5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009.vbe
Size

10KB
MD5

9ff77002fbcbdd6e749722541b423034
SHA1

ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
SHA512

609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
SSDEEP

192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2532	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2872	powershell.exe
2872	powershell.exe
2676	powershell.exe
2676	powershell.exe
1556	powershell.exe
1556	powershell.exe
2816	powershell.exe
2816	powershell.exe
2980	powershell.exe
2980	powershell.exe
1856	powershell.exe
1856	powershell.exe
3040	powershell.exe
3040	powershell.exe
1912	powershell.exe
1912	powershell.exe
2992	powershell.exe
2992	powershell.exe
2476	powershell.exe
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2552	1252	taskeng.exe	31
PID 1252 wrote to memory of 2552	1252	taskeng.exe	31
PID 1252 wrote to memory of 2552	1252	taskeng.exe	31
PID 2552 wrote to memory of 2872	2552	WScript.exe	33
PID 2552 wrote to memory of 2872	2552	WScript.exe	33
PID 2552 wrote to memory of 2872	2552	WScript.exe	33
PID 2872 wrote to memory of 2644	2872	powershell.exe	36
PID 2872 wrote to memory of 2644	2872	powershell.exe	36
PID 2872 wrote to memory of 2644	2872	powershell.exe	36
PID 2552 wrote to memory of 2676	2552	WScript.exe	37
PID 2552 wrote to memory of 2676	2552	WScript.exe	37
PID 2552 wrote to memory of 2676	2552	WScript.exe	37
PID 2676 wrote to memory of 2624	2676	powershell.exe	39
PID 2676 wrote to memory of 2624	2676	powershell.exe	39
PID 2676 wrote to memory of 2624	2676	powershell.exe	39
PID 2552 wrote to memory of 1556	2552	WScript.exe	40
PID 2552 wrote to memory of 1556	2552	WScript.exe	40
PID 2552 wrote to memory of 1556	2552	WScript.exe	40
PID 1556 wrote to memory of 1880	1556	powershell.exe	42
PID 1556 wrote to memory of 1880	1556	powershell.exe	42
PID 1556 wrote to memory of 1880	1556	powershell.exe	42
PID 2552 wrote to memory of 2816	2552	WScript.exe	43
PID 2552 wrote to memory of 2816	2552	WScript.exe	43
PID 2552 wrote to memory of 2816	2552	WScript.exe	43
PID 2816 wrote to memory of 1896	2816	powershell.exe	45
PID 2816 wrote to memory of 1896	2816	powershell.exe	45
PID 2816 wrote to memory of 1896	2816	powershell.exe	45
PID 2552 wrote to memory of 2980	2552	WScript.exe	46
PID 2552 wrote to memory of 2980	2552	WScript.exe	46
PID 2552 wrote to memory of 2980	2552	WScript.exe	46
PID 2980 wrote to memory of 2380	2980	powershell.exe	48
PID 2980 wrote to memory of 2380	2980	powershell.exe	48
PID 2980 wrote to memory of 2380	2980	powershell.exe	48
PID 2552 wrote to memory of 1856	2552	WScript.exe	49
PID 2552 wrote to memory of 1856	2552	WScript.exe	49
PID 2552 wrote to memory of 1856	2552	WScript.exe	49
PID 1856 wrote to memory of 408	1856	powershell.exe	51
PID 1856 wrote to memory of 408	1856	powershell.exe	51
PID 1856 wrote to memory of 408	1856	powershell.exe	51
PID 2552 wrote to memory of 3040	2552	WScript.exe	52
PID 2552 wrote to memory of 3040	2552	WScript.exe	52
PID 2552 wrote to memory of 3040	2552	WScript.exe	52
PID 3040 wrote to memory of 1712	3040	powershell.exe	54
PID 3040 wrote to memory of 1712	3040	powershell.exe	54
PID 3040 wrote to memory of 1712	3040	powershell.exe	54
PID 2552 wrote to memory of 1912	2552	WScript.exe	55
PID 2552 wrote to memory of 1912	2552	WScript.exe	55
PID 2552 wrote to memory of 1912	2552	WScript.exe	55
PID 1912 wrote to memory of 2496	1912	powershell.exe	57
PID 1912 wrote to memory of 2496	1912	powershell.exe	57
PID 1912 wrote to memory of 2496	1912	powershell.exe	57
PID 2552 wrote to memory of 2992	2552	WScript.exe	58
PID 2552 wrote to memory of 2992	2552	WScript.exe	58
PID 2552 wrote to memory of 2992	2552	WScript.exe	58
PID 2992 wrote to memory of 1804	2992	powershell.exe	60
PID 2992 wrote to memory of 1804	2992	powershell.exe	60
PID 2992 wrote to memory of 1804	2992	powershell.exe	60
PID 2552 wrote to memory of 2476	2552	WScript.exe	61
PID 2552 wrote to memory of 2476	2552	WScript.exe	61
PID 2552 wrote to memory of 2476	2552	WScript.exe	61
PID 2476 wrote to memory of 2804	2476	powershell.exe	63
PID 2476 wrote to memory of 2804	2476	powershell.exe	63
PID 2476 wrote to memory of 2804	2476	powershell.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009.vbe"
1⤵
- Blocklisted process makes network request
PID:2532

