d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b

Analysis

max time kernel
138s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2684	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2196	powershell.exe
2196	powershell.exe
2624	powershell.exe
2624	powershell.exe
3024	powershell.exe
3024	powershell.exe
1868	powershell.exe
1868	powershell.exe
2304	powershell.exe
2304	powershell.exe
1040	powershell.exe
1040	powershell.exe
1532	powershell.exe
1532	powershell.exe
692	powershell.exe
692	powershell.exe
1440	powershell.exe
1440	powershell.exe
2232	powershell.exe
2232	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1484	2520	taskeng.exe	32
PID 2520 wrote to memory of 1484	2520	taskeng.exe	32
PID 2520 wrote to memory of 1484	2520	taskeng.exe	32
PID 1484 wrote to memory of 2196	1484	WScript.exe	34
PID 1484 wrote to memory of 2196	1484	WScript.exe	34
PID 1484 wrote to memory of 2196	1484	WScript.exe	34
PID 2196 wrote to memory of 2628	2196	powershell.exe	36
PID 2196 wrote to memory of 2628	2196	powershell.exe	36
PID 2196 wrote to memory of 2628	2196	powershell.exe	36
PID 1484 wrote to memory of 2624	1484	WScript.exe	37
PID 1484 wrote to memory of 2624	1484	WScript.exe	37
PID 1484 wrote to memory of 2624	1484	WScript.exe	37
PID 2624 wrote to memory of 1560	2624	powershell.exe	39
PID 2624 wrote to memory of 1560	2624	powershell.exe	39
PID 2624 wrote to memory of 1560	2624	powershell.exe	39
PID 1484 wrote to memory of 3024	1484	WScript.exe	40
PID 1484 wrote to memory of 3024	1484	WScript.exe	40
PID 1484 wrote to memory of 3024	1484	WScript.exe	40
PID 3024 wrote to memory of 1268	3024	powershell.exe	42
PID 3024 wrote to memory of 1268	3024	powershell.exe	42
PID 3024 wrote to memory of 1268	3024	powershell.exe	42
PID 1484 wrote to memory of 1868	1484	WScript.exe	43
PID 1484 wrote to memory of 1868	1484	WScript.exe	43
PID 1484 wrote to memory of 1868	1484	WScript.exe	43
PID 1868 wrote to memory of 3004	1868	powershell.exe	45
PID 1868 wrote to memory of 3004	1868	powershell.exe	45
PID 1868 wrote to memory of 3004	1868	powershell.exe	45
PID 1484 wrote to memory of 2304	1484	WScript.exe	46
PID 1484 wrote to memory of 2304	1484	WScript.exe	46
PID 1484 wrote to memory of 2304	1484	WScript.exe	46
PID 2304 wrote to memory of 1052	2304	powershell.exe	48
PID 2304 wrote to memory of 1052	2304	powershell.exe	48
PID 2304 wrote to memory of 1052	2304	powershell.exe	48
PID 1484 wrote to memory of 1040	1484	WScript.exe	49
PID 1484 wrote to memory of 1040	1484	WScript.exe	49
PID 1484 wrote to memory of 1040	1484	WScript.exe	49
PID 1040 wrote to memory of 1676	1040	powershell.exe	51
PID 1040 wrote to memory of 1676	1040	powershell.exe	51
PID 1040 wrote to memory of 1676	1040	powershell.exe	51
PID 1484 wrote to memory of 1532	1484	WScript.exe	52
PID 1484 wrote to memory of 1532	1484	WScript.exe	52
PID 1484 wrote to memory of 1532	1484	WScript.exe	52
PID 1532 wrote to memory of 2476	1532	powershell.exe	54
PID 1532 wrote to memory of 2476	1532	powershell.exe	54
PID 1532 wrote to memory of 2476	1532	powershell.exe	54
PID 1484 wrote to memory of 692	1484	WScript.exe	55
PID 1484 wrote to memory of 692	1484	WScript.exe	55
PID 1484 wrote to memory of 692	1484	WScript.exe	55
PID 692 wrote to memory of 2292	692	powershell.exe	57
PID 692 wrote to memory of 2292	692	powershell.exe	57
PID 692 wrote to memory of 2292	692	powershell.exe	57
PID 1484 wrote to memory of 1440	1484	WScript.exe	58
PID 1484 wrote to memory of 1440	1484	WScript.exe	58
PID 1484 wrote to memory of 1440	1484	WScript.exe	58
PID 1440 wrote to memory of 2740	1440	powershell.exe	60
PID 1440 wrote to memory of 2740	1440	powershell.exe	60
PID 1440 wrote to memory of 2740	1440	powershell.exe	60
PID 1484 wrote to memory of 2232	1484	WScript.exe	61
PID 1484 wrote to memory of 2232	1484	WScript.exe	61
PID 1484 wrote to memory of 2232	1484	WScript.exe	61
PID 2232 wrote to memory of 2564	2232	powershell.exe	63
PID 2232 wrote to memory of 2564	2232	powershell.exe	63
PID 2232 wrote to memory of 2564	2232	powershell.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:2684

