1a8d599848e922f122bf3ab673b87369f05eb2746d0b6b0833aefb137341d58b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documt736098.vbe
Size

9KB
MD5

8113e63e2ba4ac63a4621b2d9441524d
SHA1

05b433f2cfb14f9d1ec947e32a496c45a2cfa22a
SHA256

d5d3a7f4ca9b374465da72f550cc5a04e751c6a4ed18ab917a304318a9b4409b
SHA512

730e21b73e6320146c53dd9092246578a476b24efb6dbcd902e905df05039274cd2adf76293e54e1d9a3cb01e88d3800db867597bbffd979ecfea5729d4d62d9
SSDEEP

192:egjmLPbnOqiR2jutyT8vPka6hfuIMynp9KAvPxK:tjcPbg2+yT8HkaTTqp0AvQ

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2012	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2984	powershell.exe
2984	powershell.exe
2732	powershell.exe
2732	powershell.exe
984	powershell.exe
984	powershell.exe
2176	powershell.exe
2176	powershell.exe
2124	powershell.exe
2124	powershell.exe
1980	powershell.exe
1980	powershell.exe
1928	powershell.exe
1928	powershell.exe
1704	powershell.exe
1704	powershell.exe
2844	powershell.exe
2844	powershell.exe
2948	powershell.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 264	2796	taskeng.exe	32
PID 2796 wrote to memory of 264	2796	taskeng.exe	32
PID 2796 wrote to memory of 264	2796	taskeng.exe	32
PID 264 wrote to memory of 2984	264	WScript.exe	34
PID 264 wrote to memory of 2984	264	WScript.exe	34
PID 264 wrote to memory of 2984	264	WScript.exe	34
PID 2984 wrote to memory of 2840	2984	powershell.exe	36
PID 2984 wrote to memory of 2840	2984	powershell.exe	36
PID 2984 wrote to memory of 2840	2984	powershell.exe	36
PID 264 wrote to memory of 2732	264	WScript.exe	37
PID 264 wrote to memory of 2732	264	WScript.exe	37
PID 264 wrote to memory of 2732	264	WScript.exe	37
PID 2732 wrote to memory of 2900	2732	powershell.exe	39
PID 2732 wrote to memory of 2900	2732	powershell.exe	39
PID 2732 wrote to memory of 2900	2732	powershell.exe	39
PID 264 wrote to memory of 984	264	WScript.exe	40
PID 264 wrote to memory of 984	264	WScript.exe	40
PID 264 wrote to memory of 984	264	WScript.exe	40
PID 984 wrote to memory of 1592	984	powershell.exe	42
PID 984 wrote to memory of 1592	984	powershell.exe	42
PID 984 wrote to memory of 1592	984	powershell.exe	42
PID 264 wrote to memory of 2176	264	WScript.exe	43
PID 264 wrote to memory of 2176	264	WScript.exe	43
PID 264 wrote to memory of 2176	264	WScript.exe	43
PID 2176 wrote to memory of 2292	2176	powershell.exe	45
PID 2176 wrote to memory of 2292	2176	powershell.exe	45
PID 2176 wrote to memory of 2292	2176	powershell.exe	45
PID 264 wrote to memory of 2124	264	WScript.exe	46
PID 264 wrote to memory of 2124	264	WScript.exe	46
PID 264 wrote to memory of 2124	264	WScript.exe	46
PID 2124 wrote to memory of 1068	2124	powershell.exe	48
PID 2124 wrote to memory of 1068	2124	powershell.exe	48
PID 2124 wrote to memory of 1068	2124	powershell.exe	48
PID 264 wrote to memory of 1980	264	WScript.exe	49
PID 264 wrote to memory of 1980	264	WScript.exe	49
PID 264 wrote to memory of 1980	264	WScript.exe	49
PID 1980 wrote to memory of 2392	1980	powershell.exe	51
PID 1980 wrote to memory of 2392	1980	powershell.exe	51
PID 1980 wrote to memory of 2392	1980	powershell.exe	51
PID 264 wrote to memory of 1928	264	WScript.exe	52
PID 264 wrote to memory of 1928	264	WScript.exe	52
PID 264 wrote to memory of 1928	264	WScript.exe	52
PID 1928 wrote to memory of 2524	1928	powershell.exe	54
PID 1928 wrote to memory of 2524	1928	powershell.exe	54
PID 1928 wrote to memory of 2524	1928	powershell.exe	54
PID 264 wrote to memory of 1704	264	WScript.exe	55
PID 264 wrote to memory of 1704	264	WScript.exe	55
PID 264 wrote to memory of 1704	264	WScript.exe	55
PID 1704 wrote to memory of 1424	1704	powershell.exe	57
PID 1704 wrote to memory of 1424	1704	powershell.exe	57
PID 1704 wrote to memory of 1424	1704	powershell.exe	57
PID 264 wrote to memory of 2844	264	WScript.exe	58
PID 264 wrote to memory of 2844	264	WScript.exe	58
PID 264 wrote to memory of 2844	264	WScript.exe	58
PID 2844 wrote to memory of 1488	2844	powershell.exe	60
PID 2844 wrote to memory of 1488	2844	powershell.exe	60
PID 2844 wrote to memory of 1488	2844	powershell.exe	60
PID 264 wrote to memory of 2948	264	WScript.exe	61
PID 264 wrote to memory of 2948	264	WScript.exe	61
PID 264 wrote to memory of 2948	264	WScript.exe	61
PID 2948 wrote to memory of 2932	2948	powershell.exe	63
PID 2948 wrote to memory of 2932	2948	powershell.exe	63
PID 2948 wrote to memory of 2932	2948	powershell.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Documt736098.vbe"
1⤵
- Blocklisted process makes network request
PID:2012