C:\Windows\system32\taskeng.exe
taskeng.exe {87EE128E-9333-4AF1-9A59-FB1354B05725} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2872" "1244"
      4⤵
      PID:2644
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2676" "1248"
      4⤵
      PID:2624
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1556" "1240"
      4⤵
      PID:1880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2816" "1244"
      4⤵
      PID:1896
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2980" "1240"
      4⤵
      PID:2380
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1856" "1240"
      4⤵
      PID:408
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3040" "1236"
      4⤵
      PID:1712
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1912" "1240"
      4⤵
      PID:2496
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2992" "1240"
      4⤵
      PID:1804
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2476" "1248"
      4⤵
      PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259442665.txt

Filesize
1KB

MD5
c2fdaa823d3a9999067d24952f079dd2

SHA1
599b533e15e084f11f2b2c0d660202d363715b1c

SHA256
32c1c80b82232d85ef0d176944d8b51abb3c61dd6b704fb0d1c7ef87e24002ca

SHA512
4cd55c1e8e3a2138ae4ed6b750253a1a694c7642805580391f783c5f1b2735c421b9e1dec7e011015d633990df1cb34b355b97d18b0608c1de96db9721f900ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259460389.txt

Filesize
1KB

MD5
cfc321e9ef67431fee79ce2aa66db7b8

SHA1
ba21d5d40b278d838d110fdf4c532bec3c633f25

SHA256
178c6fb128c5a4430eb892884822af6fbab8f8d2e119632fa5e4d4037e167365

SHA512
08ee8444264c63d66cefd796ebe4373f3398d76e9e035f1e07c24f3ff37371b1be18806a3149b03ea218a29d4be2ae7b987a8e078bf229e3f5f73e1aab0784a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259474654.txt

Filesize
1KB

MD5
6cfb079fb2bbab19f1f7d4236a31c514

SHA1
ffb24a74198db470982867d89ee2bc4728acb043

SHA256
06df594460085235b5a03cfa14f470d6d4b2a5c67970813f13d9db0bc71ff107

SHA512
baab6ee365820a3332105d0998611bae0affb325edad47d620d6e2ee57616b4f322b700b1b6f703d901138f1ab4332081a526f0c826a34ec10b045e7ceed7aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259487478.txt

Filesize
1KB

MD5
a99ae4b3b70912063957876329773db4

SHA1
60fe217be6501d9c87d7fe07373a949742927557

SHA256
4418db35b01b7972f64ae777451dd066a44c38f3f9ce66bfde761892f9bd51b7

SHA512
a430a7af794531e8bd0b2324969beb3c0b028ac5d35e00fb9cc3a930adef9d379774822f726bf9a929f1a9460dd73f6840449caea85d207db75f3172b6cb4f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259502726.txt

Filesize
1KB

MD5
03785ad5fed6d6dffdc046437d009a1e

SHA1
0698fc67730a785d9330e603bdfda998c1936805

SHA256
bcd2392e435f373e6bcc7bcfc5141adf01fbcda16bad15322dcec86702febaf4

SHA512
8e664afbdc96eb095b919a3ee9b513be51812641fb66894794adfae1c1a7d5b3e094170b0ec7e6053b76bd9032722efd006901a8a4524db4f9595592963c5473

