d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2004	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2708	powershell.exe
2708	powershell.exe
560	powershell.exe
560	powershell.exe
2364	powershell.exe
2364	powershell.exe
2348	powershell.exe
2348	powershell.exe
2284	powershell.exe
2284	powershell.exe
1700	powershell.exe
1700	powershell.exe
340	powershell.exe
340	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2936	2804	taskeng.exe	32
PID 2804 wrote to memory of 2936	2804	taskeng.exe	32
PID 2804 wrote to memory of 2936	2804	taskeng.exe	32
PID 2936 wrote to memory of 2708	2936	WScript.exe	34
PID 2936 wrote to memory of 2708	2936	WScript.exe	34
PID 2936 wrote to memory of 2708	2936	WScript.exe	34
PID 2708 wrote to memory of 1168	2708	powershell.exe	36
PID 2708 wrote to memory of 1168	2708	powershell.exe	36
PID 2708 wrote to memory of 1168	2708	powershell.exe	36
PID 2936 wrote to memory of 560	2936	WScript.exe	37
PID 2936 wrote to memory of 560	2936	WScript.exe	37
PID 2936 wrote to memory of 560	2936	WScript.exe	37
PID 560 wrote to memory of 2968	560	powershell.exe	39
PID 560 wrote to memory of 2968	560	powershell.exe	39
PID 560 wrote to memory of 2968	560	powershell.exe	39
PID 2936 wrote to memory of 2364	2936	WScript.exe	40
PID 2936 wrote to memory of 2364	2936	WScript.exe	40
PID 2936 wrote to memory of 2364	2936	WScript.exe	40
PID 2364 wrote to memory of 2436	2364	powershell.exe	42
PID 2364 wrote to memory of 2436	2364	powershell.exe	42
PID 2364 wrote to memory of 2436	2364	powershell.exe	42
PID 2936 wrote to memory of 2348	2936	WScript.exe	43
PID 2936 wrote to memory of 2348	2936	WScript.exe	43
PID 2936 wrote to memory of 2348	2936	WScript.exe	43
PID 2348 wrote to memory of 948	2348	powershell.exe	45
PID 2348 wrote to memory of 948	2348	powershell.exe	45
PID 2348 wrote to memory of 948	2348	powershell.exe	45
PID 2936 wrote to memory of 2284	2936	WScript.exe	46
PID 2936 wrote to memory of 2284	2936	WScript.exe	46
PID 2936 wrote to memory of 2284	2936	WScript.exe	46
PID 2284 wrote to memory of 2240	2284	powershell.exe	48
PID 2284 wrote to memory of 2240	2284	powershell.exe	48
PID 2284 wrote to memory of 2240	2284	powershell.exe	48
PID 2936 wrote to memory of 1700	2936	WScript.exe	49
PID 2936 wrote to memory of 1700	2936	WScript.exe	49
PID 2936 wrote to memory of 1700	2936	WScript.exe	49
PID 1700 wrote to memory of 2556	1700	powershell.exe	51
PID 1700 wrote to memory of 2556	1700	powershell.exe	51
PID 1700 wrote to memory of 2556	1700	powershell.exe	51
PID 2936 wrote to memory of 340	2936	WScript.exe	52
PID 2936 wrote to memory of 340	2936	WScript.exe	52
PID 2936 wrote to memory of 340	2936	WScript.exe	52
PID 340 wrote to memory of 2268	340	powershell.exe	54
PID 340 wrote to memory of 2268	340	powershell.exe	54
PID 340 wrote to memory of 2268	340	powershell.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:2004

C:\Windows\system32\taskeng.exe
taskeng.exe {3D3A7DC3-3A05-4AD6-84C9-96AA1E6DACA3} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2708" "1240"
      4⤵
      PID:1168
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "560" "1240"
      4⤵
      PID:2968
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2364" "1236"
      4⤵
      PID:2436
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2348" "1244"
      4⤵
      PID:948
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2284" "1244"
      4⤵
      PID:2240
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1700" "1248"
      4⤵
      PID:2556
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:340
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "340" "1236"
      4⤵
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259486376.txt

