5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9

Analysis

max time kernel
143s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9.vbe
Size

10KB
MD5

9ff77002fbcbdd6e749722541b423034
SHA1

ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
SHA512

609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
SSDEEP

192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1840	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2908	powershell.exe
2908	powershell.exe
2652	powershell.exe
2652	powershell.exe
1248	powershell.exe
1248	powershell.exe
2748	powershell.exe
2748	powershell.exe
2032	powershell.exe
2032	powershell.exe
824	powershell.exe
824	powershell.exe
1000	powershell.exe
1000	powershell.exe
2296	powershell.exe
2296	powershell.exe
2536	powershell.exe
2536	powershell.exe
1896	powershell.exe
1896	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2148	2896	taskeng.exe	32
PID 2896 wrote to memory of 2148	2896	taskeng.exe	32
PID 2896 wrote to memory of 2148	2896	taskeng.exe	32
PID 2148 wrote to memory of 2908	2148	WScript.exe	34
PID 2148 wrote to memory of 2908	2148	WScript.exe	34
PID 2148 wrote to memory of 2908	2148	WScript.exe	34
PID 2908 wrote to memory of 2700	2908	powershell.exe	36
PID 2908 wrote to memory of 2700	2908	powershell.exe	36
PID 2908 wrote to memory of 2700	2908	powershell.exe	36
PID 2148 wrote to memory of 2652	2148	WScript.exe	37
PID 2148 wrote to memory of 2652	2148	WScript.exe	37
PID 2148 wrote to memory of 2652	2148	WScript.exe	37
PID 2652 wrote to memory of 2052	2652	powershell.exe	39
PID 2652 wrote to memory of 2052	2652	powershell.exe	39
PID 2652 wrote to memory of 2052	2652	powershell.exe	39
PID 2148 wrote to memory of 1248	2148	WScript.exe	40
PID 2148 wrote to memory of 1248	2148	WScript.exe	40
PID 2148 wrote to memory of 1248	2148	WScript.exe	40
PID 1248 wrote to memory of 1744	1248	powershell.exe	42
PID 1248 wrote to memory of 1744	1248	powershell.exe	42
PID 1248 wrote to memory of 1744	1248	powershell.exe	42
PID 2148 wrote to memory of 2748	2148	WScript.exe	43
PID 2148 wrote to memory of 2748	2148	WScript.exe	43
PID 2148 wrote to memory of 2748	2148	WScript.exe	43
PID 2748 wrote to memory of 2404	2748	powershell.exe	45
PID 2748 wrote to memory of 2404	2748	powershell.exe	45
PID 2748 wrote to memory of 2404	2748	powershell.exe	45
PID 2148 wrote to memory of 2032	2148	WScript.exe	46
PID 2148 wrote to memory of 2032	2148	WScript.exe	46
PID 2148 wrote to memory of 2032	2148	WScript.exe	46
PID 2032 wrote to memory of 1724	2032	powershell.exe	48
PID 2032 wrote to memory of 1724	2032	powershell.exe	48
PID 2032 wrote to memory of 1724	2032	powershell.exe	48
PID 2148 wrote to memory of 824	2148	WScript.exe	49
PID 2148 wrote to memory of 824	2148	WScript.exe	49
PID 2148 wrote to memory of 824	2148	WScript.exe	49
PID 824 wrote to memory of 1464	824	powershell.exe	51
PID 824 wrote to memory of 1464	824	powershell.exe	51
PID 824 wrote to memory of 1464	824	powershell.exe	51
PID 2148 wrote to memory of 1000	2148	WScript.exe	53
PID 2148 wrote to memory of 1000	2148	WScript.exe	53
PID 2148 wrote to memory of 1000	2148	WScript.exe	53
PID 1000 wrote to memory of 2500	1000	powershell.exe	55
PID 1000 wrote to memory of 2500	1000	powershell.exe	55
PID 1000 wrote to memory of 2500	1000	powershell.exe	55
PID 2148 wrote to memory of 2296	2148	WScript.exe	56
PID 2148 wrote to memory of 2296	2148	WScript.exe	56
PID 2148 wrote to memory of 2296	2148	WScript.exe	56
PID 2296 wrote to memory of 2376	2296	powershell.exe	58
PID 2296 wrote to memory of 2376	2296	powershell.exe	58
PID 2296 wrote to memory of 2376	2296	powershell.exe	58
PID 2148 wrote to memory of 2536	2148	WScript.exe	59
PID 2148 wrote to memory of 2536	2148	WScript.exe	59
PID 2148 wrote to memory of 2536	2148	WScript.exe	59
PID 2536 wrote to memory of 1876	2536	powershell.exe	61
PID 2536 wrote to memory of 1876	2536	powershell.exe	61
PID 2536 wrote to memory of 1876	2536	powershell.exe	61
PID 2148 wrote to memory of 1896	2148	WScript.exe	62
PID 2148 wrote to memory of 1896	2148	WScript.exe	62
PID 2148 wrote to memory of 1896	2148	WScript.exe	62
PID 1896 wrote to memory of 1020	1896	powershell.exe	64
PID 1896 wrote to memory of 1020	1896	powershell.exe	64
PID 1896 wrote to memory of 1020	1896	powershell.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9.vbe"
1⤵
- Blocklisted process makes network request
PID:1840

