13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc

Analysis

max time kernel
136s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doc_874009379.vbe
Size

8KB
MD5

608aa4b6781b5333f940f9d0a933313f
SHA1

72282fe231e6e43d0785188e5e8509ff9bd59b8c
SHA256

13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc
SHA512

3dbf0e3538070a372adb492b771e8360b02f4f3c0cf09092493d0c9bf487eefb26a8ee3a468047f3f36b284f34325e21f6c77b7352ca9e38a20b53c092f2684c
SSDEEP

192:3eS9aNfePvTsC7kYna9INmRo4OCk01bB3K:tsmj7k4aaYRtOCLBa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1148	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2752	powershell.exe
2752	powershell.exe
2632	powershell.exe
2632	powershell.exe
3008	powershell.exe
3008	powershell.exe
836	powershell.exe
836	powershell.exe
2320	powershell.exe
2320	powershell.exe
1236	powershell.exe
1236	powershell.exe
848	powershell.exe
848	powershell.exe
592	powershell.exe
592	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2748	1836	taskeng.exe	32
PID 1836 wrote to memory of 2748	1836	taskeng.exe	32
PID 1836 wrote to memory of 2748	1836	taskeng.exe	32
PID 2748 wrote to memory of 2752	2748	WScript.exe	34
PID 2748 wrote to memory of 2752	2748	WScript.exe	34
PID 2748 wrote to memory of 2752	2748	WScript.exe	34
PID 2752 wrote to memory of 2668	2752	powershell.exe	36
PID 2752 wrote to memory of 2668	2752	powershell.exe	36
PID 2752 wrote to memory of 2668	2752	powershell.exe	36
PID 2748 wrote to memory of 2632	2748	WScript.exe	37
PID 2748 wrote to memory of 2632	2748	WScript.exe	37
PID 2748 wrote to memory of 2632	2748	WScript.exe	37
PID 2632 wrote to memory of 1132	2632	powershell.exe	39
PID 2632 wrote to memory of 1132	2632	powershell.exe	39
PID 2632 wrote to memory of 1132	2632	powershell.exe	39
PID 2748 wrote to memory of 3008	2748	WScript.exe	40
PID 2748 wrote to memory of 3008	2748	WScript.exe	40
PID 2748 wrote to memory of 3008	2748	WScript.exe	40
PID 3008 wrote to memory of 1328	3008	powershell.exe	42
PID 3008 wrote to memory of 1328	3008	powershell.exe	42
PID 3008 wrote to memory of 1328	3008	powershell.exe	42
PID 2748 wrote to memory of 836	2748	WScript.exe	43
PID 2748 wrote to memory of 836	2748	WScript.exe	43
PID 2748 wrote to memory of 836	2748	WScript.exe	43
PID 836 wrote to memory of 1796	836	powershell.exe	45
PID 836 wrote to memory of 1796	836	powershell.exe	45
PID 836 wrote to memory of 1796	836	powershell.exe	45
PID 2748 wrote to memory of 2320	2748	WScript.exe	46
PID 2748 wrote to memory of 2320	2748	WScript.exe	46
PID 2748 wrote to memory of 2320	2748	WScript.exe	46
PID 2320 wrote to memory of 1584	2320	powershell.exe	48
PID 2320 wrote to memory of 1584	2320	powershell.exe	48
PID 2320 wrote to memory of 1584	2320	powershell.exe	48
PID 2748 wrote to memory of 1236	2748	WScript.exe	49
PID 2748 wrote to memory of 1236	2748	WScript.exe	49
PID 2748 wrote to memory of 1236	2748	WScript.exe	49
PID 1236 wrote to memory of 1348	1236	powershell.exe	51
PID 1236 wrote to memory of 1348	1236	powershell.exe	51
PID 1236 wrote to memory of 1348	1236	powershell.exe	51
PID 2748 wrote to memory of 848	2748	WScript.exe	52
PID 2748 wrote to memory of 848	2748	WScript.exe	52
PID 2748 wrote to memory of 848	2748	WScript.exe	52
PID 848 wrote to memory of 816	848	powershell.exe	54
PID 848 wrote to memory of 816	848	powershell.exe	54
PID 848 wrote to memory of 816	848	powershell.exe	54
PID 2748 wrote to memory of 592	2748	WScript.exe	55
PID 2748 wrote to memory of 592	2748	WScript.exe	55
PID 2748 wrote to memory of 592	2748	WScript.exe	55
PID 592 wrote to memory of 1664	592	powershell.exe	57
PID 592 wrote to memory of 1664	592	powershell.exe	57
PID 592 wrote to memory of 1664	592	powershell.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc_874009379.vbe"
1⤵
- Blocklisted process makes network request
PID:1148

C:\Windows\system32\taskeng.exe
taskeng.exe {37908677-60DB-48EF-BCE6-B995C67B1B39} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2752" "1240"
      4⤵
      PID:2668
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2632" "1248"
      4⤵
      PID:1132
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "3008" "1240"
      4⤵
      PID:1328
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "836" "1248"
      4⤵
      PID:1796
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2320" "1240"
      4⤵
      PID:1584
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1236" "1248"
      4⤵
      PID:1348
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "848" "1236"
      4⤵
      PID:816
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "592" "1248"
      4⤵
      PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259472035.txt