Filesize
1KB

MD5
266c821ed5c8dd3bd2390b4bdc1aa3f0

SHA1
0ab766512d2a2f2e9ed7eb84f77f6c6a50665542

SHA256
31af2e937f8b2079a55dd891f98a98a30527d0eb3ef525187572b076b48a1540

SHA512
120406f3d84a8ddb279182572f9089fe3f076ffb7364da28d1c404d9151c206ab2d0fe98141edaf440cad14438cd77ab452635050abe2864c5472609851134c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259502456.txt

Filesize
1KB

MD5
af1b6228426c54fb436b346b409ad944

SHA1
14feb6c8bd13fee55a388efb17c7f2025b53a046

SHA256
bb600da94660a02b58bfa5c2691efb10b60d8ae93df804261cc0dd6dbb72557f

SHA512
3648f1006c09bfea2c18d772c69ef78af9b25abab725aa1c5d1bf754dc2e1e05526248d09258cc744c3831109c080c2cda2c852cc2297ccbcb13748962d7bc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259515595.txt

Filesize
1KB

MD5
fc224d76fe4f85fe2df1c9d5e3ba3a3e

SHA1
2b099cd11d6ba714786c992bd162ae1a0bd6bb38

SHA256
ef73e0aa43c986bcf7bd4b4112a034e738c9158ba939e66a7059d2d7d8c40267

SHA512
6b7317aa525cdb89af77d7084c5ad719ee35df41c2541cb11fa8d42e4d6536ad70be4977f1917a955435371b610fb68f4463bb41b61c9541a968f5f5bf3ceb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259530829.txt

Filesize
1KB

MD5
9b8a4ae86f77cdc2b3b6f50070ffe35d

SHA1
a05cfb6bfe00fef4afeb7324ba33f6b8181ce6ef

SHA256
fb0b67cc74b8ebdb25fbeba7131943aa395e4cfc311d64fc55fef1b4dc0c514e

SHA512
a06d1c74b8f7698498367a9ab15dada3d4bca74f8ba755de4c2d603c80af1926f17c525aa5f0ecd1fdf3b5eb853ab097430ad48b8a03fe9717385f26effaf293

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259550272.txt

Filesize
1KB

MD5
d411d7e96f38272e30ab52c8167e10ad

SHA1
4922162cfde7fd0dd2e915978c82a8b2bad88fc6

SHA256
a765bbe9ccc400bfd3397867805f3da215c02bba027ef8daf7f16d24167e6cb2

SHA512
08168284abae413beee015e7b8d06245e784638378b65b94ed90d10e697b377cf384a49d194dc9b7ae8aa951dc34f046cc7b14c05b5588a44665eb5d53004363

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259561811.txt

Filesize
1KB

MD5
576014a1845b254fba5b056766b5268f

SHA1
cbc03cea8b1af808a5b29682beae63ee29971adc

SHA256
56318a771e422c1c820465f96d6251a903532fb5dc8f49f59634a25b353038e4

SHA512
949781a321a1a5180998042afd7c18c06f5ee26937aac0f84b6914d7e1e43647b249763e227c3fc197d7b26554d4a267d421517655df699b1f85478fcbffc0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259578448.txt

Filesize
1KB

MD5
4bd07e5398de3bea31beb73a4c98e519

SHA1
acb34adb114138f493025005f2f99c90e028f8d8

SHA256
1d41e46f04fd89bad5e441df88bb656c30f929c2069274f8d82650fc969f04bd

SHA512
95878841b22f001ee5f9cdc320952da4b49b54635a6d4ccd9f4cbd53296ea6cb474a0ad813df0a4c399b5a34eaade643ef7f8bf4b6081e2910c326a8ae8ef1dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4e3e41f28c09e664532ef75bd47bdb95

SHA1
a47b15f614816e2d70176567371fa1eb7aeb69b2

SHA256
39c734a8d6d35752d6ec6e2aeea2fcb59022582dff034eddecf7cfc2d5d091c3

SHA512
7626140ce831d59145dddf79692e7528f44b3f98a2fc68f1ec14ed14caebe17a59b151a2f0822949d2b1e4e0e27ed72370f700bfdbbf002969d7156b9d049bea

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/560-16-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/560-17-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2708-8-0x0000000002BE0000-0x0000000002BE8000-memory.dmp

Filesize
32KB

Download
memory/2708-7-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2708-6-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download