e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0969686.vbe
Size

11KB
MD5

4565da69d82d3d17f33436b132261de7
SHA1

5e124ae25d9ec64cc681546299e0fa2d4f4b50d4
SHA256

e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb
SHA512

7390abe671d2ad1a430bfb69888cdcb7f6e9284cc9432338a5b1eddeb0624987b92a56009e50c283c46894256ca1ab43640cac3ecbf09bd4b69867cccb6f4329
SSDEEP

192:YeHNd/sigyX/tr7b7RMAv0Evwfk5Pv4fX//CxHQ6V62nN4je5K:zHMiTFPXHvwfk5PvQiHQ6EGijT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1924	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1664	powershell.exe
1664	powershell.exe
2596	powershell.exe
2596	powershell.exe
2960	powershell.exe
2960	powershell.exe
2572	powershell.exe
2572	powershell.exe
2440	powershell.exe
2440	powershell.exe
1308	powershell.exe
1308	powershell.exe
2504	powershell.exe
2504	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2632	2904	taskeng.exe	32
PID 2904 wrote to memory of 2632	2904	taskeng.exe	32
PID 2904 wrote to memory of 2632	2904	taskeng.exe	32
PID 2632 wrote to memory of 1664	2632	WScript.exe	34
PID 2632 wrote to memory of 1664	2632	WScript.exe	34
PID 2632 wrote to memory of 1664	2632	WScript.exe	34
PID 1664 wrote to memory of 2680	1664	powershell.exe	36
PID 1664 wrote to memory of 2680	1664	powershell.exe	36
PID 1664 wrote to memory of 2680	1664	powershell.exe	36
PID 2632 wrote to memory of 2596	2632	WScript.exe	37
PID 2632 wrote to memory of 2596	2632	WScript.exe	37
PID 2632 wrote to memory of 2596	2632	WScript.exe	37
PID 2596 wrote to memory of 1700	2596	powershell.exe	39
PID 2596 wrote to memory of 1700	2596	powershell.exe	39
PID 2596 wrote to memory of 1700	2596	powershell.exe	39
PID 2632 wrote to memory of 2960	2632	WScript.exe	40
PID 2632 wrote to memory of 2960	2632	WScript.exe	40
PID 2632 wrote to memory of 2960	2632	WScript.exe	40
PID 2960 wrote to memory of 2184	2960	powershell.exe	42
PID 2960 wrote to memory of 2184	2960	powershell.exe	42
PID 2960 wrote to memory of 2184	2960	powershell.exe	42
PID 2632 wrote to memory of 2572	2632	WScript.exe	43
PID 2632 wrote to memory of 2572	2632	WScript.exe	43
PID 2632 wrote to memory of 2572	2632	WScript.exe	43
PID 2572 wrote to memory of 2260	2572	powershell.exe	45
PID 2572 wrote to memory of 2260	2572	powershell.exe	45
PID 2572 wrote to memory of 2260	2572	powershell.exe	45
PID 2632 wrote to memory of 2440	2632	WScript.exe	46
PID 2632 wrote to memory of 2440	2632	WScript.exe	46
PID 2632 wrote to memory of 2440	2632	WScript.exe	46
PID 2440 wrote to memory of 1952	2440	powershell.exe	48
PID 2440 wrote to memory of 1952	2440	powershell.exe	48
PID 2440 wrote to memory of 1952	2440	powershell.exe	48
PID 2632 wrote to memory of 1308	2632	WScript.exe	49
PID 2632 wrote to memory of 1308	2632	WScript.exe	49
PID 2632 wrote to memory of 1308	2632	WScript.exe	49
PID 1308 wrote to memory of 3068	1308	powershell.exe	51
PID 1308 wrote to memory of 3068	1308	powershell.exe	51
PID 1308 wrote to memory of 3068	1308	powershell.exe	51
PID 2632 wrote to memory of 2504	2632	WScript.exe	52
PID 2632 wrote to memory of 2504	2632	WScript.exe	52
PID 2632 wrote to memory of 2504	2632	WScript.exe	52
PID 2504 wrote to memory of 2820	2504	powershell.exe	54
PID 2504 wrote to memory of 2820	2504	powershell.exe	54
PID 2504 wrote to memory of 2820	2504	powershell.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0969686.vbe"
1⤵
- Blocklisted process makes network request
PID:1924

C:\Windows\system32\taskeng.exe
taskeng.exe {9578D35F-5F93-4604-8967-542B89EEA2C1} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\uaDoJtHubxengYS.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1664" "1240"
      4⤵
      PID:2680
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2596" "1236"
      4⤵
      PID:1700
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2960" "1236"
      4⤵
      PID:2184
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2572" "1236"
      4⤵
      PID:2260
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2440" "1236"
      4⤵
      PID:1952
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1308" "1236"
      4⤵
      PID:3068
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2504" "1248"
      4⤵
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259485897.txt