Filesize
1KB

MD5
6bfc14ff6af644b31418f25d0cfbc472

SHA1
98207dce2fad6d6676cd058811706226cc035e86

SHA256
01b2fdd595a5cd6559127887ca1547e2b6f3fa6a1e9e17037a5ee55f9cb31136

SHA512
c8d34c86fa8b2e3a2405369520448443f2eda03bf685e9e2780cae3c1bb6439ea748f802fdbdab8eb96c8ee7be01e0a6a56350b04e07dbf259362128bd1570b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259481712.txt

Filesize
1KB

MD5
a06fd227febdb050f3ecc3e88a8f2750

SHA1
3001e2d1ad70b47179caff2002fff2d771489c90

SHA256
26277cc0b01381fb2cd1dc9001c1eff3cb6bae5fd2b887e788580d6f8b7fee21

SHA512
b03dde559d2afc8af1519ef4e9a6f59e108c438abd486640e75e3072473419d5bc1cd8b6e28021903ee0e08f6cc77ebf13b1b9cd1056774eb5a56a44efee9890

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259501716.txt

Filesize
1KB

MD5
0f63ac1e2c6258c568e78d7edf461061

SHA1
b28eb40f9665e3bb6486f11b2998c12f65684da0

SHA256
28331c0b96f663b10c5c0ef0baee9ac1d39e252e20fa292ba626b777a55d294a

SHA512
ccf53eadd68a6391261411492fd04af36d9ac400b12e4993139a606829adc552b07a0f7d5708b14a43615ed1eeacb2d6a4597a026480b0d8d971262a2cf07c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259515141.txt

Filesize
1KB

MD5
e44e6d97f86d84f7f82bb17aa7ac4da6

SHA1
d6f0436b2d12d15d07f2304758a70cbbdd177593

SHA256
da39cead8aad4d1e31366b7ae5a9b30ddc95fdf38047ef0343634a5b3d533174

SHA512
d9818cf8ad1746436ded7083b4953355db76d3a92a0b3282f080507673d009009cc5a8c0cad8545f4775e98ecf81f48cb0bdaf29b4bb77d2f293ca46914962ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259527276.txt

Filesize
1KB

MD5
d87b811d75f1cce0696b799f6ba28461

SHA1
9d7d62a8c6c7402cac4d6e8be0c29362baad1d17

SHA256
5fb3026e4d0a13c586d93ff22b20fcb0ad74b25a5acb28711a5b34652169df24

SHA512
4e4867fccd979e7d70d763ec0e4a6ac1ee22903c94742d398508583f1256243f2c8bcd1932c89580ade1ac9b95914fbb1307fcf5ae0678311adf17b7e67d259c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259543586.txt

Filesize
1KB

MD5
18246ec90e2349363d690ac40e0810e2

SHA1
4b41096fad1d965f3fd8ea322351aa98fc234df9

SHA256
9ddb2628d90b3b94d64b6e07abfafc435d16898e3a486d50a0ff8a9bbf458334

SHA512
bb51eb212e6cd46c21f029613061e49664153420bd26fc36e9d0ea751204899874870fd7b7bae18909d109e7a91c2672730d70dc677d4e4ecc571e6f12c8b852

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259559746.txt

Filesize
1KB

MD5
8a40d88e631cd286a601fba1f0eff292

SHA1
baa1ea7e773e040b880810d319739518259d92fe

SHA256
fef523d8fee1783d72bd136bb7e8c614e8d63fd280e6d21c736b4e75482d7ee8

SHA512
14370ca1853bf475e7f26bac8029b9d215fa58db7de61e90001ffa60b645e2bd3f5eec253e50fbae826e9d590331ebb3de3c9f6e66a2e9b4737afd1b07fe4295

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259575662.txt

Filesize
1KB

MD5
ec3a77c5cdb536b3e18ca5056b1b0a9f

SHA1
f851a2910db19349319052f7cfe896bf5916f0fd

SHA256
01db4365852af54cb00e3e07585480f138b794270058c66456e48ff328d8738e

SHA512
d3ba994092d0808c36b52f3e9ee55295a7f4e2e06d949dd42ecef985df103b564102c92dd1cfded7dffdb1b9431465f1ab4256dbda4b4c5cc53c0ca4b83d7b18

Download Submit
C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs

Filesize
2KB

MD5
6892edb9f965b62befb2ef9a8b583b55

SHA1
fa825f6f1639d4f7a58e4b6a0e3d3b016a5194cf

SHA256
0dae80f252e22ede7270ecb5ee2142b9d711479595c71279201738b539d934c6

SHA512
e6ef2854016748f997e7a251f2a9e6cbe71906dd4f30bd72bc3478d08771a9261afd7a7ed1b52968135ea657f9c6886d0cb9b6e36a382db4f800fccebf09ecbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
960fdddcb4e086d0467e800f82817dfa

SHA1
293e4bd59b4383aa1423a779f7f54e80182a1857

SHA256
faca0d13c83d2b3022bdbf20fcdc6cc38052026e0c24637be079fa3fe1140a9f

SHA512
d72791fe70e197a882d181faf1924de268d670441cfefbc1b1e1bdaacb13f9a3af8f743a9d6391ae4f35dd7833bb419e4e4cc6cf5f979c91fecb6e0660a5c6a1

Download Submit
memory/2632-17-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2632-16-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2752-7-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2752-6-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2752-8-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download