5edc00ae5ea6c8a2453bfaacf8b4cf6360027e1c066bd3c96dc4106af5c3b88f

Analysis

max time kernel
146s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2324	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2628	powershell.exe
2628	powershell.exe
1712	powershell.exe
1712	powershell.exe
2400	powershell.exe
2400	powershell.exe
2104	powershell.exe
2104	powershell.exe
3064	powershell.exe
3064	powershell.exe
3008	powershell.exe
3008	powershell.exe
1032	powershell.exe
1032	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2500	2844	taskeng.exe	31
PID 2844 wrote to memory of 2500	2844	taskeng.exe	31
PID 2844 wrote to memory of 2500	2844	taskeng.exe	31
PID 2500 wrote to memory of 2628	2500	WScript.exe	33
PID 2500 wrote to memory of 2628	2500	WScript.exe	33
PID 2500 wrote to memory of 2628	2500	WScript.exe	33
PID 2628 wrote to memory of 2536	2628	powershell.exe	35
PID 2628 wrote to memory of 2536	2628	powershell.exe	35
PID 2628 wrote to memory of 2536	2628	powershell.exe	35
PID 2500 wrote to memory of 1712	2500	WScript.exe	36
PID 2500 wrote to memory of 1712	2500	WScript.exe	36
PID 2500 wrote to memory of 1712	2500	WScript.exe	36
PID 1712 wrote to memory of 2280	1712	powershell.exe	38
PID 1712 wrote to memory of 2280	1712	powershell.exe	38
PID 1712 wrote to memory of 2280	1712	powershell.exe	38
PID 2500 wrote to memory of 2400	2500	WScript.exe	39
PID 2500 wrote to memory of 2400	2500	WScript.exe	39
PID 2500 wrote to memory of 2400	2500	WScript.exe	39
PID 2400 wrote to memory of 2256	2400	powershell.exe	41
PID 2400 wrote to memory of 2256	2400	powershell.exe	41
PID 2400 wrote to memory of 2256	2400	powershell.exe	41
PID 2500 wrote to memory of 2104	2500	WScript.exe	42
PID 2500 wrote to memory of 2104	2500	WScript.exe	42
PID 2500 wrote to memory of 2104	2500	WScript.exe	42
PID 2104 wrote to memory of 688	2104	powershell.exe	44
PID 2104 wrote to memory of 688	2104	powershell.exe	44
PID 2104 wrote to memory of 688	2104	powershell.exe	44
PID 2500 wrote to memory of 3064	2500	WScript.exe	45
PID 2500 wrote to memory of 3064	2500	WScript.exe	45
PID 2500 wrote to memory of 3064	2500	WScript.exe	45
PID 3064 wrote to memory of 1948	3064	powershell.exe	47
PID 3064 wrote to memory of 1948	3064	powershell.exe	47
PID 3064 wrote to memory of 1948	3064	powershell.exe	47
PID 2500 wrote to memory of 3008	2500	WScript.exe	48
PID 2500 wrote to memory of 3008	2500	WScript.exe	48
PID 2500 wrote to memory of 3008	2500	WScript.exe	48
PID 3008 wrote to memory of 2188	3008	powershell.exe	50
PID 3008 wrote to memory of 2188	3008	powershell.exe	50
PID 3008 wrote to memory of 2188	3008	powershell.exe	50
PID 2500 wrote to memory of 1032	2500	WScript.exe	51
PID 2500 wrote to memory of 1032	2500	WScript.exe	51
PID 2500 wrote to memory of 1032	2500	WScript.exe	51
PID 1032 wrote to memory of 2896	1032	powershell.exe	53
PID 1032 wrote to memory of 2896	1032	powershell.exe	53
PID 1032 wrote to memory of 2896	1032	powershell.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:2324

C:\Windows\system32\taskeng.exe
taskeng.exe {8BD25A1D-0E59-44A7-A192-DF9C59F7EE25} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2628" "1248"
      4⤵
      PID:2536
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1712" "1236"
      4⤵
      PID:2280
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2400" "1240"
      4⤵
      PID:2256
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2104" "1240"
      4⤵
      PID:688
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3064" "1240"
      4⤵
      PID:1948
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3008" "1244"
      4⤵
      PID:2188
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1032" "1232"
      4⤵
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259483768.txt

