e82da29ba80ba9f702db759c4ffb8e755db261421f74a222f9bdb7822999c24c

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009.vbe
Size

10KB
MD5

9ff77002fbcbdd6e749722541b423034
SHA1

ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
SHA512

609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
SSDEEP

192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2428	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2924	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
756	powershell.exe
756	powershell.exe
2704	powershell.exe
2704	powershell.exe
1956	powershell.exe
1956	powershell.exe
2092	powershell.exe
2092	powershell.exe
1332	powershell.exe
1332	powershell.exe
2988	powershell.exe
2988	powershell.exe
1676	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2924	EXCEL.EXE
2924	EXCEL.EXE
2924	EXCEL.EXE
2924	EXCEL.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2548	2568	taskeng.exe	32
PID 2568 wrote to memory of 2548	2568	taskeng.exe	32
PID 2568 wrote to memory of 2548	2568	taskeng.exe	32
PID 2548 wrote to memory of 756	2548	WScript.exe	34
PID 2548 wrote to memory of 756	2548	WScript.exe	34
PID 2548 wrote to memory of 756	2548	WScript.exe	34
PID 756 wrote to memory of 2724	756	powershell.exe	36
PID 756 wrote to memory of 2724	756	powershell.exe	36
PID 756 wrote to memory of 2724	756	powershell.exe	36
PID 2548 wrote to memory of 2704	2548	WScript.exe	37
PID 2548 wrote to memory of 2704	2548	WScript.exe	37
PID 2548 wrote to memory of 2704	2548	WScript.exe	37
PID 2704 wrote to memory of 1944	2704	powershell.exe	39
PID 2704 wrote to memory of 1944	2704	powershell.exe	39
PID 2704 wrote to memory of 1944	2704	powershell.exe	39
PID 2548 wrote to memory of 1956	2548	WScript.exe	40
PID 2548 wrote to memory of 1956	2548	WScript.exe	40
PID 2548 wrote to memory of 1956	2548	WScript.exe	40
PID 1956 wrote to memory of 2120	1956	powershell.exe	42
PID 1956 wrote to memory of 2120	1956	powershell.exe	42
PID 1956 wrote to memory of 2120	1956	powershell.exe	42
PID 2548 wrote to memory of 2092	2548	WScript.exe	43
PID 2548 wrote to memory of 2092	2548	WScript.exe	43
PID 2548 wrote to memory of 2092	2548	WScript.exe	43
PID 2092 wrote to memory of 444	2092	powershell.exe	45
PID 2092 wrote to memory of 444	2092	powershell.exe	45
PID 2092 wrote to memory of 444	2092	powershell.exe	45
PID 2548 wrote to memory of 1332	2548	WScript.exe	46
PID 2548 wrote to memory of 1332	2548	WScript.exe	46
PID 2548 wrote to memory of 1332	2548	WScript.exe	46
PID 1332 wrote to memory of 2384	1332	powershell.exe	48
PID 1332 wrote to memory of 2384	1332	powershell.exe	48
PID 1332 wrote to memory of 2384	1332	powershell.exe	48
PID 2548 wrote to memory of 2988	2548	WScript.exe	49
PID 2548 wrote to memory of 2988	2548	WScript.exe	49
PID 2548 wrote to memory of 2988	2548	WScript.exe	49
PID 2988 wrote to memory of 1752	2988	powershell.exe	51
PID 2988 wrote to memory of 1752	2988	powershell.exe	51
PID 2988 wrote to memory of 1752	2988	powershell.exe	51
PID 2548 wrote to memory of 1676	2548	WScript.exe	52
PID 2548 wrote to memory of 1676	2548	WScript.exe	52
PID 2548 wrote to memory of 1676	2548	WScript.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009.vbe"
1⤵
- Blocklisted process makes network request
PID:2428

C:\Windows\system32\taskeng.exe
taskeng.exe {F7F7D4ED-23CD-48B6-A989-E73F09B7A812} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "756" "1240"
      4⤵
      PID:2724
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2704" "1240"
      4⤵
      PID:1944
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1956" "1236"
      4⤵
      PID:2120
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2092" "1228"
      4⤵
      PID:444
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1332" "1236"
      4⤵
      PID:2384
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2988" "1240"
      4⤵
      PID:1752
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259478760.txt

