5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9

Analysis

max time kernel
137s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009.vbe
Size

10KB
MD5

9ff77002fbcbdd6e749722541b423034
SHA1

ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
SHA512

609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
SSDEEP

192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3028	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2896	powershell.exe
2896	powershell.exe
3004	powershell.exe
3004	powershell.exe
2392	powershell.exe
2392	powershell.exe
1440	powershell.exe
1440	powershell.exe
2140	powershell.exe
2140	powershell.exe
1352	powershell.exe
1352	powershell.exe
2404	powershell.exe
2404	powershell.exe
1608	powershell.exe
1608	powershell.exe
2600	powershell.exe
2600	powershell.exe
3012	powershell.exe
3012	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2688	2240	taskeng.exe	31
PID 2240 wrote to memory of 2688	2240	taskeng.exe	31
PID 2240 wrote to memory of 2688	2240	taskeng.exe	31
PID 2688 wrote to memory of 2896	2688	WScript.exe	33
PID 2688 wrote to memory of 2896	2688	WScript.exe	33
PID 2688 wrote to memory of 2896	2688	WScript.exe	33
PID 2896 wrote to memory of 2536	2896	powershell.exe	35
PID 2896 wrote to memory of 2536	2896	powershell.exe	35
PID 2896 wrote to memory of 2536	2896	powershell.exe	35
PID 2688 wrote to memory of 3004	2688	WScript.exe	36
PID 2688 wrote to memory of 3004	2688	WScript.exe	36
PID 2688 wrote to memory of 3004	2688	WScript.exe	36
PID 3004 wrote to memory of 2416	3004	powershell.exe	38
PID 3004 wrote to memory of 2416	3004	powershell.exe	38
PID 3004 wrote to memory of 2416	3004	powershell.exe	38
PID 2688 wrote to memory of 2392	2688	WScript.exe	40
PID 2688 wrote to memory of 2392	2688	WScript.exe	40
PID 2688 wrote to memory of 2392	2688	WScript.exe	40
PID 2392 wrote to memory of 2320	2392	powershell.exe	42
PID 2392 wrote to memory of 2320	2392	powershell.exe	42
PID 2392 wrote to memory of 2320	2392	powershell.exe	42
PID 2688 wrote to memory of 1440	2688	WScript.exe	43
PID 2688 wrote to memory of 1440	2688	WScript.exe	43
PID 2688 wrote to memory of 1440	2688	WScript.exe	43
PID 1440 wrote to memory of 572	1440	powershell.exe	45
PID 1440 wrote to memory of 572	1440	powershell.exe	45
PID 1440 wrote to memory of 572	1440	powershell.exe	45
PID 2688 wrote to memory of 2140	2688	WScript.exe	46
PID 2688 wrote to memory of 2140	2688	WScript.exe	46
PID 2688 wrote to memory of 2140	2688	WScript.exe	46
PID 2140 wrote to memory of 404	2140	powershell.exe	48
PID 2140 wrote to memory of 404	2140	powershell.exe	48
PID 2140 wrote to memory of 404	2140	powershell.exe	48
PID 2688 wrote to memory of 1352	2688	WScript.exe	49
PID 2688 wrote to memory of 1352	2688	WScript.exe	49
PID 2688 wrote to memory of 1352	2688	WScript.exe	49
PID 1352 wrote to memory of 2296	1352	powershell.exe	51
PID 1352 wrote to memory of 2296	1352	powershell.exe	51
PID 1352 wrote to memory of 2296	1352	powershell.exe	51
PID 2688 wrote to memory of 2404	2688	WScript.exe	52
PID 2688 wrote to memory of 2404	2688	WScript.exe	52
PID 2688 wrote to memory of 2404	2688	WScript.exe	52
PID 2404 wrote to memory of 880	2404	powershell.exe	54
PID 2404 wrote to memory of 880	2404	powershell.exe	54
PID 2404 wrote to memory of 880	2404	powershell.exe	54
PID 2688 wrote to memory of 1608	2688	WScript.exe	55
PID 2688 wrote to memory of 1608	2688	WScript.exe	55
PID 2688 wrote to memory of 1608	2688	WScript.exe	55
PID 1608 wrote to memory of 2872	1608	powershell.exe	57
PID 1608 wrote to memory of 2872	1608	powershell.exe	57
PID 1608 wrote to memory of 2872	1608	powershell.exe	57
PID 2688 wrote to memory of 2600	2688	WScript.exe	58
PID 2688 wrote to memory of 2600	2688	WScript.exe	58
PID 2688 wrote to memory of 2600	2688	WScript.exe	58
PID 2600 wrote to memory of 2956	2600	powershell.exe	60
PID 2600 wrote to memory of 2956	2600	powershell.exe	60
PID 2600 wrote to memory of 2956	2600	powershell.exe	60
PID 2688 wrote to memory of 3012	2688	WScript.exe	61
PID 2688 wrote to memory of 3012	2688	WScript.exe	61
PID 2688 wrote to memory of 3012	2688	WScript.exe	61
PID 3012 wrote to memory of 1052	3012	powershell.exe	63
PID 3012 wrote to memory of 1052	3012	powershell.exe	63
PID 3012 wrote to memory of 1052	3012	powershell.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009.vbe"
1⤵
- Blocklisted process makes network request
PID:3028