Filesize
1KB

MD5
f74fa3f9d3c01010105b6a2d0dfa4257

SHA1
b8cd04d8f0e657ce74da18ee3dd3f154d5abd969

SHA256
2ad5bc4a93e887383a90c47006af3d8f1c52f59a8b0cd18c5e7888f74a0d5f40

SHA512
e145d83d53f34fd54d55caa6bef7569b479327e33199c80e175b64c711b9fdbee663ab2fa037d789a9b7ac46a8c615d7fba00d61bfada33a85042451e82a0add

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259496890.txt

Filesize
1KB

MD5
17521299d9adb0c2193dd73b7a68f711

SHA1
403e7ea04cb166114d0765e6d356609d77886a41

SHA256
1be5c8d3870e1c3ce41aeefdcf57e3b927fff2e02dfff1af9bdb44f429c21f21

SHA512
996bc21afcda02921c127435069f37be29a7598d9d33505a821a7a8de5bd96a825799c58c1a3329c8c1658fb106ebf140ef3877f471a4ee1314a62a3ce0cd00a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514058.txt

Filesize
1KB

MD5
fb82b5f4fb168f6ef3a2da1bc3f513ed

SHA1
00d95452ef35883a050c9369024144e3856d741e

SHA256
53fe195be8bf49d0b5f48a13fad5241726da65c7c9af77be83b85c7887251d14

SHA512
570cb75819b7e584d0d0912820815651982f762fb7bbb0b099c1a85e469aa9306361e280c3f9e1703e268a6facedb15c40d9aa8ec3e668d95da7a094cb2254c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259529499.txt

Filesize
1KB

MD5
61ab687ba9dfe1fd4e98f8ef3e7f880e

SHA1
289a969a0d925fd76983b9820f6b18392977ea02

SHA256
416157b0f267d13abeb9fbb496848675c4173cf996c6e98313a707f16f46211f

SHA512
2441f1fa4f11f5c792c07409e1e85ade530ee115881d17a17494360449f22f51ae8d39a339fd721aaa807f905a3aa520de2081c007c7ce2bf715f66188372d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259540457.txt

Filesize
1KB

MD5
793c5de32f06143814412c39f1913f7e

SHA1
764ca14504c78cbb68a3fb560c077b4b7b6e3917

SHA256
96812ef8efd8f8b8189ce5422fc6c66ca4cb933fca04b23003043a50a2c763fe

SHA512
0b54ef77c59080ff32b1098acd2cd3edbc03e38bab3ffbe8df508b9119237f0380cf93a3ff3aaa8dd6e3b0739682af9505b2637d8b1807f486e62fbab8ad8b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259556011.txt

Filesize
1KB

MD5
2103a7eb3d44a7474e92da1891c0ec21

SHA1
2cdb60ee497fe3b067bbf735dc35a4c3f03ecf7e

SHA256
8eb9890e05d9bc62cf7fa186ebd5d5fb290d2f87c2aa91279c8bfb746f653737

SHA512
16ef052889d4ec4d261de82278898b3cd0ab4ff1a3c7efc1f4a80a45b723cfb296ef95c3c3403430018719962fc4c378753b30fdd376b50d43fe93511f504d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259571777.txt

Filesize
1KB

MD5
0047f7c04babbe51dbdc608ddc8ce35a

SHA1
7358c22a387c8958e92eddd3a5c6ccfbde70cf4c

SHA256
7b9e58967c8c8d1cbeb20206edc6a76571b72743f3054b50616575a6e2f1a75b

SHA512
a5dc8991046c0d46293aff294775a78b64dfb4ed05178512ae632d6f383ea28b0eccc6dda7d54c55aef878b19885e7646e63523b69ada7b165622caba448b7fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2b0961f2d4beead10235f13b1232a9be

SHA1
63831d8ee24dc5a0b50652d8a5935ea3ff452a06

SHA256
25322010eb4066d741bf0553751d76da8fb6f1d6acf2e7b517da25b4815d926c

SHA512
99ac4aecbba5c32c9ab4b5326a52e46033389589d64384bc74b670fc3a4f22b555b9525fa4acd7a49f91381336bb12433b64e36c79a7236c58f4fa056dbc27ad

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/1712-16-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1712-17-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2628-8-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

Filesize
32KB

Download
memory/2628-7-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2628-6-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download