C:\Windows\system32\taskeng.exe
taskeng.exe {59853046-D464-4534-B872-864C3129B557} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2196" "1240"
      4⤵
      PID:2628
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2624" "1232"
      4⤵
      PID:1560
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3024" "1232"
      4⤵
      PID:1268
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1868" "1236"
      4⤵
      PID:3004
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2304" "1244"
      4⤵
      PID:1052
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1040" "1240"
      4⤵
      PID:1676
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1532" "1236"
      4⤵
      PID:2476
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "692" "1240"
      4⤵
      PID:2292
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1440" "1232"
      4⤵
      PID:2740
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2232" "1228"
      4⤵
      PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259448549.txt

Filesize
1KB

MD5
2664b0fd4e213ecfbe4714fe382d8789

SHA1
c7c155dbaeac4d84388ddb71966773284df9a06d

SHA256
6a25978225aca29857feecf6c15a75ceb6c1b66fd26f2b79c169e8e5e6be7cc0

SHA512
2d800dc3cf266fd8831ad472e6f28cda52cc1b2673c7d30842e77f88e197b01dd9e2fafb782689adbbb4dda2191f6d78cd5774158e34ae0fde0cfd0d47a07341

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259463686.txt

Filesize
1KB

MD5
64f49ab0be4912b2e10bd83d572cab36

SHA1
f3ccf428173cdedd21fe10d15ec65e8d6c104f66

SHA256
8a8503c9dd3cd70e57a124c3355c20a01239a0a6e2a54a74323059791458177c

SHA512
7f10366b0cfd1e8c4e04a7a6df079aa0d42b123593c8ffbe9d7d1589ba173ec5f52919df0d61069b8327738e61ca2e16439a0ca0ba485bfa0a0947f8244b2aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259473670.txt

Filesize
1KB

MD5
d9049ac4515e7d2408c2073e4bdd4a62

SHA1
331ab5150a4fb707b860a9bc2ba516dbba860c58

SHA256
3ebad91071b9c24f64f91bf420d5abd5298cea05525c9469e0ccbdf3259e46d5

SHA512
9a68b1448a5aa1750896af863fc961e7ec1761ef5e0126ac220e0d4772a749aa79e1adf8739d30670fcc8622debe2b10d495e964edb004e887dcf9a2fb68d1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259490478.txt

Filesize
1KB

MD5
df23f7c655ca3cad4ec1ff61bed203a5

SHA1
652690eb6bca3785faeae08e28e7edb0ff7cb650

SHA256
fc151b8270593eb02d7bc82cea2ba2b9f03bcf0743efa7017a5fae17c67dfd16

SHA512
bbf7d2aa0439003b14df6dc27d18fa4822ae9e405a4e69da2e06fabacd5ff35e3a04174bcae08143ece44e81a12ff574ead9d9b196122d50d56fd24f1d262905

