47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-01-2025 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de.vbs
Size

17KB
MD5

a7c2edb4d802f4195a1370be0063422b
SHA1

30c32d08e7ca9dd1fe3cede09700947530c53ee2
SHA256

47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de
SHA512

069ba00e62335b61550dca3c37422e054f5fb17cde5d7d8b999c2abcdbd8ea193daab3660afb2cf621ad2db43ea6c85f82cb69fe62dfe3f658d678048df5fafe
SSDEEP

384:bZEeqBbbhht0F0o9BHdJD/UgdSmqSy65TGd:bZEeqhhhtzorHdJD/UgdSmqSy65TGd

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1636	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2684	powershell.exe
2684	powershell.exe
1744	powershell.exe
1744	powershell.exe
2964	powershell.exe
2964	powershell.exe
2176	powershell.exe
2176	powershell.exe
820	powershell.exe
820	powershell.exe
2524	powershell.exe
2524	powershell.exe
2144	powershell.exe
2144	powershell.exe
2540	powershell.exe
2540	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 1636	796	WScript.exe	29
PID 796 wrote to memory of 1636	796	WScript.exe	29
PID 796 wrote to memory of 1636	796	WScript.exe	29
PID 2672 wrote to memory of 2700	2672	taskeng.exe	31
PID 2672 wrote to memory of 2700	2672	taskeng.exe	31
PID 2672 wrote to memory of 2700	2672	taskeng.exe	31
PID 2700 wrote to memory of 2684	2700	WScript.exe	33
PID 2700 wrote to memory of 2684	2700	WScript.exe	33
PID 2700 wrote to memory of 2684	2700	WScript.exe	33
PID 2684 wrote to memory of 1808	2684	powershell.exe	35
PID 2684 wrote to memory of 1808	2684	powershell.exe	35
PID 2684 wrote to memory of 1808	2684	powershell.exe	35
PID 2700 wrote to memory of 1744	2700	WScript.exe	36
PID 2700 wrote to memory of 1744	2700	WScript.exe	36
PID 2700 wrote to memory of 1744	2700	WScript.exe	36
PID 1744 wrote to memory of 2996	1744	powershell.exe	38
PID 1744 wrote to memory of 2996	1744	powershell.exe	38
PID 1744 wrote to memory of 2996	1744	powershell.exe	38
PID 2700 wrote to memory of 2964	2700	WScript.exe	39
PID 2700 wrote to memory of 2964	2700	WScript.exe	39
PID 2700 wrote to memory of 2964	2700	WScript.exe	39
PID 2964 wrote to memory of 1668	2964	powershell.exe	41
PID 2964 wrote to memory of 1668	2964	powershell.exe	41
PID 2964 wrote to memory of 1668	2964	powershell.exe	41
PID 2700 wrote to memory of 2176	2700	WScript.exe	42
PID 2700 wrote to memory of 2176	2700	WScript.exe	42
PID 2700 wrote to memory of 2176	2700	WScript.exe	42
PID 2176 wrote to memory of 2548	2176	powershell.exe	44
PID 2176 wrote to memory of 2548	2176	powershell.exe	44
PID 2176 wrote to memory of 2548	2176	powershell.exe	44
PID 2700 wrote to memory of 820	2700	WScript.exe	45
PID 2700 wrote to memory of 820	2700	WScript.exe	45
PID 2700 wrote to memory of 820	2700	WScript.exe	45
PID 820 wrote to memory of 864	820	powershell.exe	47
PID 820 wrote to memory of 864	820	powershell.exe	47
PID 820 wrote to memory of 864	820	powershell.exe	47
PID 2700 wrote to memory of 2524	2700	WScript.exe	48
PID 2700 wrote to memory of 2524	2700	WScript.exe	48
PID 2700 wrote to memory of 2524	2700	WScript.exe	48
PID 2524 wrote to memory of 1072	2524	powershell.exe	50
PID 2524 wrote to memory of 1072	2524	powershell.exe	50
PID 2524 wrote to memory of 1072	2524	powershell.exe	50
PID 2700 wrote to memory of 2144	2700	WScript.exe	51
PID 2700 wrote to memory of 2144	2700	WScript.exe	51
PID 2700 wrote to memory of 2144	2700	WScript.exe	51
PID 2144 wrote to memory of 1720	2144	powershell.exe	53
PID 2144 wrote to memory of 1720	2144	powershell.exe	53
PID 2144 wrote to memory of 1720	2144	powershell.exe	53
PID 2700 wrote to memory of 2540	2700	WScript.exe	54
PID 2700 wrote to memory of 2540	2700	WScript.exe	54
PID 2700 wrote to memory of 2540	2700	WScript.exe	54
PID 2540 wrote to memory of 2844	2540	powershell.exe	56
PID 2540 wrote to memory of 2844	2540	powershell.exe	56
PID 2540 wrote to memory of 2844	2540	powershell.exe	56
PID 2700 wrote to memory of 2492	2700	WScript.exe	57
PID 2700 wrote to memory of 2492	2700	WScript.exe	57
PID 2700 wrote to memory of 2492	2700	WScript.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47fb37d285424a155defa75f5788442f68228ca67cf3e07d156f10c9b621e2de.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\out.vbe"
  2⤵
  - Blocklisted process makes network request
  PID:1636

