5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009.vbe
Size

10KB
MD5

9ff77002fbcbdd6e749722541b423034
SHA1

ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
SHA512

609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
SSDEEP

192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2736	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2528	powershell.exe
2528	powershell.exe
2012	powershell.exe
2012	powershell.exe
2656	powershell.exe
2656	powershell.exe
636	powershell.exe
636	powershell.exe
2976	powershell.exe
2976	powershell.exe
2304	powershell.exe
2304	powershell.exe
2744	powershell.exe
2744	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 588	3016	taskeng.exe	32
PID 3016 wrote to memory of 588	3016	taskeng.exe	32
PID 3016 wrote to memory of 588	3016	taskeng.exe	32
PID 588 wrote to memory of 2528	588	WScript.exe	34
PID 588 wrote to memory of 2528	588	WScript.exe	34
PID 588 wrote to memory of 2528	588	WScript.exe	34
PID 2528 wrote to memory of 1904	2528	powershell.exe	36
PID 2528 wrote to memory of 1904	2528	powershell.exe	36
PID 2528 wrote to memory of 1904	2528	powershell.exe	36
PID 588 wrote to memory of 2012	588	WScript.exe	37
PID 588 wrote to memory of 2012	588	WScript.exe	37
PID 588 wrote to memory of 2012	588	WScript.exe	37
PID 2012 wrote to memory of 868	2012	powershell.exe	39
PID 2012 wrote to memory of 868	2012	powershell.exe	39
PID 2012 wrote to memory of 868	2012	powershell.exe	39
PID 588 wrote to memory of 2656	588	WScript.exe	40
PID 588 wrote to memory of 2656	588	WScript.exe	40
PID 588 wrote to memory of 2656	588	WScript.exe	40
PID 2656 wrote to memory of 2108	2656	powershell.exe	42
PID 2656 wrote to memory of 2108	2656	powershell.exe	42
PID 2656 wrote to memory of 2108	2656	powershell.exe	42
PID 588 wrote to memory of 636	588	WScript.exe	43
PID 588 wrote to memory of 636	588	WScript.exe	43
PID 588 wrote to memory of 636	588	WScript.exe	43
PID 636 wrote to memory of 1744	636	powershell.exe	45
PID 636 wrote to memory of 1744	636	powershell.exe	45
PID 636 wrote to memory of 1744	636	powershell.exe	45
PID 588 wrote to memory of 2976	588	WScript.exe	46
PID 588 wrote to memory of 2976	588	WScript.exe	46
PID 588 wrote to memory of 2976	588	WScript.exe	46
PID 2976 wrote to memory of 1276	2976	powershell.exe	48
PID 2976 wrote to memory of 1276	2976	powershell.exe	48
PID 2976 wrote to memory of 1276	2976	powershell.exe	48
PID 588 wrote to memory of 2304	588	WScript.exe	49
PID 588 wrote to memory of 2304	588	WScript.exe	49
PID 588 wrote to memory of 2304	588	WScript.exe	49
PID 2304 wrote to memory of 2064	2304	powershell.exe	51
PID 2304 wrote to memory of 2064	2304	powershell.exe	51
PID 2304 wrote to memory of 2064	2304	powershell.exe	51
PID 588 wrote to memory of 2744	588	WScript.exe	52
PID 588 wrote to memory of 2744	588	WScript.exe	52
PID 588 wrote to memory of 2744	588	WScript.exe	52
PID 2744 wrote to memory of 1232	2744	powershell.exe	54
PID 2744 wrote to memory of 1232	2744	powershell.exe	54
PID 2744 wrote to memory of 1232	2744	powershell.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009.vbe"
1⤵
- Blocklisted process makes network request
PID:2736

C:\Windows\system32\taskeng.exe
taskeng.exe {9596092C-DC7D-4AD8-ADC8-6B30D9CC92CE} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2528" "1240"
      4⤵
      PID:1904
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2012" "1252"
      4⤵
      PID:868
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2656" "1244"
      4⤵
      PID:2108
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "636" "1244"
      4⤵
      PID:1744
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2976" "1240"
      4⤵
      PID:1276
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2304" "1252"
      4⤵
      PID:2064
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2744" "1240"
      4⤵
      PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259471998.txt

Filesize
1KB

MD5
f2daf7e870e004d1903fda7d14a9500b

SHA1
1a85a4832099aade56f633d19976321b4ad12c9d

SHA256
69dd8bebd72462f582fe0f1f720d4dd6da3a8646b292cba9d8c8720af0bda91b

SHA512
f72d72585345e3820ae00810b0d0ba352e8bf56fb066a854ef8da36a8d30b63ec874edd02e4a389ff7fb6c67da3379044999d3dbd810df58e0c5a8050f47fb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259484409.txt

