e82da29ba80ba9f702db759c4ffb8e755db261421f74a222f9bdb7822999c24c

Analysis

max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009.vbe
Size

10KB
MD5

9ff77002fbcbdd6e749722541b423034
SHA1

ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
SHA512

609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
SSDEEP

192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2692	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1608	powershell.exe
1608	powershell.exe
468	powershell.exe
468	powershell.exe
3004	powershell.exe
3004	powershell.exe
2012	powershell.exe
2012	powershell.exe
1440	powershell.exe
1440	powershell.exe
1640	powershell.exe
1640	powershell.exe
1468	powershell.exe
1468	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 3044	2584	taskeng.exe	31
PID 2584 wrote to memory of 3044	2584	taskeng.exe	31
PID 2584 wrote to memory of 3044	2584	taskeng.exe	31
PID 3044 wrote to memory of 1608	3044	WScript.exe	33
PID 3044 wrote to memory of 1608	3044	WScript.exe	33
PID 3044 wrote to memory of 1608	3044	WScript.exe	33
PID 1608 wrote to memory of 2748	1608	powershell.exe	35
PID 1608 wrote to memory of 2748	1608	powershell.exe	35
PID 1608 wrote to memory of 2748	1608	powershell.exe	35
PID 3044 wrote to memory of 468	3044	WScript.exe	36
PID 3044 wrote to memory of 468	3044	WScript.exe	36
PID 3044 wrote to memory of 468	3044	WScript.exe	36
PID 468 wrote to memory of 1208	468	powershell.exe	38
PID 468 wrote to memory of 1208	468	powershell.exe	38
PID 468 wrote to memory of 1208	468	powershell.exe	38
PID 3044 wrote to memory of 3004	3044	WScript.exe	39
PID 3044 wrote to memory of 3004	3044	WScript.exe	39
PID 3044 wrote to memory of 3004	3044	WScript.exe	39
PID 3004 wrote to memory of 1884	3004	powershell.exe	41
PID 3004 wrote to memory of 1884	3004	powershell.exe	41
PID 3004 wrote to memory of 1884	3004	powershell.exe	41
PID 3044 wrote to memory of 2012	3044	WScript.exe	42
PID 3044 wrote to memory of 2012	3044	WScript.exe	42
PID 3044 wrote to memory of 2012	3044	WScript.exe	42
PID 2012 wrote to memory of 1504	2012	powershell.exe	44
PID 2012 wrote to memory of 1504	2012	powershell.exe	44
PID 2012 wrote to memory of 1504	2012	powershell.exe	44
PID 3044 wrote to memory of 1440	3044	WScript.exe	45
PID 3044 wrote to memory of 1440	3044	WScript.exe	45
PID 3044 wrote to memory of 1440	3044	WScript.exe	45
PID 1440 wrote to memory of 1740	1440	powershell.exe	47
PID 1440 wrote to memory of 1740	1440	powershell.exe	47
PID 1440 wrote to memory of 1740	1440	powershell.exe	47
PID 3044 wrote to memory of 1640	3044	WScript.exe	48
PID 3044 wrote to memory of 1640	3044	WScript.exe	48
PID 3044 wrote to memory of 1640	3044	WScript.exe	48
PID 1640 wrote to memory of 892	1640	powershell.exe	50
PID 1640 wrote to memory of 892	1640	powershell.exe	50
PID 1640 wrote to memory of 892	1640	powershell.exe	50
PID 3044 wrote to memory of 1468	3044	WScript.exe	51
PID 3044 wrote to memory of 1468	3044	WScript.exe	51
PID 3044 wrote to memory of 1468	3044	WScript.exe	51
PID 1468 wrote to memory of 2276	1468	powershell.exe	53
PID 1468 wrote to memory of 2276	1468	powershell.exe	53
PID 1468 wrote to memory of 2276	1468	powershell.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009.vbe"
1⤵
- Blocklisted process makes network request
PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {1B27C0F6-BCE2-4D96-846D-A733F1BC5DB4} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1608" "1248"
      4⤵
      PID:2748
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "468" "1244"
      4⤵
      PID:1208
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3004" "1248"
      4⤵
      PID:1884
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2012" "1240"
      4⤵
      PID:1504
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1440" "1244"
      4⤵
      PID:1740
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1640" "1244"
      4⤵
      PID:892
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1468" "1248"
      4⤵
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259504151.txt