Filesize
1KB

MD5
16aeaea5f7d484542819e4750fd5c99d

SHA1
fa36d658dd1c674367b32aaa3448e25ac2100609

SHA256
288b9c1b18469f24b46bef792b238ec4c0437f736f48c07f45f62d376495cf6b

SHA512
20af528a35c13fc41bbde59cadb176942f21428937b6c287e215d1e717707a5a354980a461fa4d8753a91d678e74ffa55c9e6e9953f78a72408d7711af675c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259504797.txt

Filesize
1KB

MD5
b51e6e84182487483c80cebf00aff88a

SHA1
74180defd4f817a53fc9c31998ce037eac18e608

SHA256
98948041ba7b914f5a0b52a7e077bddaf12b5e6b75f24ad6ff94509e5166539a

SHA512
cd30dc1d474113a14e2d8c072caf44ced97329139ed59580bb9302dde493265fe23bae6d734d6d9fd84a1574c234500ec74a6b8d717b46b39e581ed029dc4b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514422.txt

Filesize
1KB

MD5
e6afd2f20b3b8f5bd73c108f217e8b6a

SHA1
2011fede547b8f8b45e619f23c4f6aa748d8e9e6

SHA256
1d9d8e4b97953b02575a1ecac95189b53912726f711039140de375beeab609c1

SHA512
d1834537d26c9c41427776af6a58686e3e014083e4895c2b8d071d7d7abb3e18b2a513b62bd81480287d97ccb1e243d116af889982badab0823486f59553eda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259533960.txt

Filesize
1KB

MD5
808641aee32d933a873f40412ef74b76

SHA1
385ba3b3eaa5dd10693c2f82ce92353fb556a8dc

SHA256
6a4495b1f8827d44491c69750a4496b19f03ef4826ce2007d02bb8abfbd7cd08

SHA512
b7966adfd12af2d1d9c4b420823fb1c31b69db31084f36ec7848e2b3c287cc3618bfc506aab6eb0518f373b4330dd1c7b93db49e36e24f50b9ffbddb1bde60b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259549402.txt

Filesize
1KB

MD5
3299982425869541071b6233f6531b6a

SHA1
aa58826b9a477ea89a8c8a70db73fe81f03e3940

SHA256
92644c657ff3cce96974ffc17c0d8b0d0ef6441b622679c53297a7b372747dc3

SHA512
a2ff039a37bc11a999889792f0bd313342dd3b48da0a772430a57fddb1d767c2a98e5fd362e8b031edd67dea4a212b20ebdb0a8c43ba48b58416f84bbad7f54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259561936.txt

Filesize
1KB

MD5
1efa2946dd0b09dfaa1b743789e704d9

SHA1
6bf6cbd24060ce500870c3f066a06b785e2b18d6

SHA256
3229d8f15fa1643fcc495afbbf8230a104a553a655dfe05d73271a8fbc5aacb5

SHA512
fac59573993bfaf62aceafe3f015cf580d8956a59c546d7c442573215747f3788042e7d8a81709dc986fdba10f8005bbcc47acddd09d8361e856b90850605cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259579393.txt

Filesize
1KB

MD5
70fd4aa13ba09b417c2433d341eb5dc3

SHA1
4db83b680871bc77e80f3a2d41567495e6a50fa7

SHA256
0abf7bf1d1f9b00908e29ced3af4673200c69785075bfcf52a5532ebcf92ebce

SHA512
da2dbb700e47fa98a5d52c59d500cd59bef6937b93b2d4a4852e210c869390041dcd25063cdccc49231bc69d071097a700769c1d9d460c99fcdfa19d8678bb8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d34e336ce20fc6535ca82c4448170607

SHA1
9225476f869bc14765acd2269a3bb32fd776250b

SHA256
0a504060169a433956201cb19195f0e9290019311ea13ad665f968c0a300df6f

SHA512
890780ec434f8cbbb68be7cf67eb33960d15015bfea6951ef215f3bcc1a850f8764c4c759103ea65beb2519f8b7d22b77dad23f3ac6aec12572895ebd85dd377

Download Submit
C:\Users\Admin\AppData\Roaming\uaDoJtHubxengYS.vbs

Filesize
2KB

MD5
477e3b6cbf610f72373118d4ca9cdbb2

SHA1
ca88c1b80fa6248644497449c294f92b5a32b300

SHA256
9d75154b064fc63a3de686569088ef8c7ac31f2826dc4557d5e7074535bbdf3c

SHA512
ad3d81784cb1199839e66c7b88ac1da0c14a7f8a6f3f9a7bbb496fc953f02253733e5f7370efe5c08d9c5f4a9f037d84d814e958ea8715732d9e3df14b94b119

Download Submit
memory/1664-8-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

Filesize
32KB

Download
memory/1664-6-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1664-7-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2596-17-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2596-16-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download