C:\Windows\system32\taskeng.exe
taskeng.exe {D2BF6377-4AFC-4765-9AA7-40D85C33181E} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2896" "1244"
      4⤵
      PID:2536
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3004" "1240"
      4⤵
      PID:2416
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2392" "1244"
      4⤵
      PID:2320
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1440" "1248"
      4⤵
      PID:572
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2140" "1240"
      4⤵
      PID:404
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1352" "1248"
      4⤵
      PID:2296
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2404" "1244"
      4⤵
      PID:880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1608" "1248"
      4⤵
      PID:2872
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2600" "1236"
      4⤵
      PID:2956
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3012" "1252"
      4⤵
      PID:1052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259425139.txt

Filesize
1KB

MD5
0e8538409cd288c991fee4310f89cd33

SHA1
3a66efb3219019d0810666580d697aaa8b714ac2

SHA256
35e7c4c8246646b0cb8c0517c33bd870be1fa43e73e321ed44cfd01fc89d4e70

SHA512
45da61b5598cf744a37ffb70f03ff33ab36f02c6ad408fb14c5aed6ec1de16cecda59f6efeef7cbb4810013d834e85c704e17f582cd4f9bf4b108391526002a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259443082.txt

Filesize
1KB

MD5
0389392124f6dd778681975fead7d57c

SHA1
a09c574f43c1279504e5d733875c6fc5fdcfe7f0

SHA256
c1cba144af7d7f45613b7b7fc2c5448eef642059c6938f73886cdb759efc8e7e

SHA512
ff9d6e8277463a7905f98c6fbdbfac6e3b09eb231205649aebd1a9ab5da3ef8f994962bd040e56325409dd217a31e4921665d895881b58175db2bd25e7ea51e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259454225.txt

Filesize
1KB

MD5
28ef864af37437bbdffe61c64ba63798

SHA1
4e7edc71b12eb1b5e98bfc6ddeef264dfda98a35

SHA256
327f4ee18fea53f35197e89ed83c0d656f0ef3c3a1762af16dc0b740f394fec9

SHA512
806b9639767b78d162f2d688aeb785b90182cb8ff9119bc870b1f333e84ea6ea9980dfff110bbe60d46c3379082d90dac957f8d8bb02cfc614b790c66e63e25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259469843.txt

Filesize
1KB

MD5
61db2d117e792b00f8af981f748f7a67

SHA1
969f8214f529e3114fe98ad39cac97bfdd739e1a

SHA256
08201b464721eb784948fb51ff01f6367588c9c859b9a6efaefea0e4e7599305

SHA512
1c6cac0ab071c9abf1dab2dc445a158fa2ad1380f222079e52c651bd65ef5a62b2b8619072ad4d09b5aafd34cc60df09771b656f9cca2dbcc6b69db4d59aa86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259488418.txt

Filesize
1KB

MD5
f80800fa4df147295cc038471667cdb2

SHA1
1f1d834bddb170c980400ddad38b44713d62656a

SHA256
52b0a720020183ddace3f2b3445a168298689cdcc5a1034605d100e9a0ad6e34

SHA512
953eb4055931028fc55e73a2c4395d2405971bced9323652884614844207c12a636a211be0be72febc77f6a750940f8b5eb05d70177c5c86fc857e6aed44820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259501007.txt

