c7774fb1552541c2ee1b5fef82418707448ba8373c5a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259618325.txt

Filesize
1KB

MD5
8fd615ffc6b3926c9aef54be6f31b5ca

SHA1
92dae7754a9e48d80f6a8382426ec977acfb9fed

SHA256
252b2a504f51cfab5bab2c3778f528d73a76a4b9ddaaa9f090584662679bdee8

SHA512
500c38abdc5e5f6fe5a3c0e87c76431f26804557a8774d2e935f05f1c6803aaa510f7367250361d7907340fe481a66097f683a2a90583995f9b777bc98e6e42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259634659.txt

Filesize
1KB

MD5
d2357618836a3e00b1d121c59f4e0579

SHA1
1400a92dc89e62b1053910d0b5275e6b8d140780

SHA256
1863cea1ae770941b427e08d41200cccaac75444ba30ee07175b907d94b8fff9

SHA512
b78dd26de237d44d074f40b57de7db472d895c7ac1e82574f775ac3f37881037a07099fd0abb04725ebfd06b265864ea3af14a2441d17d696b208a30ac205c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259652831.txt

Filesize
1KB

MD5
e8f3fc2795e4f12653b976cccf60eb04

SHA1
4b150663ad2cb0687d6f35a1e3ee5153a058df07

SHA256
aa7bcf63e22e909acd9005dd51f07d9f08d8b347202078be169905c84706c93c

SHA512
bb55069a038c8d1b7d035a165f014106d3a5f256f862611acce625d061ac50c7eb236a3b2938b02b236769e31bc2bd9f9590450215e48c859784e39b4e407d59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ab3c7f34971c1295661eb7a12b3abffa

SHA1
ae339f914ad0d03259572ce2ed570cc4149f4eec

SHA256
98d41cc498c38dc61ddc405cd88e7cfadcdafb25f5bc0c8b83822d0335090f26

SHA512
d63fa42b3007a51f6953033c0752d7bb4bb703a5707b6a0d89200d48623db61c2ccd6436ff5bdbf3c8a15b57015163d4f277d9b56496ebeea96d7ea4d0ce9b02

Download Submit
C:\Users\Admin\AppData\Roaming\UkueKOiAEYZeQUG.vbs

Filesize
1KB

MD5
8d2ef661762408d476781fc9b8a9fa65

SHA1
72ec46ea5a6e24510a7fa9d8b2b3a0bbd1a8addc

SHA256
1d69d8ce4bff41a38e9ab2c7f238abbbf90cdc7d3e698142253c1379f9cc5cfa

SHA512
ec10960169ab3a24f7e0c8d2848445759fbfc9cdb2bd9f86ec2f663d7d4a30bc5ec31276a21697c8003d99740bb4cf2084043f625b9de0f39682dd05d0bb5a46

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1548-126-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1548-125-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/1576-7-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/1576-47-0x0000000002930000-0x0000000002938000-memory.dmp

Filesize
32KB

Download
memory/1576-6-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1736-30-0x000007FEF1E80000-0x000007FEF1EE7000-memory.dmp

Filesize
412KB

Download
memory/1736-35-0x000007FEF1D20000-0x000007FEF1D44000-memory.dmp

Filesize
144KB

Download
memory/1736-21-0x000007FEF2000000-0x000007FEF2021000-memory.dmp

Filesize
132KB

Download
memory/1736-23-0x000007FEF1FC0000-0x000007FEF1FD1000-memory.dmp

Filesize
68KB

Download
memory/1736-26-0x000007FEF1F60000-0x000007FEF1F7B000-memory.dmp

Filesize
108KB

Download
memory/1736-27-0x000007FEF1F40000-0x000007FEF1F51000-memory.dmp

Filesize
68KB

Download
memory/1736-25-0x000007FEF1F80000-0x000007FEF1F91000-memory.dmp

Filesize
68KB

Download
memory/1736-24-0x000007FEF1FA0000-0x000007FEF1FB1000-memory.dmp

Filesize
68KB

Download
memory/1736-28-0x000007FEF1F20000-0x000007FEF1F38000-memory.dmp

Filesize
96KB

Download
memory/1736-29-0x000007FEF1EF0000-0x000007FEF1F20000-memory.dmp

Filesize
192KB

Download
memory/1736-18-0x000007FEF2080000-0x000007FEF228B000-memory.dmp

Filesize
2.0MB

Download
memory/1736-33-0x000007FEF1D80000-0x000007FEF1DD7000-memory.dmp

Filesize
348KB

Download
memory/1736-32-0x000007FEF1DE0000-0x000007FEF1DF1000-memory.dmp

Filesize
68KB

Download
memory/1736-34-0x000007FEF1D50000-0x000007FEF1D78000-memory.dmp

Filesize
160KB

Download
memory/1736-37-0x000007FEF1CD0000-0x000007FEF1CF3000-memory.dmp

Filesize
140KB

Download
memory/1736-38-0x000007FEF1CB0000-0x000007FEF1CC1000-memory.dmp

Filesize
68KB

Download
memory/1736-36-0x000007FEF1D00000-0x000007FEF1D18000-memory.dmp

Filesize
96KB

Download
memory/1736-22-0x000007FEF1FE0000-0x000007FEF1FF8000-memory.dmp

Filesize
96KB

Download
memory/1736-39-0x000007FEF1C90000-0x000007FEF1CA2000-memory.dmp

Filesize
72KB

Download
memory/1736-31-0x000007FEF1E00000-0x000007FEF1E7C000-memory.dmp

Filesize
496KB

Download
memory/1736-40-0x000007FEF1C60000-0x000007FEF1C81000-memory.dmp

Filesize
132KB

Download
memory/1736-41-0x000007FEF1C40000-0x000007FEF1C53000-memory.dmp

Filesize
76KB

Download
memory/1736-20-0x000007FEED2C0000-0x000007FEEE370000-memory.dmp

Filesize
16.7MB

Download
memory/1736-19-0x000007FEF2030000-0x000007FEF2071000-memory.dmp

Filesize
260KB

Download
memory/1736-10-0x000007FEF4DB0000-0x000007FEF5066000-memory.dmp

Filesize
2.7MB

Download
memory/1736-13-0x000007FEF2310000-0x000007FEF2321000-memory.dmp

Filesize
68KB

Download
memory/1736-15-0x000007FEF22D0000-0x000007FEF22E1000-memory.dmp

Filesize
68KB

Download
memory/1736-16-0x000007FEF22B0000-0x000007FEF22CD000-memory.dmp

Filesize
116KB

Download
memory/1736-17-0x000007FEF2290000-0x000007FEF22A1000-memory.dmp

Filesize
68KB

Download
memory/1736-14-0x000007FEF22F0000-0x000007FEF2307000-memory.dmp

Filesize
92KB

Download
memory/1736-11-0x000007FEF6A10000-0x000007FEF6A28000-memory.dmp

Filesize
96KB

Download
memory/1736-12-0x000007FEF2CF0000-0x000007FEF2D07000-memory.dmp

Filesize
92KB

Download
memory/1736-8-0x000000013F750000-0x000000013F848000-memory.dmp

Filesize
992KB

Download
memory/1736-9-0x000007FEFAEE0000-0x000007FEFAF14000-memory.dmp

Filesize
208KB

Download