5edc00ae5ea6c8a2453bfaacf8b4cf6360027e1c066bd3c96dc4106af5c3b88f

Analysis

max time kernel
150s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3004	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2728	powershell.exe
2728	powershell.exe
1332	powershell.exe
1332	powershell.exe
2500	powershell.exe
2500	powershell.exe
2640	powershell.exe
2640	powershell.exe
1796	powershell.exe
1796	powershell.exe
1752	powershell.exe
1752	powershell.exe
1628	powershell.exe
1628	powershell.exe
2832	powershell.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3000	2312	taskeng.exe	30
PID 2312 wrote to memory of 3000	2312	taskeng.exe	30
PID 2312 wrote to memory of 3000	2312	taskeng.exe	30
PID 3000 wrote to memory of 2728	3000	WScript.exe	32
PID 3000 wrote to memory of 2728	3000	WScript.exe	32
PID 3000 wrote to memory of 2728	3000	WScript.exe	32
PID 2728 wrote to memory of 288	2728	powershell.exe	34
PID 2728 wrote to memory of 288	2728	powershell.exe	34
PID 2728 wrote to memory of 288	2728	powershell.exe	34
PID 3000 wrote to memory of 1332	3000	WScript.exe	35
PID 3000 wrote to memory of 1332	3000	WScript.exe	35
PID 3000 wrote to memory of 1332	3000	WScript.exe	35
PID 1332 wrote to memory of 2552	1332	powershell.exe	37
PID 1332 wrote to memory of 2552	1332	powershell.exe	37
PID 1332 wrote to memory of 2552	1332	powershell.exe	37
PID 3000 wrote to memory of 2500	3000	WScript.exe	38
PID 3000 wrote to memory of 2500	3000	WScript.exe	38
PID 3000 wrote to memory of 2500	3000	WScript.exe	38
PID 2500 wrote to memory of 1140	2500	powershell.exe	40
PID 2500 wrote to memory of 1140	2500	powershell.exe	40
PID 2500 wrote to memory of 1140	2500	powershell.exe	40
PID 3000 wrote to memory of 2640	3000	WScript.exe	41
PID 3000 wrote to memory of 2640	3000	WScript.exe	41
PID 3000 wrote to memory of 2640	3000	WScript.exe	41
PID 2640 wrote to memory of 2112	2640	powershell.exe	43
PID 2640 wrote to memory of 2112	2640	powershell.exe	43
PID 2640 wrote to memory of 2112	2640	powershell.exe	43
PID 3000 wrote to memory of 1796	3000	WScript.exe	44
PID 3000 wrote to memory of 1796	3000	WScript.exe	44
PID 3000 wrote to memory of 1796	3000	WScript.exe	44
PID 1796 wrote to memory of 2296	1796	powershell.exe	46
PID 1796 wrote to memory of 2296	1796	powershell.exe	46
PID 1796 wrote to memory of 2296	1796	powershell.exe	46
PID 3000 wrote to memory of 1752	3000	WScript.exe	47
PID 3000 wrote to memory of 1752	3000	WScript.exe	47
PID 3000 wrote to memory of 1752	3000	WScript.exe	47
PID 1752 wrote to memory of 2484	1752	powershell.exe	49
PID 1752 wrote to memory of 2484	1752	powershell.exe	49
PID 1752 wrote to memory of 2484	1752	powershell.exe	49
PID 3000 wrote to memory of 1628	3000	WScript.exe	50
PID 3000 wrote to memory of 1628	3000	WScript.exe	50
PID 3000 wrote to memory of 1628	3000	WScript.exe	50
PID 1628 wrote to memory of 2632	1628	powershell.exe	52
PID 1628 wrote to memory of 2632	1628	powershell.exe	52
PID 1628 wrote to memory of 2632	1628	powershell.exe	52
PID 3000 wrote to memory of 2832	3000	WScript.exe	53
PID 3000 wrote to memory of 2832	3000	WScript.exe	53
PID 3000 wrote to memory of 2832	3000	WScript.exe	53
PID 2832 wrote to memory of 2560	2832	powershell.exe	55
PID 2832 wrote to memory of 2560	2832	powershell.exe	55
PID 2832 wrote to memory of 2560	2832	powershell.exe	55
PID 3000 wrote to memory of 2608	3000	WScript.exe	56
PID 3000 wrote to memory of 2608	3000	WScript.exe	56
PID 3000 wrote to memory of 2608	3000	WScript.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:3004

C:\Windows\system32\taskeng.exe
taskeng.exe {89F4EE23-31C9-4104-BEA5-DB01C8F82107} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2728" "1248"
      4⤵
      PID:288
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1332" "1260"
      4⤵
      PID:2552
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2500" "1248"
      4⤵
      PID:1140
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2640" "1256"
      4⤵
      PID:2112
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1796" "1252"
      4⤵
      PID:2296
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1752" "1256"
      4⤵
      PID:2484
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1628" "1256"
      4⤵
      PID:2632
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2832" "1260"
      4⤵
      PID:2560
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259544867.txt