C:\Windows\system32\taskeng.exe
taskeng.exe {2D1137EB-04F6-4A79-912C-BF3D20A8CB31} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2908" "1240"
      4⤵
      PID:2700
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2652" "1244"
      4⤵
      PID:2052
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1248" "1240"
      4⤵
      PID:1744
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2748" "1248"
      4⤵
      PID:2404
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2032" "1228"
      4⤵
      PID:1724
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "824" "1236"
      4⤵
      PID:1464
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1000" "1236"
      4⤵
      PID:2500
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2296" "1240"
      4⤵
      PID:2376
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2536" "1236"
      4⤵
      PID:1876
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1896" "1240"
      4⤵
      PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259453384.txt

Filesize
1KB

MD5
cb154183214bf5e2528365f5f71c9630

SHA1
bcfd44c573311dd4f8c6abd010e542e34152e07d

SHA256
4e7afdeef0925659b6e4e0da2d73ebf64b9c27e64feb4d531b38003b324c41d6

SHA512
f03b57bb3c2cd9601695b3545c67ec488810ac9bb096c12d9fbbee8f74eba91a8e3db12318aa13e9dffca2c56942618f21fb1d03ecb3427fae223347eabb4915

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259472932.txt

Filesize
1KB

MD5
039f4225edfb5571ec5b172bc60f8d21

SHA1
a2c70bcb6f1ab9d6056f41be065c33457cae777b

SHA256
9de9acd113048c5b1c4b78f88560ed58ff2d3260aec30beb1e9bf9b8e50d5f4f

SHA512
952f4f1f23d1c134eafd1a616cd18b0d47e8d0469f8079b3d06f41da1becefa4d3c8cad8173fdf9b46f277ad329873b2c9a87be01d275447992591aa3e07b85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259484500.txt

Filesize
1KB

MD5
384fce3931dc6f8a0120bc06c334d721

SHA1
6069453ac11b0cab2c3bbd09066d6956f85eb07a

SHA256
dde12e03021f6420fa2ace4faffe3422e4c883f01fa52c384b0fc2012c49bee0

SHA512
943e8feb90857d706848687ab245981009aae9fd0b934ada48fd40d40ec72ceb6ca47f51065c832751028ef46ace2b5330cd92e9ddec369fd9ed36259c5219f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259498051.txt

Filesize
1KB

MD5
7d8be96c17ee7ec545ff97fece44577a

SHA1
fc91db0423f3df156b75c31a453a5471e5aad319

SHA256
72a1d50466f7fff1dc0cedb3d0ca88f009b8dc7bc9839dd0c9cc7ed8a0886cb7

SHA512
689971a24662bb5bcb31aca7dfea944ded4544f6f93441c89e5aca95d2c7853410b2c6a5e666c80c18dc4892e5cf6963703b61d10d32551f05f4b903753761b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514875.txt

