e82da29ba80ba9f702db759c4ffb8e755db261421f74a222f9bdb7822999c24c

Analysis

max time kernel
146s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009.vbe
Size

10KB
MD5

9ff77002fbcbdd6e749722541b423034
SHA1

ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
SHA512

609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
SSDEEP

192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2396	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2672	powershell.exe
2672	powershell.exe
2040	powershell.exe
2040	powershell.exe
2916	powershell.exe
2916	powershell.exe
448	powershell.exe
448	powershell.exe
896	powershell.exe
896	powershell.exe
2328	powershell.exe
2328	powershell.exe
2076	powershell.exe
2076	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2632	2904	taskeng.exe	32
PID 2904 wrote to memory of 2632	2904	taskeng.exe	32
PID 2904 wrote to memory of 2632	2904	taskeng.exe	32
PID 2632 wrote to memory of 2672	2632	WScript.exe	34
PID 2632 wrote to memory of 2672	2632	WScript.exe	34
PID 2632 wrote to memory of 2672	2632	WScript.exe	34
PID 2672 wrote to memory of 1480	2672	powershell.exe	36
PID 2672 wrote to memory of 1480	2672	powershell.exe	36
PID 2672 wrote to memory of 1480	2672	powershell.exe	36
PID 2632 wrote to memory of 2040	2632	WScript.exe	37
PID 2632 wrote to memory of 2040	2632	WScript.exe	37
PID 2632 wrote to memory of 2040	2632	WScript.exe	37
PID 2040 wrote to memory of 1896	2040	powershell.exe	39
PID 2040 wrote to memory of 1896	2040	powershell.exe	39
PID 2040 wrote to memory of 1896	2040	powershell.exe	39
PID 2632 wrote to memory of 2916	2632	WScript.exe	40
PID 2632 wrote to memory of 2916	2632	WScript.exe	40
PID 2632 wrote to memory of 2916	2632	WScript.exe	40
PID 2916 wrote to memory of 2232	2916	powershell.exe	42
PID 2916 wrote to memory of 2232	2916	powershell.exe	42
PID 2916 wrote to memory of 2232	2916	powershell.exe	42
PID 2632 wrote to memory of 448	2632	WScript.exe	43
PID 2632 wrote to memory of 448	2632	WScript.exe	43
PID 2632 wrote to memory of 448	2632	WScript.exe	43
PID 448 wrote to memory of 612	448	powershell.exe	45
PID 448 wrote to memory of 612	448	powershell.exe	45
PID 448 wrote to memory of 612	448	powershell.exe	45
PID 2632 wrote to memory of 896	2632	WScript.exe	46
PID 2632 wrote to memory of 896	2632	WScript.exe	46
PID 2632 wrote to memory of 896	2632	WScript.exe	46
PID 896 wrote to memory of 1288	896	powershell.exe	48
PID 896 wrote to memory of 1288	896	powershell.exe	48
PID 896 wrote to memory of 1288	896	powershell.exe	48
PID 2632 wrote to memory of 2328	2632	WScript.exe	49
PID 2632 wrote to memory of 2328	2632	WScript.exe	49
PID 2632 wrote to memory of 2328	2632	WScript.exe	49
PID 2328 wrote to memory of 2496	2328	powershell.exe	51
PID 2328 wrote to memory of 2496	2328	powershell.exe	51
PID 2328 wrote to memory of 2496	2328	powershell.exe	51
PID 2632 wrote to memory of 2076	2632	WScript.exe	52
PID 2632 wrote to memory of 2076	2632	WScript.exe	52
PID 2632 wrote to memory of 2076	2632	WScript.exe	52
PID 2076 wrote to memory of 2988	2076	powershell.exe	54
PID 2076 wrote to memory of 2988	2076	powershell.exe	54
PID 2076 wrote to memory of 2988	2076	powershell.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009.vbe"
1⤵
- Blocklisted process makes network request
PID:2396

C:\Windows\system32\taskeng.exe
taskeng.exe {A8821227-1062-498B-BF64-6B26A53FA88A} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2672" "1236"
      4⤵
      PID:1480
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2040" "1252"
      4⤵
      PID:1896
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2916" "1236"
      4⤵
      PID:2232
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "448" "1248"
      4⤵
      PID:612
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "896" "1228"
      4⤵
      PID:1288
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2328" "1244"
      4⤵
      PID:2496
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2076" "1236"
      4⤵
      PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259490094.txt