C:\Windows\system32\taskeng.exe
taskeng.exe {ABC760ED-A9AF-4D62-AA66-A932F530F761} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2984" "1232"
      4⤵
      PID:2840
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2732" "1240"
      4⤵
      PID:2900
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "984" "1240"
      4⤵
      PID:1592
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2176" "1240"
      4⤵
      PID:2292
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2124" "1232"
      4⤵
      PID:1068
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1980" "1236"
      4⤵
      PID:2392
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1928" "1240"
      4⤵
      PID:2524
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1704" "1244"
      4⤵
      PID:1424
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2844" "1236"
      4⤵
      PID:1488
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2948" "1240"
      4⤵
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259451717.txt

Filesize
1KB

MD5
1039529ff2703153cd3c6405a8c424dd

SHA1
2f2ee515203e8e86542495711913f83bcef6a37f

SHA256
f3616eb314b289919f9f706f8216277799a202458b34867dd970086c7c9b67e9

SHA512
db72a259824b80ce9e571670ad82e222ff1f87217546fe6de57eccc13f7759528181769f6ba64cc8d7cd13804f4658b2555b957253cca976bcaee5dd1fe2b0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259461408.txt

Filesize
1KB

MD5
28cb8f088a757333f607465940bc874f

SHA1
5b40566029447a012b74e0c75d2689428282904f

SHA256
53cfa180e2658550e76f23bbcc36a6135ba2e37b2cb1a1c1d5a84b970153dfc2

SHA512
74b1a3ef1e0a24535d9b88d70bb268c33a5438906da70ad7f5be9cd6f3bbebc8ce7f1ed03b5e254d6c5754c7957bd5a59681702fdf9a835ca0b71072aaba1905

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259479076.txt

Filesize
1KB

MD5
922277e9aa25c961de33abbad56412c1

SHA1
45570a9a0fa6429d7bc1b0ebaf7627480552ce68

SHA256
9bb40ddb088cf6fd2b647f6481a99dc09f70c06cc4347b0823a64d733ade23ae

SHA512
2b59e1c4a3ba96da2b2c4aa0e0ce5b11ee6a48c750dd7c8404fc4c7ecd8e41f7e54f0a9ca4ca6f16b86267b21c319d0240436957ce0b37a629ebefdcc22b0ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259496376.txt

Filesize
1KB

MD5
b4092befe150eed86c6da51fc7f6d164

SHA1
bee0a540ef6cdc636ae52aa662412e640a04c834

SHA256
4283c9cb28980b3a480694d08ba3f795336f760db2e7ceed708db326d198da59

SHA512
3582255079c887b6b6f2b34f20b66564472d561d5d3515bde31f157812d2ff03f2f109429d0f806de84d2c1d7601f21821fdf52eecb438b8d14f59b1bd9ac2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259507305.txt

Filesize
1KB

MD5
9fbb26577b54e64c9b72ae565d174f65

SHA1
c2f3bf28523f5c34c248401b7c169b4b61f55848

SHA256
47eba118ae88f607005a83613eab20f2b9cbf6ed6c7aa871abcb3d57c3444797

SHA512
66b2ffcc2ab1c34568ecfb3f97498243c1be76061ac264d54b70514c285d10f1dbf5575524cc8bcc465b863def064b2a3b577cf05c70825165687ae0152272cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259522797.txt