Filesize
1KB

MD5
42be6b3b7d6b8e47cda265f9e6520194

SHA1
b048cb93b6636159da7e5362fa27e5e74e434a0f

SHA256
ab37c898eb09d2ff4987cb284d6c2b9d1a0636660bc67ecfd0a2b214877402ac

SHA512
e14a58ef0f0abd8524799456c78c32b15b4c3fcf578779e414b8ce7ebb1ed2ef7906f5e0d423335c9e340ba8343a4bf7a23a6f4d0890d2821cc8cc28c3f9e980

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514535.txt

Filesize
1KB

MD5
128b2f121df31b9c56b8dc7bcf043e7b

SHA1
ac1234f2e9c8caa898991bfe24c2fc63fa96a43b

SHA256
022445659e1bc453221dfad093c5d7e67fb8c076af4b4a291d7ee4b59478515c

SHA512
2ec9e8c1e0901f5a1661b937a2d308af6c6e92d26d49c6789b56226d5afa8376fc260e95335769d001b8a9716279f598bd8859d762c6d3324a7cec6ac6dbd312

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259532221.txt

Filesize
1KB

MD5
54629490f33aef505b8b1a4b1eaaf8d4

SHA1
c6540a8216ad5973ed2ff0fe1f6c6ce96670d209

SHA256
1afb33528f80be29ff44b3ec97f39ab766788b5923bd33412ff4550a57335356

SHA512
b98352b5f5034fa13c0cd2f19850788641c5816cc66640c7622b080be232eb05ffb99f17121b80b83bf25d8cbbde95a00b4e93bf6b4e304e5b97bb137a786ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259544548.txt

Filesize
1KB

MD5
d8c0cd4be08a1ee29c8a4ced5677bb24

SHA1
cd3df9067f5ce808fe63f5b32b5edc82ac9d58d4

SHA256
a4cfeaa797e6db6147ec4a2cdc57d250e87e6f39e093350cb3b94dfd8b2cff0d

SHA512
891a1ae4346ce0b1d0eee64db0b78b0a7447cfb1c8c5da305796d52984092a63bb14651ea5707fe4d529ba24b0333629faf259ec7ea855ba5ee5882e256bbe22

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259559913.txt

Filesize
1KB

MD5
676a9f876124442cfe5424aa4e66b915

SHA1
34c444476ab058a987f67547c87c0304fd57f171

SHA256
85b4297031f10d5755e1704708bbe9e75d3569a2b5d2faa5321341dc2d3ced38

SHA512
237e04471cc2be9c1b562d1f0f04aa83e3b853f5ae1ae088a5d55560a1d69cbe0f5e7b2557dcfd95bb961ccfe94407e6287cd057d8a78e50d1df9cd3a160c769

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ad6aea1aca8bfd40f810b878375759aa

SHA1
9155eb8e7a7e96dda9c06ec916f7a61aa4c4a73e

SHA256
355144a164895b392e31db3bd51e775d45585f766eb61199672dee5b0156823a

SHA512
effa7a00c8d488f59ea61112804f3f88fa49fda606c0c8b7d9d5f5dd6884232033510b49f2c7a81d92c6ea5ba7e5766ab52beafcf0b441de5dfa95f6f26154bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e287e4d1065ee64671b662a1198e2fd

SHA1
5834ff05ab5f7cc05257f1c4c4009a82f742489f

SHA256
42a70e73e66a4ef87db6316b097b4285ad3cc126245aeba0b89cae651e2bbd88

SHA512
8661c51865152336e39a9a2ca6de1ad84a690da89bdcd131f484b5c61bf6c1fe8f43c1d805f5369ac3440a358c1d53f37fa95f3490a4e3f0f133bb909cff6b7d

Download Submit
C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs

Filesize
2KB

MD5
ddf1e2f5de2ce71ccf56af38dedb27d0

SHA1
0033a0eb6babb97203cb8bb7f68287cfac9d96dc

SHA256
0a988536fc481bd16af5469d5faa1bbb9dc321601dfa858479c01844a3cdd1c8

SHA512
f4e451051d3bf74faf142973ef1f2a8c008d654f6d7178dbc426dceee2f16fb88c90980e3e12e77b3499d9f7a0bc4f36faafad35fb52bb9c8f8ba03ae2585941

Download Submit
memory/2896-8-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2896-6-0x000000001B860000-0x000000001BB42000-memory.dmp

Filesize
2.9MB

Download
memory/2896-7-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/3004-17-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/3004-16-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download