Filesize
1KB

MD5
e0bcef5465433f79a75eb90767bd819f

SHA1
32bc95aa7262cada00a9e71992010e26c106a97b

SHA256
2b7552e61429837bca9de97b3698ae05e515ffdea4211341da7c0bdda8a1eeda

SHA512
b445c683e9faa34f83b0cccb015159170c22400638f1ec81fa7c94dd8bd0fadb66f26affaa57d323d3f6df1ee1419e5419ce3fd0ca826cf7c01d64caaf0fba73

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259501476.txt

Filesize
1KB

MD5
fa8cf09c7e13af43bf2c4f1910543c3c

SHA1
bb71bba72b6ce9cbc79ebe04b430ca95a19d1d61

SHA256
bacc8efd3322b465767867939f13f7814db74af6a90b18723c01e87d43fd7fb8

SHA512
c422ef56968e0867611fd498bd97735420243fe1bb63fb4cfad9b37c1324903494dcccf5331b1d1cd0c344935f3b69482f5af0d1499f08d3e6f632b51ffd0a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514673.txt

Filesize
1KB

MD5
e2dac64e4dedc5dcf7ec6cd977d18eaa

SHA1
58ffe7a0de84a8b56920fc15834ee525388d9b53

SHA256
fb0937a5c422ffcf43bac7aea2f701d9a35baa6997ea0a2a85dcc68101ef6872

SHA512
27fde29ab92747a8858d74640aa81f47ef88c70aa41ccfec3976d55fe1a41955c7197ff04c247a170aa62de215be30c018bfbd277be98ec1a4dfc6bf01f88f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259528170.txt

Filesize
1KB

MD5
a4f8326332dbddf0e9e84cd19955803e

SHA1
30b86e5be146fa97af4754acad5e4cb63f0c9f09

SHA256
acedbb6febcdd92925250bfbda03c85edf5ba380496be1f068026c213541bd53

SHA512
5a0db92d5a0f11fa791820cddee622ed338b2f81abe2700a07347f39d49c0c8114ed4c3aeeaf4671df910937a2a8470913ef9d7d67e8efe750a8ee034295cb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259543220.txt

Filesize
1KB

MD5
860ef6a9c35609c9fcfbb7c59dca453d

SHA1
efb99c5228ef8f7f05fb6617e2ac10becb0e0996

SHA256
6e632f300930688c26a47bdc12afc8e5c669d493f1044fc9f71a889a72d2a53c

SHA512
da8aca37cef601d4bb454be80c5d99913904b237baf8993ec31b5f95b82e90fce32166c75afbe2391f1ef53b12e4c48554997c68dc4cfc0e40943b5e14a09c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259563017.txt

Filesize
1KB

MD5
87d158083982966b1c0329b707b910aa

SHA1
6710a4f4bcdb687f7f628f590ab4dd47a0e010aa

SHA256
030b2c64254a605c926d271de763d347a741ac06bc868619f137fcd68a4ad19b

SHA512
51f9a68a712af76bd993bd2790fd447dccad314b28e3cc0d9cae431c9f433284f3edeb8a67ed87e7fd1f3f329dbd97379fa5b6ec03ee5b1512c5da862af1dce0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aba6c316cb15dcfbaa2ba42cba0811a3

SHA1
1c340db04557b9185beec0525c6a96b554be1882

SHA256
daf97994d0a8fc1e2f3c0b3a926c579e4e4e7964c02ece724fa86653c6c77763

SHA512
628918495d7b1daa0386708ba19aa17b316074f8458c413b5f214b56b1dbd81af48cb0df94f7b52599d36816fb0d3aa285ba0d24d86d4b824802cb578b73bc81

Download Submit
C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs

Filesize
2KB

MD5
ddf1e2f5de2ce71ccf56af38dedb27d0

SHA1
0033a0eb6babb97203cb8bb7f68287cfac9d96dc

SHA256
0a988536fc481bd16af5469d5faa1bbb9dc321601dfa858479c01844a3cdd1c8

SHA512
f4e451051d3bf74faf142973ef1f2a8c008d654f6d7178dbc426dceee2f16fb88c90980e3e12e77b3499d9f7a0bc4f36faafad35fb52bb9c8f8ba03ae2585941

Download Submit
memory/2012-16-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2012-17-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/2528-8-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download
memory/2528-7-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/2528-6-0x000000001B880000-0x000000001BB62000-memory.dmp

Filesize
2.9MB

Download