C:\Windows\system32\taskeng.exe
taskeng.exe {E8F5B58C-9F00-4686-A0B8-26E23C91BCA7} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\qSqOPawvHoBdGel.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2684" "1252"
      4⤵
      PID:1808
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1744" "1256"
      4⤵
      PID:2996
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2964" "1252"
      4⤵
      PID:1668
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2176" "1252"
      4⤵
      PID:2548
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "820" "1252"
      4⤵
      PID:864
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2524" "1252"
      4⤵
      PID:1072
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2144" "1248"
      4⤵
      PID:1720
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2540" "1252"
      4⤵
      PID:2844
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    PID:2492

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StopCompare.snd"
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\out.vbe

Filesize
8KB

MD5
1f728a1a3707688ff942828693fe5087

SHA1
b3b101a73eb95afccecd9134d59749af8172c88d

SHA256
8a9fe12c582a9899f79fa0a40befd9fd5a29fa41d4143ad6da9725c8a5aa5306

SHA512
fea26ab73e9ce1ccfa16a1df052bd049b0a9376fdd63480f596858963dbb900edb1840586c0ebce9b220340be880e12bec229d28c166d5e8bfe9afe6fc288aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259573337.txt

Filesize
1KB

MD5
44e434d4df147b31755b4378086408f0

SHA1
a3ecb0bceaff92d8c9c861b3a28b533cb0afe376

SHA256
f5d9ea17a9c3bf07ca29990aa8d26e77881e5041be054d96169c655aeb417b03

SHA512
407bccfcda7a0c34c6938b3b9cd1a86e0520f45e87dc6498cecf7482483b916b862ea6103f452068ecd117efeb32eeac13a6a08bbf5694967f72ca03f0e69296

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259591309.txt

Filesize
1KB

MD5
6e1f4ace0192f56bd43bfa729c73c2ec

SHA1
3159718ed1a0ea1e349ec24845cbd0c8752801c1

SHA256
74b719c4b82e3187777179514a94bd1c557ce25d8b9476fa3bff4233e33cf082

SHA512
7977f74b2772dc0f9738ceec800b060076270f1e123802603d162cf0391cb95e7d6ad802fc94cf4a0170d6abb146dfb7054eed0ea59889c00818f172d7dca65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259606739.txt

Filesize
1KB

MD5
0bfb94526bfee54586c110d790272617

SHA1
5288810aa5ca8c11f8b7cd14439e4e5129f8db69

SHA256
0568de6603c4aabf9b7683d67376cd52393c6e0a3581b7cd7a806f28befe7c30

SHA512
b77ea261a0cd453c69b350cf7c8268b1f7ae7b4fdc982f99b7696cfa723cc4c88bc88a4f079326386d62b610d7c975919ea51fda75bbb4ec83c34fb72ba52fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259623049.txt