Filesize
1KB

MD5
f48ccdd6059eea1ca831a65e1a068d4c

SHA1
36d6387ad0d2b8850f9d89fa40c7a6e884d894bc

SHA256
193116086f2a93de672c43db8275de3c1da1ca5386507071321d0c515a89de54

SHA512
f712d3741eabb134c4d8dc4fdb6eaa698eb2717d94ec2a70bb11c1881fd9ec93b47fc78ac54c099b1a04b20913c7dbe823525a8ad377129c6e64e7962c454647

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259496841.txt

Filesize
1KB

MD5
6a4d6c151d9ae8559a4293ef928dc6f1

SHA1
57dfa4b6077d0db42458928a09203f5f8f34992f

SHA256
a1ff39ca16a802dc8eb95dc3627c9b716200c105ba29b9736af59bd82983cf7d

SHA512
f28ee4c59725ef3878e26d2b5b99696956f15a05bba84ac700457e26d8473b0be9536d32a398ad2003f2bdd4de9f367946665249b0ff9fe898d855d41dc5b174

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259509363.txt

Filesize
1KB

MD5
64b9db91469ad7c54e530ccfd738fef7

SHA1
679d5babf11285653854280878ad96979ba06d48

SHA256
6a0af4ec2198e4a5cc43199b73b9f78791ce5814eb0ebf52e7a82a63b20a7647

SHA512
19ffb4cf7bf5b63fbde42e4ef48ebe270ec1770797ac54156fc75cec574041b2fd28f929a89c2efc4f0929c5d434296e31031fd8dd0a052c45ce7c13f8c74c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259526462.txt

Filesize
1KB

MD5
57d0f30cfd3f3bff94450f5342f4e3d2

SHA1
27418a25a37483fe877464f8291e33a448a9c215

SHA256
fab1495ca67396050c4563629b101faed5549f3d5d2e40e972c49d08b40f8c14

SHA512
b93ef8349a3d7dee90db2bd2e36d5cfafd56777f39a3af80142aa7e0e169db8e927294e4c16c81a5f6ff961d1870caa6559d658f8c507dbb1a416fc6694ab926

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259540825.txt

Filesize
1KB

MD5
146e66415afc44226fb8d40a20e73b5d

SHA1
2972622ee7f0a1d137970abed07f6ffca5adafdd

SHA256
0476fb3ed0998bff1d652f36d364a0f1cc6a5004a47e232c4d28cd2c856d9a6d

SHA512
106b904ce3d114a5be75a5ba4450473b2449ef42174503578cfc28ea6e3a5631302bb35ce5ac0688138d33ed5b7d67a016d6d9697d784ca17eb30fa078cfc428

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259553014.txt

Filesize
1KB

MD5
3db4d1c6833e16b031e5613085d0bc0e

SHA1
ea2419688a23e850b694bfd8c76c617b02d1bf17

SHA256
b34b903dba03742402aa095e7aa42693c62713ecae04313ad7912e55847f43da

SHA512
01bc6fe50c0e3519347f93e6c07686a1dd18aaa5986676326a9063b7c99d7115ca0152f6ce366feef21b2f9db942a6cc8df179da9afc27aaf8f7ab1d086ac49c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b5e33226a7d41400ea20c3e526c7d2da

SHA1
4946a80aacbbb6a53205bc50d4e601a25b327ba6

SHA256
d944be663c2b48909c53db7ea6fb4abd61e3990c489884d855d80aeb44950506

SHA512
0878314215bbc88ca783b8bde8cb71cce4067e336f56854c7f9693260b6c615e3f0cb1495373971856211b9e212c29a449921a5f0f7cd01a9a6dbcec316f7190

Download Submit
C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs

Filesize
2KB

MD5
ddf1e2f5de2ce71ccf56af38dedb27d0

SHA1
0033a0eb6babb97203cb8bb7f68287cfac9d96dc

SHA256
0a988536fc481bd16af5469d5faa1bbb9dc321601dfa858479c01844a3cdd1c8

SHA512
f4e451051d3bf74faf142973ef1f2a8c008d654f6d7178dbc426dceee2f16fb88c90980e3e12e77b3499d9f7a0bc4f36faafad35fb52bb9c8f8ba03ae2585941

Download Submit
memory/756-8-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/756-7-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/756-6-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2704-17-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2704-16-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2924-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download