Filesize
1KB

MD5
3cb2c2f8725620bf86580048d7504561

SHA1
c14419143edfe1f33243d89d1424501f6466c94f

SHA256
2dc6d6845e22b7f2c8ea01554d755ebb9fbeb19922e0b72811d83ff2a36fee9e

SHA512
2bcd85bf95a9efc1435c25844094ab291dcb92b58d8b12d13eac9a2f04f007586e558edfa1eb8781f31797a098ea8c22e1e49a55be3f2b4f24773b30995553c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259531650.txt

Filesize
1KB

MD5
adb9b69e453f54a3a90d9000b7829682

SHA1
c8cf28ad0553c4c341f77c5456346273e9fd03f2

SHA256
0b5a712f2be022cfe48278ef367d115f6c48a0fef2682da190a627fc652117cd

SHA512
23807492129c45706c285f698af0736300eb1f4b6cf8f5680abec21f6c754bee7a03f6f8646545f3b89ffc2727fb74d3ba92758335f3744638562d64ecf0b370

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259547034.txt

Filesize
1KB

MD5
7804bec6c4adc755fdee3170760db10b

SHA1
4bbcae2723e2284f1a63beeaa886feb764cb63da

SHA256
ae9cbf2cb1e864acc1c47e8c8f6026bf0e5bed14175a366779ade61f7a77f15a

SHA512
a84dd9a876f6e0526239cd641836bbe36047b167a01b71b28a67b57d8275d7697a4c1de3b5e8459496aa458fec29f9ad268e72c953d20fe75529ba6f877f76c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259563267.txt

Filesize
1KB

MD5
925812ec1a571f0b5adaaa0cd37ca44e

SHA1
73cee2f831a861885459eaa391c0351425ab6f7f

SHA256
f1845a98a253e10a4beeab3ae8cf35b68f75259d59e7e87bb24e7f46f734353a

SHA512
94377e36fec4a9c2e255d648019aed6092a952577ee231a8eab54b058aaae24e3fe9442cdd565b9e1da83a885056895ce0761670eac77100b499e2e9fe52269f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259578575.txt

Filesize
1KB

MD5
20623819b805167030a62a6be93f41f9

SHA1
0a392a4060c6ab17968319c80ea76679a3f1fe0a

SHA256
36ef60da8678b52f4d2a9731a618c7f7d1bf9efe148cc58c5ed25413b7755467

SHA512
71145aba9b0fa31f75206538a54a6d67692e270c9c42a602a7465eb200a2b40d277c62d093ecffe260964d0fd7502656ed83cdc7474c7e6d007ef576a77306cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259590616.txt

Filesize
1KB

MD5
a06b6a843be87336b6af7be09d617ade

SHA1
acf2fb3303322d0a7348047796b47676a76cd702

SHA256
2096358b5f0e4220fec84bb672d73567d45b4f143e98006daeb3ab8d6c903be7

SHA512
9019bc0214e952549a5b8a49f602f8aedc9363541dcea21b69ef52b14219d2ee1c3eb25cba44284ab909558efaa161340fc19802981ae2ec0eb83a1889958571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f0449d1f07fc86b62ec769ea5e9c6877

SHA1
42dc023b3646c1d52cc3d77ca1eb3619233be30d

SHA256
830a32af4a1ba838651c0cef27bd00cbb1c4afec2e34a240b01515756211c42d

SHA512
b262a6652b23aec57c3d875923a06397831eff105b8621e2dbe34b2b5d93861beb4dc5ae0f7245885833cdf1c1401713b4a4cd159e871b216e6c79368910cd84

Download Submit
C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs

Filesize
2KB

MD5
ddf1e2f5de2ce71ccf56af38dedb27d0

SHA1
0033a0eb6babb97203cb8bb7f68287cfac9d96dc

SHA256
0a988536fc481bd16af5469d5faa1bbb9dc321601dfa858479c01844a3cdd1c8

SHA512
f4e451051d3bf74faf142973ef1f2a8c008d654f6d7178dbc426dceee2f16fb88c90980e3e12e77b3499d9f7a0bc4f36faafad35fb52bb9c8f8ba03ae2585941

Download Submit
memory/2652-17-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2652-16-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2908-7-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2908-8-0x0000000002B80000-0x0000000002B88000-memory.dmp

Filesize
32KB

Download
memory/2908-6-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download