1a8d599848e922f122bf3ab673b87369f05eb2746d0b6b0833aefb137341d58b

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	316	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2764	powershell.exe
2764	powershell.exe
2664	powershell.exe
2664	powershell.exe
2084	powershell.exe
2084	powershell.exe
1792	powershell.exe
1792	powershell.exe
1324	powershell.exe
1324	powershell.exe
2980	powershell.exe
2980	powershell.exe
2100	powershell.exe
2100	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1264	1784	taskeng.exe	32
PID 1784 wrote to memory of 1264	1784	taskeng.exe	32
PID 1784 wrote to memory of 1264	1784	taskeng.exe	32
PID 1264 wrote to memory of 2764	1264	WScript.exe	34
PID 1264 wrote to memory of 2764	1264	WScript.exe	34
PID 1264 wrote to memory of 2764	1264	WScript.exe	34
PID 2764 wrote to memory of 2696	2764	powershell.exe	36
PID 2764 wrote to memory of 2696	2764	powershell.exe	36
PID 2764 wrote to memory of 2696	2764	powershell.exe	36
PID 1264 wrote to memory of 2664	1264	WScript.exe	37
PID 1264 wrote to memory of 2664	1264	WScript.exe	37
PID 1264 wrote to memory of 2664	1264	WScript.exe	37
PID 2664 wrote to memory of 2360	2664	powershell.exe	39
PID 2664 wrote to memory of 2360	2664	powershell.exe	39
PID 2664 wrote to memory of 2360	2664	powershell.exe	39
PID 1264 wrote to memory of 2084	1264	WScript.exe	40
PID 1264 wrote to memory of 2084	1264	WScript.exe	40
PID 1264 wrote to memory of 2084	1264	WScript.exe	40
PID 2084 wrote to memory of 804	2084	powershell.exe	42
PID 2084 wrote to memory of 804	2084	powershell.exe	42
PID 2084 wrote to memory of 804	2084	powershell.exe	42
PID 1264 wrote to memory of 1792	1264	WScript.exe	43
PID 1264 wrote to memory of 1792	1264	WScript.exe	43
PID 1264 wrote to memory of 1792	1264	WScript.exe	43
PID 1792 wrote to memory of 2180	1792	powershell.exe	45
PID 1792 wrote to memory of 2180	1792	powershell.exe	45
PID 1792 wrote to memory of 2180	1792	powershell.exe	45
PID 1264 wrote to memory of 1324	1264	WScript.exe	46
PID 1264 wrote to memory of 1324	1264	WScript.exe	46
PID 1264 wrote to memory of 1324	1264	WScript.exe	46
PID 1324 wrote to memory of 2156	1324	powershell.exe	48
PID 1324 wrote to memory of 2156	1324	powershell.exe	48
PID 1324 wrote to memory of 2156	1324	powershell.exe	48
PID 1264 wrote to memory of 2980	1264	WScript.exe	49
PID 1264 wrote to memory of 2980	1264	WScript.exe	49
PID 1264 wrote to memory of 2980	1264	WScript.exe	49
PID 2980 wrote to memory of 2020	2980	powershell.exe	51
PID 2980 wrote to memory of 2020	2980	powershell.exe	51
PID 2980 wrote to memory of 2020	2980	powershell.exe	51
PID 1264 wrote to memory of 2100	1264	WScript.exe	52
PID 1264 wrote to memory of 2100	1264	WScript.exe	52
PID 1264 wrote to memory of 2100	1264	WScript.exe	52
PID 2100 wrote to memory of 2788	2100	powershell.exe	54
PID 2100 wrote to memory of 2788	2100	powershell.exe	54
PID 2100 wrote to memory of 2788	2100	powershell.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:316

C:\Windows\system32\taskeng.exe
taskeng.exe {F982A603-AE4A-4B44-BD01-D3747560998F} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2764" "1244"
      4⤵
      PID:2696
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2664" "1236"
      4⤵
      PID:2360
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2084" "1248"
      4⤵
      PID:804
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1792" "1236"
      4⤵
      PID:2180
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1324" "1248"
      4⤵
      PID:2156
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2980" "1240"
      4⤵
      PID:2020
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2100" "1244"
      4⤵
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259480876.txt

