1e50c25c7e56abecb3c802c2cb4dbb0863b203ef5becd1232732b2ce53dcbfdc

Analysis

max time kernel
146s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0969686.vbe
Size

11KB
MD5

4565da69d82d3d17f33436b132261de7
SHA1

5e124ae25d9ec64cc681546299e0fa2d4f4b50d4
SHA256

e2604e06a1d397760f22a668b48821dc20f06a8c3a28d165b9c96569b0e88bbb
SHA512

7390abe671d2ad1a430bfb69888cdcb7f6e9284cc9432338a5b1eddeb0624987b92a56009e50c283c46894256ca1ab43640cac3ecbf09bd4b69867cccb6f4329
SSDEEP

192:YeHNd/sigyX/tr7b7RMAv0Evwfk5Pv4fX//CxHQ6V62nN4je5K:zHMiTFPXHvwfk5PvQiHQ6EGijT

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1840	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2644	powershell.exe
2644	powershell.exe
568	powershell.exe
568	powershell.exe
1516	powershell.exe
1516	powershell.exe
2872	powershell.exe
2872	powershell.exe
824	powershell.exe
824	powershell.exe
3060	powershell.exe
3060	powershell.exe
616	powershell.exe
616	powershell.exe
2764	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2540	2656	taskeng.exe	32
PID 2656 wrote to memory of 2540	2656	taskeng.exe	32
PID 2656 wrote to memory of 2540	2656	taskeng.exe	32
PID 2540 wrote to memory of 2644	2540	WScript.exe	34
PID 2540 wrote to memory of 2644	2540	WScript.exe	34
PID 2540 wrote to memory of 2644	2540	WScript.exe	34
PID 2644 wrote to memory of 1164	2644	powershell.exe	36
PID 2644 wrote to memory of 1164	2644	powershell.exe	36
PID 2644 wrote to memory of 1164	2644	powershell.exe	36
PID 2540 wrote to memory of 568	2540	WScript.exe	37
PID 2540 wrote to memory of 568	2540	WScript.exe	37
PID 2540 wrote to memory of 568	2540	WScript.exe	37
PID 568 wrote to memory of 1720	568	powershell.exe	39
PID 568 wrote to memory of 1720	568	powershell.exe	39
PID 568 wrote to memory of 1720	568	powershell.exe	39
PID 2540 wrote to memory of 1516	2540	WScript.exe	40
PID 2540 wrote to memory of 1516	2540	WScript.exe	40
PID 2540 wrote to memory of 1516	2540	WScript.exe	40
PID 1516 wrote to memory of 1552	1516	powershell.exe	42
PID 1516 wrote to memory of 1552	1516	powershell.exe	42
PID 1516 wrote to memory of 1552	1516	powershell.exe	42
PID 2540 wrote to memory of 2872	2540	WScript.exe	43
PID 2540 wrote to memory of 2872	2540	WScript.exe	43
PID 2540 wrote to memory of 2872	2540	WScript.exe	43
PID 2872 wrote to memory of 952	2872	powershell.exe	45
PID 2872 wrote to memory of 952	2872	powershell.exe	45
PID 2872 wrote to memory of 952	2872	powershell.exe	45
PID 2540 wrote to memory of 824	2540	WScript.exe	47
PID 2540 wrote to memory of 824	2540	WScript.exe	47
PID 2540 wrote to memory of 824	2540	WScript.exe	47
PID 824 wrote to memory of 676	824	powershell.exe	49
PID 824 wrote to memory of 676	824	powershell.exe	49
PID 824 wrote to memory of 676	824	powershell.exe	49
PID 2540 wrote to memory of 3060	2540	WScript.exe	50
PID 2540 wrote to memory of 3060	2540	WScript.exe	50
PID 2540 wrote to memory of 3060	2540	WScript.exe	50
PID 3060 wrote to memory of 316	3060	powershell.exe	52
PID 3060 wrote to memory of 316	3060	powershell.exe	52
PID 3060 wrote to memory of 316	3060	powershell.exe	52
PID 2540 wrote to memory of 616	2540	WScript.exe	53
PID 2540 wrote to memory of 616	2540	WScript.exe	53
PID 2540 wrote to memory of 616	2540	WScript.exe	53
PID 616 wrote to memory of 2124	616	powershell.exe	55
PID 616 wrote to memory of 2124	616	powershell.exe	55
PID 616 wrote to memory of 2124	616	powershell.exe	55
PID 2540 wrote to memory of 2764	2540	WScript.exe	56
PID 2540 wrote to memory of 2764	2540	WScript.exe	56
PID 2540 wrote to memory of 2764	2540	WScript.exe	56
PID 2764 wrote to memory of 1712	2764	powershell.exe	58
PID 2764 wrote to memory of 1712	2764	powershell.exe	58
PID 2764 wrote to memory of 1712	2764	powershell.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0969686.vbe"
1⤵
- Blocklisted process makes network request
PID:1840

C:\Windows\system32\taskeng.exe
taskeng.exe {2D1137EB-04F6-4A79-912C-BF3D20A8CB31} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\uaDoJtHubxengYS.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2644" "1244"
      4⤵
      PID:1164
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "568" "1244"
      4⤵
      PID:1720
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1516" "1240"
      4⤵
      PID:1552
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2872" "1244"
      4⤵
      PID:952
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "824" "1244"
      4⤵
      PID:676
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3060" "1236"
      4⤵
      PID:316
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "616" "1232"
      4⤵
      PID:2124
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2764" "1244"
      4⤵
      PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259486985.txt