Filesize
1KB

MD5
ac3df18243ccdca9386e83bdc42b5283

SHA1
a9e0508374f501043288156ba7bd13fbc63b8a74

SHA256
aa42bce23317e63ac27119ac70195b299cb7641395b17941e94bc4fa21ebe9e7

SHA512
ad9ff31c56f17fb91020314954c06276cfc54506f7e6f31f6b7e5e8f7448177686a0205102753cdf13b87a5485467dfdf70cbcd016a79326409d108aa72c0a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259540244.txt

Filesize
1KB

MD5
0ddd1af2d58a32e2583a4037f8d5f27b

SHA1
55be9eaac352298927fc2be97ba9ac3fb29561b8

SHA256
70ed340053b5f459d30f0b7f4ceb6788c6f4763f68fa3a66e1d52111dffb5903

SHA512
623f7af70d84834537e264971d04be6e5ff4eadd8927db08bff86c28e248ffc9fc6e15a67dfffb8309d7bcfc56d0aa19058e363df5a08ccde7ada672b3f91672

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259554097.txt

Filesize
1KB

MD5
ed3773b28e4746299bb75708d2636061

SHA1
821cc3e4dc2824aa0670c9dcf1c0b9bc0e5f4bd2

SHA256
204c86e24019e4aa2c413f7af0cb13631468740ab85b59bdf01075cccd3b37a3

SHA512
292a2fd87ed21995e2e361c9f84d33f3ce5a12efb9fc16e25a67bec68e6425602da47cdf9953c8922095ff739befac6d78cd666cfb21f6c40090a7bfbf40351a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259568420.txt

Filesize
1KB

MD5
d3b4b064da957ee51d85b399dc6e111b

SHA1
887f19708399f4345b9da14cf6d6a0d94a398da9

SHA256
e2a45c9bebbcdec49b55862dcdb35544db2e499f91de887f16fdcbab0265c9eb

SHA512
2b126d272051428b9645d4331b74bac639d3d735f0b58583a6db98ea37d5670be3b249455f846400a3ac79251e28479b45d61869cffdb207656c88495f95ba92

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259586102.txt

Filesize
1KB

MD5
0d922425e47858b48bf7c371cb933b50

SHA1
e40441497feb954bb947823fe13adb9b08ffcd38

SHA256
5702a1f411cb753882e59a40c0498a038667882204249fb57595fe6eb990e065

SHA512
ee1473ae079691d72c6b705fa3cb27778faf57615542f14851ddac7479d33d5b574af695199baab26d02a41ea9a0dfb98b2fbb5d4bab951098d2fc92d274534c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\58UU4G3OMYQKS80LUEAM.temp

Filesize
7KB

MD5
330e79d304bf86f45f66781fd7b080e9

SHA1
b750a8dd8101ddbe99a4bb82e8125b7850d2c0fd

SHA256
5aae282c15f296788c7d0bfc63e4e2e9d137e6c074dcf97e278471780e329dda

SHA512
d4444df72401540910722caca7511726ddc5f2a2be8b562edd6062d49b64926dd6fd372302929cc356188013792a10d5ebc10b92add7ff0112f4ec9f9ff7fdf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5e13fdd3cc9000cb4851aa3e80d4fe09

SHA1
7c91d7d9eef3deaae171ff809c5e281cdd7005a2

SHA256
3fff311c29472e55fe5b47397bf2198c7607fa0d13fd69815a4a3c62c857b4e6

SHA512
5229391d1ee763698efd5286e3e9c79214447474c90803cc8c87cc213ff4c244dc9477a0747fc293ff902d29ba69180ace50afd9380f6972402e6c7e0f75057b

Download Submit
C:\Users\Admin\AppData\Roaming\TJtBPNdaqSLLBQi.vbs

Filesize
2KB

MD5
78fdde7d507d9d64ddd3808c52231caa

SHA1
cd989a13a2f92c404ddd56f9b9126e529b091f74

SHA256
0c26896cb8ca3eaa7e009abac4eff302f5a8fd312f987a2d802bdf4d67c0fd0a

SHA512
d77b609a544ee038e2673201d756b2a8f486a288ca0df10d1161f1516982405a7ed075c84b16d4f3ff1bde7a8ee21797e51df6e576e7ea0b85ae9835f534321a

Download Submit
memory/2732-18-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2732-17-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-6-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2984-7-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

Filesize
32KB

Download
memory/2984-8-0x0000000002A50000-0x0000000002A58000-memory.dmp

Filesize
32KB

Download