5edc00ae5ea6c8a2453bfaacf8b4cf6360027e1c066bd3c96dc4106af5c3b88f

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/01/2025, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2708	WScript.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1476	powershell.exe
1476	powershell.exe
2952	powershell.exe
2952	powershell.exe
2928	powershell.exe
2928	powershell.exe
2160	powershell.exe
2160	powershell.exe
668	powershell.exe
668	powershell.exe
2360	powershell.exe
2360	powershell.exe
876	powershell.exe
876	powershell.exe
2900	powershell.exe
2900	powershell.exe
2328	powershell.exe
2328	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2608	2644	taskeng.exe	32
PID 2644 wrote to memory of 2608	2644	taskeng.exe	32
PID 2644 wrote to memory of 2608	2644	taskeng.exe	32
PID 2608 wrote to memory of 1476	2608	WScript.exe	34
PID 2608 wrote to memory of 1476	2608	WScript.exe	34
PID 2608 wrote to memory of 1476	2608	WScript.exe	34
PID 1476 wrote to memory of 2524	1476	powershell.exe	36
PID 1476 wrote to memory of 2524	1476	powershell.exe	36
PID 1476 wrote to memory of 2524	1476	powershell.exe	36
PID 2608 wrote to memory of 2952	2608	WScript.exe	37
PID 2608 wrote to memory of 2952	2608	WScript.exe	37
PID 2608 wrote to memory of 2952	2608	WScript.exe	37
PID 2952 wrote to memory of 2696	2952	powershell.exe	39
PID 2952 wrote to memory of 2696	2952	powershell.exe	39
PID 2952 wrote to memory of 2696	2952	powershell.exe	39
PID 2608 wrote to memory of 2928	2608	WScript.exe	40
PID 2608 wrote to memory of 2928	2608	WScript.exe	40
PID 2608 wrote to memory of 2928	2608	WScript.exe	40
PID 2928 wrote to memory of 748	2928	powershell.exe	42
PID 2928 wrote to memory of 748	2928	powershell.exe	42
PID 2928 wrote to memory of 748	2928	powershell.exe	42
PID 2608 wrote to memory of 2160	2608	WScript.exe	43
PID 2608 wrote to memory of 2160	2608	WScript.exe	43
PID 2608 wrote to memory of 2160	2608	WScript.exe	43
PID 2160 wrote to memory of 852	2160	powershell.exe	45
PID 2160 wrote to memory of 852	2160	powershell.exe	45
PID 2160 wrote to memory of 852	2160	powershell.exe	45
PID 2608 wrote to memory of 668	2608	WScript.exe	46
PID 2608 wrote to memory of 668	2608	WScript.exe	46
PID 2608 wrote to memory of 668	2608	WScript.exe	46
PID 668 wrote to memory of 1668	668	powershell.exe	48
PID 668 wrote to memory of 1668	668	powershell.exe	48
PID 668 wrote to memory of 1668	668	powershell.exe	48
PID 2608 wrote to memory of 2360	2608	WScript.exe	49
PID 2608 wrote to memory of 2360	2608	WScript.exe	49
PID 2608 wrote to memory of 2360	2608	WScript.exe	49
PID 2360 wrote to memory of 3044	2360	powershell.exe	51
PID 2360 wrote to memory of 3044	2360	powershell.exe	51
PID 2360 wrote to memory of 3044	2360	powershell.exe	51
PID 2608 wrote to memory of 876	2608	WScript.exe	52
PID 2608 wrote to memory of 876	2608	WScript.exe	52
PID 2608 wrote to memory of 876	2608	WScript.exe	52
PID 876 wrote to memory of 2804	876	powershell.exe	54
PID 876 wrote to memory of 2804	876	powershell.exe	54
PID 876 wrote to memory of 2804	876	powershell.exe	54
PID 2608 wrote to memory of 2900	2608	WScript.exe	55
PID 2608 wrote to memory of 2900	2608	WScript.exe	55
PID 2608 wrote to memory of 2900	2608	WScript.exe	55
PID 2900 wrote to memory of 2100	2900	powershell.exe	57
PID 2900 wrote to memory of 2100	2900	powershell.exe	57
PID 2900 wrote to memory of 2100	2900	powershell.exe	57
PID 2608 wrote to memory of 2328	2608	WScript.exe	58
PID 2608 wrote to memory of 2328	2608	WScript.exe	58
PID 2608 wrote to memory of 2328	2608	WScript.exe	58
PID 2328 wrote to memory of 2488	2328	powershell.exe	60
PID 2328 wrote to memory of 2488	2328	powershell.exe	60
PID 2328 wrote to memory of 2488	2328	powershell.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:2708

C:\Windows\system32\taskeng.exe
taskeng.exe {AF06632F-CECA-4F35-A565-7BE58F2DD261} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1476" "1364"
      4⤵
      PID:2524
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2952" "1240"
      4⤵
      PID:2696
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2928" "1240"
      4⤵
      PID:748
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2160" "1248"
      4⤵
      PID:852
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "668" "1228"
      4⤵
      PID:1668
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2360" "1244"
      4⤵
      PID:3044
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "876" "1236"
      4⤵
      PID:2804
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2900" "1244"
      4⤵
      PID:2100
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2328" "1240"
      4⤵
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259450479.txt

Filesize
1KB

MD5
37645d74266fa8abe1db566d856d46dd

SHA1
d2260807a6a81cb5969eb1776ae5a29e9809fd6f

SHA256
e957d92e863677944866059ad5d65b6f07dcea4ae7bc75766a671a13944d4c51

SHA512
9f5f406713e3fdeade9e4ef704947e19bce020cb75972d116e1fc282608bff73f3f17cf397bc7b15f70156dce6ee249678dfb78f9166679e5bf62f6896e225ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259462185.txt