Filesize
1KB

MD5
06a27bee4a77ee36d726bd05171142b9

SHA1
a9330cd33ed7ae1251762f2b1c3f9ce471e8d7d6

SHA256
531f0fa2c35c7d2a3c971bddc552acbe3cc916dfb9fef0d38d3ed79f4821bd73

SHA512
5a1d8bba1254e21c45fee11a7471708579e011a222c24969e93508af8557c195660db8e4f27ada73a2f988b19ab610e8fec214d3e2bcb6e54ef0f2f8374db46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259505125.txt

Filesize
1KB

MD5
3a4e07b79c8ffc18c356c9dc94226332

SHA1
d14315b249a34b1deeebb334e74d562af78d1524

SHA256
6759adb9820dde6c69969a94627fe2d674db3e23cf3e5cfd2a82ad9bd5b44c1d

SHA512
c8867b1d95058704a5a35527b428db97acc61fab83a517fbfe422e74eaa117738857b48cd147f5ddc535479a9c63e7210f3ab44061574bed77a276a4f651e39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259518791.txt

Filesize
1KB

MD5
1ad5bedc53d200d47b2c699b13e4bee9

SHA1
042e6655d6230f44102de31ac14cab5f7caa469b

SHA256
606ac3de350a353310878581f81f11d75bcbf2d97cede72c0f352484553f1564

SHA512
82fb375c095876bb2cc7eaa9eda48cb0f78477571fa071a82433500e2ade03ba37afea859844928f9e6efc5da8033b58c757a183dd25a8872592f4e8a054511d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259531920.txt

Filesize
1KB

MD5
2e8925f3733d0b543798ed6b915bf39a

SHA1
4c0264cbbe5e1e50e38c6006c2dc8e135807bad5

SHA256
e226bec78212afca0bdb206cc029ee597db03cbab3b66ab9725044d068536ad6

SHA512
bc0a9f88f3dc26cc48c8414a12fd91824d86e81eb35126ca83e79ffc0887ead547b952912543e0950845224eb7321a6e3e3fe84f81a504c57103e6f67d89a540

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259549440.txt

Filesize
1KB

MD5
2a638ffc7265965bbf1f70a314fb8fa1

SHA1
43afaa7e31540c2ef4b59ea91f898b4ebe379ba0

SHA256
e81a9eebfbb4c092af1f2ab8d035854402e45f5ced1550c806a63507272a5725

SHA512
102a1005764f74bd663e90e11e6888614a1e8bd49dc8862629ed49b5cf84f9dce217556a951bcdda21060e65a0a77d89a2f31d020296a40f831477f8394d178e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259567108.txt

Filesize
1KB

MD5
7229ef03234efec5a8dfd93682dbe0b7

SHA1
8418e95f8593393c961822f86f9834275eafd7fd

SHA256
3538a3e61dbb868c1d8b871d3e7e870923e47fde4bfbd2b53dd4d1c0a6bcd6e8

SHA512
497313f675f6dfe5d75562d6e5ee0f959beae56c6bd3d8690c030562fc4eb1b01fc487cc364697010b48fdaf8aa492a1d0c8f43f2addd360ed22eb435814e8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259580549.txt

Filesize
1KB

MD5
eeef18b22e2af696a007ef76a392222a

SHA1
3a20f90323eced01192257a8d72b0f1cb52c5d91

SHA256
f3a4152be983984cc35735d2b23cbf5e63a2ec5536a019e9ce90bc8da28911b5

SHA512
477a54cf697cb07f0eb10ea1e8a945517fae95526afd75ef8c89b231c6317644cef361a6e1ee98067947e6c92a0fb343562be37ddc756b1f794aba1bfdda9324

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259592454.txt

Filesize
1KB

MD5
e829d47722b0bd197e40e939f83018be

SHA1
919f74f8fdbe80ae8971472158357aa69a2bb30f

SHA256
4a04aa519e3a74f7a41479b554a23ef7726564d41bdd468c1ce5111c3227d0bc

SHA512
1b8a33c722f1f1a1b850c7c96e185d19c00e5c4b6d788d6c783f125930695c3a8ede843fff1e90b3ca84dee96573aee0e19594e4a243d62ec796f7d0ed17dca6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D1AMQLEY0IL5FA7MJ3M6.temp

Filesize
7KB

MD5
fd1049537c208c885405755a5c72115a

SHA1
8140db7c2b223250c9da0c84757f06ded8905bf9

SHA256
defc4979f2c1b975889cdb98a27a7eb6568ffa49cd782d8750359038c7ebf953

SHA512
88ab027b2ace130b07a475d6f0cb26db1ded0bae13f7fc23d977978681233ad91ab84e8da64dfd9a586f27542e3c7d1533244e10cf2da890bce45af4dcbb7bb6

Download Submit
C:\Users\Admin\AppData\Roaming\uaDoJtHubxengYS.vbs

Filesize
2KB

MD5
477e3b6cbf610f72373118d4ca9cdbb2

SHA1
ca88c1b80fa6248644497449c294f92b5a32b300

SHA256
9d75154b064fc63a3de686569088ef8c7ac31f2826dc4557d5e7074535bbdf3c

SHA512
ad3d81784cb1199839e66c7b88ac1da0c14a7f8a6f3f9a7bbb496fc953f02253733e5f7370efe5c08d9c5f4a9f037d84d814e958ea8715732d9e3df14b94b119

Download Submit
memory/568-16-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/568-17-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2644-6-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2644-7-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2644-8-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

Filesize
32KB

Download