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259508316.txt

Filesize
1KB

MD5
99bc8fb7b5781f7bf327c9972ac8ccc6

SHA1
e8d58f70a77ef30729504453ef634ca7a7cc0588

SHA256
d3c124c80eb8a9612a925b0d47b26167290584ea79e28a91d1bdb00cae54d975

SHA512
ec7a1b6a16d1b69f2e343d10533a2654f5bb31a0e2dfaf5d297612d5737e19328e4c416366453a6b0000865910e209b707d5a0e8a9d0da79fc72e6be279ddfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259520664.txt

Filesize
1KB

MD5
e1c6430c2491d0256a9d23a689eb63a2

SHA1
520bd286d4d8675c61c2903b3f0cc7575a666ad9

SHA256
7ad24136cf6c5c1742438c12695140d95922a5fc6b42fd00887012313455d83e

SHA512
28a15415e203274e215127faa5b38e89315d7f46019032a4aea5e23c185423998836226caa6a2a25f89a757560523b628d0d20ee8757e3e8a2e5416b4a248ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259535579.txt

Filesize
1KB

MD5
c0504f5c3dbb12a154d1792d83afe4c7

SHA1
681a465157c4099c48f995602ec9e469d1c69c1e

SHA256
fdc8933a1c5925cc91b42fb8a306dc090c987df5fe058cf7d6fd36667ab4d95a

SHA512
d153d5e0d6f902f046628376af864807bc333acca6895795d6e54fd20eff61b5e25c71c43ec849e07c1e329f472c60d71ed5f61a22521d3dccbe08b32afec153

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259551253.txt

Filesize
1KB

MD5
2d67904462de3fbf539bffc17d572213

SHA1
3fa734b24309ee0bde6d61c24bdcbf6c1f97c0b2

SHA256
4d3a4a5d5887c3f6b33f2c0cf959793deca5756c63495b2335397b29982d07ba

SHA512
67023bdc4fdc70d812251b6c79ad7f16386be7aec6be28b998ae5e43e919095795d34a5f8f51a13ce676a5b3bf4cf62ba5591fb6d4dd273782c2f661f7110eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259565676.txt

Filesize
1KB

MD5
7520e916c96f7c2614cfd9524f62027f

SHA1
4d4eb0048e863789e9960dcc45d8453dee9606d7

SHA256
eab4b7ccc5408e31573c594c954e54d847c6b32a3c0c79199d42df8f5881064d

SHA512
cbf089804861ceb3e186de110ff5d84836f0dc0f72d924510d3b47d578443748c30790ba9f9d8eaea3e7bcb8665204bea3acd483455ade1a523d37de2c09ad18

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259579938.txt

Filesize
1KB

MD5
f75932d11cdc4b9e6acecbd7fa35ee19

SHA1
292b54b6986257ad486a6b5b7afe1ae6d6181354

SHA256
82a4e16be552e9d6fe4e371771d5494f3491f9bed4677250375bbced43f10721

SHA512
7d6a35272063a104ab4b3d9e8ef6e1bf211ab264bc91ab0574b9f8a058371675596793db20104ff8edb146184ce5dd78c2449657cb8787fbd8226625adf2c9d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3867223a96c9893cc9229d605ebb9cb5

SHA1
97279f9623106e5489d2b9640dde01a998621625

SHA256
7c3aeb044859792ac89a779747acbdc2ba6c586f4f5679211130b69c1e7c14dc

SHA512
a00b03689ac2d0e073b8e8a49d91cc9c84041167bc1ba285968e349f01c5a0a5ae3f01f96c06f2ab6d99e3555357d643aa6cf635a641ad4cfc5722b4c31a9f79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YJP1SDOPMVFHF0TYA6RR.temp

Filesize
7KB

MD5
3dbe7c15ea7ad2c4cf0a9b14e86e628c

SHA1
b2589f332d28caf83871d746ba638f59d2b64bd1

SHA256
a13a20975d7789755d8758c29ca4443dcc29237174e2d897c64788c734d49bd3

SHA512
f51e58be77ea355d9834a300d90aa6175fa0ad71f946bf24c26890d905079b8816992940f205e5c27a9a1a80fa9262ba9a93956017e4b8c0b4dcd902a486872e

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/2196-6-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2196-7-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download
memory/2196-8-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2624-18-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2624-17-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download