Filesize
1KB

MD5
eb9a7b89d76468991a005c9a327fc910

SHA1
1e6293cd9b5532729755ef52acce5d7dc0633301

SHA256
997fb27de6dfe2f624f261b6d6bc945a363887c249609b6d4e45fe3efaab05d9

SHA512
1a6cf967aa42968810664e72496ed5dbe6abc1588d7fe31d1d35acf2ec3981f0e162a4194c9ef6512c4c3d9ef529f8f4d7b5cdcf173bb68913c15ae469ecdfbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259520665.txt

Filesize
1KB

MD5
9db4f7fb94c6a555b38ccf15722cb287

SHA1
021341e942eb7c94ff32ce46be3603bab1856220

SHA256
d7b50f4ded4836e0fcdcaafe7731ae914783feae449ebf1e530e0b83ec64ff24

SHA512
3421267db61dbab6d067d40edb3994969fab410181d350a710e8cd051011d66ffa1a567da20d025a0e14a2de46f4526a53c077d31e0bcbe0808ce2a1de9fc9f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259536976.txt

Filesize
1KB

MD5
8d643869f67ff0cfa944349e70ce6272

SHA1
45beeae316a7f8e7dd5af3216c83f0ece323e842

SHA256
6332cbbc69be19e7dab2b8d0d1475a82b96bce897412808ad70568bea296bec4

SHA512
527928c8ff954e8091aaf81e1eeac5b408535baf99447a262b81361d0ee85211fd46e5e08ceba27d1899d46e2fac6b33024496569955669762427909a25a8de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259549322.txt

Filesize
1KB

MD5
b01338dbb7cee723428809f28640c12a

SHA1
5cb94d8fdb8c7a5a7894eb7546a84a9d25b61df9

SHA256
6a88c5b6fe561bd93c2263436b4b04a5544fad387f4277d3065a9f422ccb9eaa

SHA512
9a6ea13e9b9a0600f5dc6addc3c146945a3f4c4e174c4a07110b830cc8bee664dcb2cab74cd825f1f34c2df98930bbba0d97d20150dff90bd3d0e14175430fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259567541.txt

Filesize
1KB

MD5
f7344a1974a1811960d4e1b55c26ace1

SHA1
d00fc93f38828780c76bf51bad104cfcd7fbb94d

SHA256
b3dc83050d6bd80ba543597541bc48b3f479f824c5607fc111f299a960898b9c

SHA512
220effa68b18f472336cca3ccd9a99345c8959ebced21771070ef15e82378b34e3d49edb3aa6c59032954905f3fbc7e1c24148dad1a3ed027895ca4c0bfbfec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259580620.txt

Filesize
1KB

MD5
96c31cb9759cd05f3b99ab6027f90629

SHA1
b2a472007ee02d27fc292f2cff71f09fd50216cc

SHA256
6471023d6e47be732db331ac292125dc8777fa6f5adca22a77be52a3af56c554

SHA512
4d1c23d34fad1d9371b785b0c39f7997958dbbaa2dd5dc33e5bf0a5acba519e3cef3d7ccc1873bbdb587ac7679942f4788c635e74477d133e8fba3cfae0f54b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259597776.txt

Filesize
1KB

MD5
e1263487b013686a1fc2706a2fbc383f

SHA1
916ba5a66f7c80c3effd3d35b3de6a3b8979d015

SHA256
9b3e0dca9824b683883efa377e0bcbcf37eaae3b3ab13f60cf77690468a23ca6

SHA512
9a7b4ae1dbf569f1bc25194cde46c5f07dc1f449e485f01ce18b8762d6b87838d007898ea6411e47a3e7c6f924749c0532a29592bc2e90a0f1102dc18b071c54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0e004545fc73995d29418199a3b85b76

SHA1
14825bfe4325e53d2c7e5a248bfa6950701e1055

SHA256
7ce5ef4b734091b6e5be7749f044ca13b6cef77f6e601d3d17dac8cdbbcea5c1

SHA512
08fda779a203efbd0008c6ee9e634c5ea673207efb76bf292724a90a32a189096b6006c8a69be9d80742780fbf025606167c736479a378c1ce8c2cea861463e8

Download Submit
C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs

Filesize
2KB

MD5
ddf1e2f5de2ce71ccf56af38dedb27d0

SHA1
0033a0eb6babb97203cb8bb7f68287cfac9d96dc

SHA256
0a988536fc481bd16af5469d5faa1bbb9dc321601dfa858479c01844a3cdd1c8

SHA512
f4e451051d3bf74faf142973ef1f2a8c008d654f6d7178dbc426dceee2f16fb88c90980e3e12e77b3499d9f7a0bc4f36faafad35fb52bb9c8f8ba03ae2585941

Download Submit
memory/468-16-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/468-17-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1608-8-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/1608-7-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1608-6-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download