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259519246.txt

Filesize
1KB

MD5
17a7e330c1b0e7f7f8e9cbd727377afa

SHA1
f4a972ea44aeeeb09f4a8a83e507832ff1f018d4

SHA256
512e0dcfda876599fd81568f0e4a8901abea41a1a56534fb4a1380b1f75eefbd

SHA512
555c056c400f21e1a795c7161d3af0c0ced8d2801b688edbffbbdfb38204615fbd32f42175dc8d52b83aada1ed906d610d96c7ca3ae6bf3a7448afb8b2f66cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259537730.txt

Filesize
1KB

MD5
842e8fcb4a30428cb95bbb2eabd589d3

SHA1
16cf3aa99d08ad15d2f0f27dea979d0af2deab56

SHA256
166e1f7f977fa5387184381ac91c55daae4ba981655abb19273eb168fed810d4

SHA512
af53ebe58a1000aae1ebe8bf1bf8ec5a259155f814d153fa9f372719859526754a8bd32671504163e46d5567e42c07161f87bca9a5fd80c5ce0956a887341e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259550216.txt

Filesize
1KB

MD5
9134359605d5bcb4e0f818cb619298eb

SHA1
dfd0f7d7ed7d3b7f000c3c61ccb1cc8016f54f5c

SHA256
0dd546b2f03c848c665d4f7a1fdb8d28fc4259a2849d93e39c1423771d8b9203

SHA512
73ce01d1b0a34dfa3b9a7c4f713e7ae270cfd64d40825219d1cf15e7f228f4a90264380cec2676566871cf7026f8632cc92fb88c461ee882847e030d7b77c9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259566970.txt

Filesize
1KB

MD5
ea3b9ff9d6f3b5b20387e0f592d8f0f4

SHA1
54043439ae0b68c1fb9be0c943843bf1544c0baa

SHA256
1c5fc9512b92b4515fc757388ead618c74a816f33de8ae33a1b7f8b3d8458113

SHA512
98a15f0eedbbdc24c3aa8c548b63a5f248305e6d24821319c8b9faa68dcb1203d731a3e7e7001dc25e4770d3ee07c2c081e56c84506a09e79e7e0ff907d60287

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259582075.txt

Filesize
1KB

MD5
6ade1145d1293a184005292e4b222fe0

SHA1
8a9b30f1690b7ca1857cc0f7de7d7bcc67e2b403

SHA256
03c5212fd38fcd42868a39dfba2fee34125aad523747f4d0aee661c4855df530

SHA512
c89265992a6975fbd152da7160df3ecc482538e36beac2938490572c117241f1614923538a35be1a4169aa5585dce259a8d55370cf771d7e4a68cf0e42847d93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
502a385d4525359fded7180c2146e665

SHA1
88d8bb9f5765977612f2f52fa89bf0df12c861b4

SHA256
f021b9b9aa2ca30b6830dc885b00b1e5320c6fe5633ac35768f11673e454c816

SHA512
e34578dba33677130b9c60a0ed9828b353b34d4f9cd4658bc90b0ae45da34f81d17dd7f40dbdbaa23a37b8150a27857943a5ddc6e9c3b16f9c5ab6b831dd7b62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LUPUWGM6967XJUDSAYXV.temp

Filesize
7KB

MD5
e2f5f9df2f91b9724a5ce19f77ed3630

SHA1
533aff2af46068e6cfbad0436c1ffa56061edf50

SHA256
157e705474c712251446ccca68576613a0d7dadb756432091d2e373f904dc9ef

SHA512
b115d965729d080c5728fa13f6b1c31da2eb01a9ee49c94611e6d2111e741e626d4fa2b5ea11bfacd5e136aa35a6572f472dc4ee506fb1b370aaec71bd5553ea

Download Submit
C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs

Filesize
2KB

MD5
ddf1e2f5de2ce71ccf56af38dedb27d0

SHA1
0033a0eb6babb97203cb8bb7f68287cfac9d96dc

SHA256
0a988536fc481bd16af5469d5faa1bbb9dc321601dfa858479c01844a3cdd1c8

SHA512
f4e451051d3bf74faf142973ef1f2a8c008d654f6d7178dbc426dceee2f16fb88c90980e3e12e77b3499d9f7a0bc4f36faafad35fb52bb9c8f8ba03ae2585941

Download Submit
memory/2676-17-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2676-16-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2872-6-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2872-7-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2872-8-0x0000000002AF0000-0x0000000002AF8000-memory.dmp

Filesize
32KB

Download