Filesize
1KB

MD5
b039cb813fb82b6f90d3f348b8aaec30

SHA1
9938180acc08862603fd03ca166a2f3247ed308e

SHA256
11c6bf6557f3da62a9e8b92fbf553412975486af2c519c27d14d1014c5b3d8f3

SHA512
ea33f22e573f5813b4d07bf9bb3dd0ed9ada23a1b565016e64b9886158a841dfad075cd418262581700ee29f0d4d151e60d2a065993cb78a79f823972f4a84de

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259506743.txt

Filesize
1KB

MD5
9695c6bad14139864b0bfd510b178695

SHA1
685bb9dfcb2c9690646d170caa5e379bf6cea2d7

SHA256
6d84d43d8e436ff3deeb5a9d9121d055c1bf98a214ff21e2d93e61bf5b3953e3

SHA512
bc8f06edaa102f0ee95df622bb601c7e65aa6a40ce19f343a13845c97e513c5c6e13ca7d60a6ea808e01ac8eaaa124cd41510650dad64b816441f2a82e9aef05

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259525213.txt

Filesize
1KB

MD5
021910900753cc324a535c597b499f0f

SHA1
b5536f1823a0122e5230a24d7d675c4c76ada230

SHA256
3c71259baadf7b156c16239f03a8f468c812d089efccb49854ebec7186c80bbf

SHA512
5e850d8945b979f80923c22fa9ee80d92e11b282afbb1a0ac1cc1a362ffd6b2762cf71c353da12ed89f032bf804661324b8d36d1d7c71eaab81e8352cc8b5c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259538244.txt

Filesize
1KB

MD5
5371e434bb5ae16fb947f21f84b7d8c2

SHA1
5ef80f4cd70e850df99b3c4626c7a5a2adc64248

SHA256
037b630ee5c7a0e1f1b69a4e01fd626fedd56b5f5ce2f6780afc10c24255944e

SHA512
ea05e9ed36169f4263db3971c2f426a1118cfa3c53e1e3958d66f0fc16c6180406aa3c13718bd0ca378587e1f1a3b95cbad0a18356de5b5d3bc692efa4c0277b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259552335.txt

Filesize
1KB

MD5
9bd63c00dad4fdeb0d33cfb88475bfc1

SHA1
355e82bd9c45190f1829008ebf2b8dbff9a0c1dd

SHA256
b85c12eeec5259449dd8163d1570d390428c560d305d4fba86bf1b352351d5ba

SHA512
79d8fd82d6ef9da556ec768a7e2de475d52d36562584ca0f41e1d814a5008cd795b4f830c7d35f57541c1678245f6d0d967965b06325295938c953e315e15ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259570675.txt

Filesize
1KB

MD5
e8bf5778f3baf8dc6e908a91283d4580

SHA1
94b647365f544d61cce58446f49c6d4a449946a9

SHA256
8c1c7a170a810649adc345e2091d27e648c392cbe57c0562e0fdc7a62a45e393

SHA512
e155e9524c8b4d450c065bd8c2aaf44144b1a0daa242c115ba8cfa8f765a1f30e8f3091254315ed534dacd5bf9a66fd7758cf147d89a97e5f1e7d635773bc139

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259581592.txt

Filesize
1KB

MD5
2d3ad4a6622b6b943c6ce352a422e060

SHA1
d4b05dae166f8f3f8c12473e560b1df934b3c8c0

SHA256
79991c7f243c12b01a484b36900d484704e74bc9e984e26bcda5b19c1034d412

SHA512
3c67b0b2974555add32632076ae4f842b8c0f7b65418c1f4d3d22f670e003838f094f1329b91c571e447f2576cdfd45418c9314e054c06ab61ccb8964e7abecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2470b25e63605c36ba9db7225d069aeb

SHA1
bc62d1005a832cf7fde4771e3b06e9e0bfab5afd

SHA256
ffb9356f584a58799256dfcd6b5de5689732af6730a3d16ccf08a22b6ad6dcd1

SHA512
151935929d4ccb90379a9c5a93e37284a58073ae29c417a66897ad2620447bdd45d91ca0cb8ea77734881088904a8e2357bbe6e2d26c4ba67c60dc80905afb0a

Download Submit
C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs

Filesize
2KB

MD5
ddf1e2f5de2ce71ccf56af38dedb27d0

SHA1
0033a0eb6babb97203cb8bb7f68287cfac9d96dc

SHA256
0a988536fc481bd16af5469d5faa1bbb9dc321601dfa858479c01844a3cdd1c8

SHA512
f4e451051d3bf74faf142973ef1f2a8c008d654f6d7178dbc426dceee2f16fb88c90980e3e12e77b3499d9f7a0bc4f36faafad35fb52bb9c8f8ba03ae2585941

Download Submit
memory/2040-16-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2040-17-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2672-8-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2672-7-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2672-6-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download