Filesize
1KB

MD5
328e9f1901353c442ea7f176b3e290fb

SHA1
23b3074d863298d2348ec13c97b583b60f529f0c

SHA256
ceb47f7ea4c78114553ff6d176a2bf6baa53fc17adf441cd9e619bade30fc61d

SHA512
03cf6b7c6851f9f352776ba900a46e1d5e2f4e3d2c05340f5a9bd9929670092a2d01d236f6361d44c5afcc987fee1f7d417c21c4600235d6bb5a4765684fff26

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259477841.txt

Filesize
1KB

MD5
e5c9b71b557e5aef2d969b16e3fb380e

SHA1
c0d246f05d1e777179936b7b5cdaed95ab974514

SHA256
698edfcc8e05942a9206c1917b7ae82870c425f08fe5e949a46eb9783ad066f7

SHA512
9693c40b0b1b44b063b62ecd46ff7398d97f2f2c6e250b944ba8ac70711a6d8bac4cbe449bd7ae3ad1e95dac5db54881b65c41e9b07e92d983d09237d5b66c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259497277.txt

Filesize
1KB

MD5
78fbfdaeca7b7113f359f696ae2a12dc

SHA1
d257e54ec3866160aac126ca7351307518613915

SHA256
5fb50ebf951e069dbe8fb8705a18fdc6e4cfd8884884f4121aeb58c6b10069fd

SHA512
dcdac84fe1de5dbaf000673a704074fa7f8679188ea8df9f97a234d1b18ea0ca433937f2a1acbaf607d6adc12c93cd26fec9270051495324db813d7296d22f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259510981.txt

Filesize
1KB

MD5
8d7a516b6a6a8ed53d37e4d63e820851

SHA1
f4d7bb76fa013fbf8f5854b8e8f101c9614fea6e

SHA256
039c364ba15817029e0afcd3309e2740e556908c26e2bc21d11ddd9359cf9d50

SHA512
3c8301ab9212e33153ab4e9a29960c4a7f59320195245c8e18e540e91a2d6e5c7dad45383ace909e1d6cb46940503b83bdbce59d16c4ee5bf0435381c3841723

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259523307.txt

Filesize
1KB

MD5
999b10c0c4ecaf2e9890267ae57cf62f

SHA1
afa65657fe9380bfd9f8dd1100e37bfbb030c093

SHA256
e99be4a3a739ebd7568a938117056ae7afa04b267801a2404f15952c842a0dac

SHA512
a0a5527944b0e16ff64f2276e113ba4aae234e957b7afae866d2fc3fe2049b4a9721ffe8f751a5c27953b18d254a752cbceaaa33a7ecfb384d0155221311f0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259540066.txt

Filesize
1KB

MD5
55c9e2e8e8d4e6ae8a4d14c3b6ead0a7

SHA1
dd01697fb3e6c50ca0666616d4ec996f0ac8fca8

SHA256
b8f0f2b1fb9eec9f938272a1b3ea5ed3b1eaa995e0764f0fe92dcaaba690ae92

SHA512
882d36068a51d4d6bc3c4a0e9dd4ee236df3826e603bf5656c4d0438d933e140f3533a2bafe87e3f30889c2f9727fe2bfb3875cc59d59cdb77ca9ad72aea0b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259557836.txt

Filesize
1KB

MD5
357448a36153192914604b56d5a74d95

SHA1
dc76ba2490c3ffcb0ea96854d34dc02c73d6cbf2

SHA256
b24cba01c6e8943d8e63c3c29a56dba4220f89e9c0ec48b4848b48d26a963f61

SHA512
841fbbcb93e60c8a98fd77e0f09ba61b83df900e76920966fece7d85c1b86debfb89e21f72aba7b4d1baa3d811bea9394e95a18062448535a2ee735277189a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259568874.txt

Filesize
1KB

MD5
2f40c62012602593236adb7f4e0dbf21

SHA1
c7805f1c808626395137c715418195a7b6e2e43e

SHA256
a498f910bfc4a9bcf9eac6625f500297312676b6b01fd63dff4a20ba1dcb003f

SHA512
3adbd45d0b94f6bd2bc6a90b3c561ee975f0fd7c8a1d5ad962956cded0deeed0aa8e8a3e8bec1e9aad4dc970ca4824259d97d1e2af18ee09939cd2d686e80d96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b7e68e39240d7d1b48fb74e4e09724b

SHA1
dcabe74f99dc8a421eeac5c8a19788cb476f9d2d

SHA256
9e97742fa4afb7676aedb7d37b14a8ea93ae46289ff546163930b18aca2fc6d5

SHA512
5e37e6aaa582edd702cd24874454e286256f2bd29c712c427f4cf75983d78884ed0b19438e8052a2502b15952318c7dbfdf3c9e8f4eb4255e5322c53efb4c098

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LGLW92RXWHBPOEN25QM4.temp

Filesize
7KB

MD5
94a0367185aa385d44488b46c593d785

SHA1
457175c6d7b8d8cb2770459efd92f2216c53faf6

SHA256
25740a5372fecea327f66ede6491f387b15becd8541dfd933772581718a1b5e9

SHA512
2fd91d5f9793c6017650759daf7c4b95ba185d8e0f0fd6f3b42ced46dd3c08c046c3b2bca8d4c4feffe910e727482e4eb9e9b8477bfe4e2bba8c9fd7c4208478

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/1476-7-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1476-6-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2952-17-0x0000000002060000-0x0000000002068000-memory.dmp

Filesize
32KB

Download
memory/2952-16-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2952-15-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download