Filesize
1KB

MD5
5aaaaade042513a8ed4039e9e815ac4c

SHA1
c230aa514cf8e52d84412ef38ec312290ec10c31

SHA256
36fe846fc45249579d9fffea7d9ec82e966f2f46f643c4f85bb1246daabd6fbb

SHA512
0a72adf0a351a078096b0519b301283d048125d0746dfab52f76b52ead4a572b73e16e8fc60399ebe5bd029a2471ba6057ddf2138c777e0e5e2eec5b2342d3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259496734.txt

Filesize
1KB

MD5
fb92b90e217ffaac1e580005711c5476

SHA1
68624f3b9034a4cf3ae03314a3717f3d7855904b

SHA256
9c681380c54d85cd713cf8f0069c08e6bbe6da6e341b553aaf9139d4ffcf1d7f

SHA512
ac079e88deb8e9f31882fdb6ca26897c03b8571830b726780189df8962a14b67d53b8bf8dc92a4eb2de557dacc7081423da074fdf63eecc8c8efaa633dadc415

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259507201.txt

Filesize
1KB

MD5
387d97fe9e07a15afe57f4cddab7650e

SHA1
90cdd1896ba09fb359ed53abcd70d459b4539d74

SHA256
198b52e9d2d5e8abc2bfcde209a0c2d3566360793b6f5c64a2cab99ae7ac84c6

SHA512
3c442f15f8e1c99a36eec1ac59f340a7ca7abb28713eed23be600a9de502c53664b566effd4b83214bbf38e264092945ecece3c1086766d762d2c3442a992f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259523044.txt

Filesize
1KB

MD5
21f1d75e74ef3bde04a05ac6cc45299a

SHA1
e381534bf401494d529d343509d0872200673320

SHA256
65d1985f6dd4e961ca99bc01996d0cd5a751a5883d99bcbbb7ca00b873ab2357

SHA512
9999b4edfeec603cd9dfac05a01134ee0b6af3f2d982a8493b0933da98c5206a17720140c2f838fd39da832598214f447af00435d17d65e16413e45f58995629

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259540221.txt

Filesize
1KB

MD5
49d4c399ea6050775cd0169dfde0b36d

SHA1
f2871f156018cca26e5371049cb817a4b8dd59ee

SHA256
03006cd501a44341a7e97aecb6b97d688b5fd356f986b7294c7805f3d1d18ef9

SHA512
588159517849d6d27470876daf54a38d3cf24537a5df96aefcc85204e826e1644a6f0577cd1d6764275c121ec4936ccee007be9f5e0d174b4a639a45b50db5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259571624.txt

Filesize
1KB

MD5
6b16aff8d4ca9a19eab18e9415f2853b

SHA1
bb0dfe8b7320e51b68b679e7a1f57aeca4d4d333

SHA256
64ef4144b0a1889563c9eb8631fd974cf6da321c764e885910d4634fee6dc133

SHA512
a988b01164546e42e90b63ff3e4c824a1ae9f7cb147f957f36db3c0bc559bbda5828bfaf87aae712b1b55a306e389f4144334c47ae296670dc2b7975afd1dbf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WAYLSYDO7CZUBF9ZLS26.temp

Filesize
7KB

MD5
9a22ab66e3c620753a9686592b8efb90

SHA1
75c352a134429df41af9e34c11c8bc29d5330513

SHA256
84edfb7a51ca12cdd41cb33e2e25edead46868d0368e0332a380c0a17adba17b

SHA512
2ae3aa547e65e004511df9219f9540165d68329949227917a42b5742ce42dede91bc1b0baf2ddef6f001cb27443d08262d3e69e264ef3b59d98a14eca6766b66

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/2664-16-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-17-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2764-8-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2764-7-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2764-6-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download