Filesize
1KB

MD5
3286dad21b748e7f942f9c9b085e8a2a

SHA1
0e5039b432778e8f824bd872995f4ef1286a61fe

SHA256
373122f23fc73d306dd0c126c0c80c66eabb56547f8acc1eb78f70c144cd2e3e

SHA512
aed92db3e18ac2a57384ab75b028d04dc377451ddd2fc6f86a49ae360e8a835a4b5c6ca0585fc1e657757f739bbe62a7a90da0365e692c791b0259a100f48950

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259635233.txt

Filesize
1KB

MD5
845944c9234af87eb6bfcabb9ccac556

SHA1
e2b844bb203e755b121bbd0aed20a87c55c9b2d9

SHA256
0db4da5f5a62976c4905a49115a696777080846bda58b5f0d5eea8b77866745c

SHA512
c606a56ba3081f17d6d56c09b9f258594364dbee5454985d12f4f7a37c2393f0fcc084455d312200d59f516375c6f9f748963838857b941f882774daae5198f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259653474.txt

Filesize
1KB

MD5
81a46443c582a704f2b60c93bd75036b

SHA1
0e6d7cd8489ec2583db9b54890077d7c25044e93

SHA256
2481e45e93cf98dd9d592e29370317264acbd422403c678bdf34e52d279f1c0b

SHA512
c2ab588b653d276b1a15184c1c66b330e9421a787818479123348be13be6108fcd51070801c8075d4eef1415718700d00a3054f12b2ca1db6717dc0cfbd37285

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259668676.txt

Filesize
1KB

MD5
8a28ef323b70ae3f01b2033ac69db345

SHA1
b6cbdf76827316bdad879b553847e2e06f6d96ad

SHA256
2610e5d01be7490a3cca28b5123adf36d889b0bf244b7755e6ed99b3b7bd7aa6

SHA512
7252298a387c62c73d9fe37bd618389805ba13dac7b38863704511fef09e0dc2b1d222437d17053e24e0f2eb73b93077a101f24810d1be4d0179ee1bbdfd8a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259679759.txt

Filesize
1KB

MD5
beee6ea6e8cf62522e481cb7796444d6

SHA1
1deeb6928d548e9f25c6ab7861066783b9a20139

SHA256
c01a429a90f66ac6e5ba8820a5d93d86f0d69121cfd0d4bc3545ecdb2ca88302

SHA512
cfa72671be1698aa3df4e63d406564d7d3c13b423b808434cbd8c674c1e5006628a75da53539b1d7b7015d2c3ba0e4846eb5fbab98514ef56943a824364df7ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e8d4cc740cde9bbfcf2f27070b36315d

SHA1
6249a6c0059897c83edb70419239541e7d626d0f

SHA256
ac0cfcf63358a7bbf8ceef26bb61c36309911f3d1269121b73e0c5e1bfbfe61b

SHA512
2bf2ddcd5c9d1c907bab78ae18484580fc133500d09cdd48f734629d5491d43f26c13ac2c524b5fa2b595a169c3384b7fbdca56f4ee5f50fd23b5eda938e80bd

Download Submit
C:\Users\Admin\AppData\Roaming\qSqOPawvHoBdGel.vbs

Filesize
2KB

MD5
a27ccb57ff1d5685f3b744f83ae76ceb

SHA1
be394b0554203ad342bd5b86a3f549577cdc7ea4

SHA256
dcbcc67a49fd29985c87993db391ab12dbc531a15b24cbc7149bd74adea174fc

SHA512
6fc2b6eaf3cf055206e1253654bf8542dabebab4159f0fd049e800bce4a2f9c3638ed0e754e695e079f6baed9267db72f5c41a3b5393fd521419adb1e40e3613

Download Submit
memory/1744-20-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/1744-19-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/2684-11-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2684-10-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2684-9-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download