Filesize
1KB

MD5
55d36be435c356bd70190071bb310cdf

SHA1
a4fd9782f5e5ac44ec6c16646f4ccf3878841b51

SHA256
719e093af76d4af96a7aabd882f047ca34a0dad410cce9ba726e4c995fd59d01

SHA512
f52adc424313ff543224de38114d4275a5f813904ff4130b104b470494ba56f1f4b7829f20c9de331fc62eef377bce103681f99fe34ed652581d486d8dd2ef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259560052.txt

Filesize
1KB

MD5
df692f33a4fbeedf9fa3380a68aa82da

SHA1
b8f569690d93761eb7ef61be53e0cb65eb9c1ce6

SHA256
b0d073d8429d18243ff46a27b7be0c0729aa21571d54d30c5e9a8cd1bf610672

SHA512
a6c70e126a995a40314ac087ab9ee4fed12412be359f1b635fd0b7e4dc91047cc9ce60950a0db7e8fdb5683df015ce768e94c015a8983b709df277b9b3584f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259579365.txt

Filesize
1KB

MD5
e4d613853ff3563296274991661bcde3

SHA1
59117412e09de09c092745db12ca06ef7e91a114

SHA256
1df54beab0243d8d5b4727c08586a09bb40eb1c59522ae3d2af7601905752dfc

SHA512
6a9526719cbd7b95dfa44b9a13537ad9fadf88f25f2e5b1b26f7e9b31fc6e18c8b71f49719d61f2a85a784e28005da474efc30cce8e49f4f58adc57d623a4e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259594805.txt

Filesize
1KB

MD5
305828ba2eea2c80a194168fdaa6c7c3

SHA1
4eedd0518e6785790f25761af595448de02121f8

SHA256
49a8b0f6804d1b8651cea394aba24d9c14c40764637a6e63c5da9207b7f2d97f

SHA512
acee9ca8e05d785b0614143cf4df8c386f03da431ab9bccafd0360b0eb5c917957681ac1ff65d07cba3eaddbaf9fe590bbb7670ef84979302881c6f5f91e1776

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259607639.txt

Filesize
1KB

MD5
33633085c2c790c1780f165515e341c3

SHA1
cfa2417925a272bd7891d9f0b1856470c066fab9

SHA256
e7fb12db588aac4c7b245f8af7eaae667813eeb3f6f8ae12d76801695528da86

SHA512
e9604b37addbe9c1c8ea5793924bbbe95105af7c982d40f60c84720021e54301201a9aa9b7c22ab840b773e06c8088c98ec531aedcaa51e2bf57855c516f2302

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259620950.txt

Filesize
1KB

MD5
65bad45439d713bb8f941a3610a67fc7

SHA1
ac3c6f6e27e1c1c563c3d081934e1935c265d646

SHA256
6dd8435e707266945cb4fd3a7d627c81769c7f3b4ffc7ce1e0af854ae23df790

SHA512
33ef33279f086d194ffb1c8ede0e41da2141b9b14f1bd0cd8418cf7edfebbeab6d597def04e2548efe65d06ba13d8a9c87c68ab6fa68585e1ae61c2f31ef9b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259637861.txt

Filesize
1KB

MD5
bbfd723ab27da2448661ca484bdac4f7

SHA1
eb6beb5a94902f541de409584590af630a1dc91b

SHA256
1afcbbbf3f9a50bae296898a7909554c5f3278c9b46baf523af0c0294f1f3f85

SHA512
f628a7aa8ec188c3cdffddd5ec8530373a2ade9ce6f2aad9afc24928e68ee1125952344df344fb463a7b85a6174ea04b160c2420921af9ff732c3f2330961d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259656496.txt

Filesize
1KB

MD5
92812b60930b89f869bcaaae85aebdbd

SHA1
8d1b7e8f98682ce8523a47afe18eb54e1d967f0b

SHA256
03df8683b569e908cde384426c64d2e36d8cae6d066bc6f603c58f81672f89e9

SHA512
db8c3f30ffebff458b85f73d6d705da00a979c15bf03cc5f6853dc91cbdbf395610978035501c634684035a6d01f25bc53f5a8207444a68c5322240fa1609e18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
25b3a8eb438c09e88d89962d76665717

SHA1
ac32b0cc270c5e2f15da66bd3d28360c23c86e00

SHA256
aafd5e0ee7d41524d1beeebcd4176c72d77b8d53ed70fec53c110c05e4f28b61

SHA512
72c43294da4f23ec8ba947de1fd2628e80cdf97deec8743cbcb4c339954f104c304030ffcaab58a786f0012deaa9443ab6c9c8f2f17e6507d1568b2b10852bc3

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/1332-17-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/1332-16-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2728-7-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2728-6-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2728-8-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download