13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doc_874009379.vbe
Size

8KB
MD5

608aa4b6781b5333f940f9d0a933313f
SHA1

72282fe231e6e43d0785188e5e8509ff9bd59b8c
SHA256

13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc
SHA512

3dbf0e3538070a372adb492b771e8360b02f4f3c0cf09092493d0c9bf487eefb26a8ee3a468047f3f36b284f34325e21f6c77b7352ca9e38a20b53c092f2684c
SSDEEP

192:3eS9aNfePvTsC7kYna9INmRo4OCk01bB3K:tsmj7k4aaYRtOCLBa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2516	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2836	powershell.exe
2836	powershell.exe
2316	powershell.exe
2316	powershell.exe
1888	powershell.exe
1888	powershell.exe
2460	powershell.exe
2460	powershell.exe
2444	powershell.exe
2444	powershell.exe
1460	powershell.exe
1460	powershell.exe
2376	powershell.exe
2376	powershell.exe
2656	powershell.exe
2656	powershell.exe
2576	powershell.exe
2576	powershell.exe
1940	powershell.exe
1940	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 3056	2544	taskeng.exe	32
PID 2544 wrote to memory of 3056	2544	taskeng.exe	32
PID 2544 wrote to memory of 3056	2544	taskeng.exe	32
PID 3056 wrote to memory of 2836	3056	WScript.exe	34
PID 3056 wrote to memory of 2836	3056	WScript.exe	34
PID 3056 wrote to memory of 2836	3056	WScript.exe	34
PID 2836 wrote to memory of 2744	2836	powershell.exe	36
PID 2836 wrote to memory of 2744	2836	powershell.exe	36
PID 2836 wrote to memory of 2744	2836	powershell.exe	36
PID 3056 wrote to memory of 2316	3056	WScript.exe	38
PID 3056 wrote to memory of 2316	3056	WScript.exe	38
PID 3056 wrote to memory of 2316	3056	WScript.exe	38
PID 2316 wrote to memory of 348	2316	powershell.exe	40
PID 2316 wrote to memory of 348	2316	powershell.exe	40
PID 2316 wrote to memory of 348	2316	powershell.exe	40
PID 3056 wrote to memory of 1888	3056	WScript.exe	41
PID 3056 wrote to memory of 1888	3056	WScript.exe	41
PID 3056 wrote to memory of 1888	3056	WScript.exe	41
PID 1888 wrote to memory of 856	1888	powershell.exe	43
PID 1888 wrote to memory of 856	1888	powershell.exe	43
PID 1888 wrote to memory of 856	1888	powershell.exe	43
PID 3056 wrote to memory of 2460	3056	WScript.exe	44
PID 3056 wrote to memory of 2460	3056	WScript.exe	44
PID 3056 wrote to memory of 2460	3056	WScript.exe	44
PID 2460 wrote to memory of 2676	2460	powershell.exe	46
PID 2460 wrote to memory of 2676	2460	powershell.exe	46
PID 2460 wrote to memory of 2676	2460	powershell.exe	46
PID 3056 wrote to memory of 2444	3056	WScript.exe	47
PID 3056 wrote to memory of 2444	3056	WScript.exe	47
PID 3056 wrote to memory of 2444	3056	WScript.exe	47
PID 2444 wrote to memory of 1204	2444	powershell.exe	49
PID 2444 wrote to memory of 1204	2444	powershell.exe	49
PID 2444 wrote to memory of 1204	2444	powershell.exe	49
PID 3056 wrote to memory of 1460	3056	WScript.exe	50
PID 3056 wrote to memory of 1460	3056	WScript.exe	50
PID 3056 wrote to memory of 1460	3056	WScript.exe	50
PID 1460 wrote to memory of 2408	1460	powershell.exe	52
PID 1460 wrote to memory of 2408	1460	powershell.exe	52
PID 1460 wrote to memory of 2408	1460	powershell.exe	52
PID 3056 wrote to memory of 2376	3056	WScript.exe	53
PID 3056 wrote to memory of 2376	3056	WScript.exe	53
PID 3056 wrote to memory of 2376	3056	WScript.exe	53
PID 2376 wrote to memory of 2412	2376	powershell.exe	55
PID 2376 wrote to memory of 2412	2376	powershell.exe	55
PID 2376 wrote to memory of 2412	2376	powershell.exe	55
PID 3056 wrote to memory of 2656	3056	WScript.exe	56
PID 3056 wrote to memory of 2656	3056	WScript.exe	56
PID 3056 wrote to memory of 2656	3056	WScript.exe	56
PID 2656 wrote to memory of 2684	2656	powershell.exe	58
PID 2656 wrote to memory of 2684	2656	powershell.exe	58
PID 2656 wrote to memory of 2684	2656	powershell.exe	58
PID 3056 wrote to memory of 2576	3056	WScript.exe	59
PID 3056 wrote to memory of 2576	3056	WScript.exe	59
PID 3056 wrote to memory of 2576	3056	WScript.exe	59
PID 2576 wrote to memory of 1152	2576	powershell.exe	61
PID 2576 wrote to memory of 1152	2576	powershell.exe	61
PID 2576 wrote to memory of 1152	2576	powershell.exe	61
PID 3056 wrote to memory of 1940	3056	WScript.exe	62
PID 3056 wrote to memory of 1940	3056	WScript.exe	62
PID 3056 wrote to memory of 1940	3056	WScript.exe	62
PID 1940 wrote to memory of 1928	1940	powershell.exe	64
PID 1940 wrote to memory of 1928	1940	powershell.exe	64
PID 1940 wrote to memory of 1928	1940	powershell.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc_874009379.vbe"
1⤵
- Blocklisted process makes network request
PID:2516

C:\Windows\system32\taskeng.exe
taskeng.exe {0A154036-8F85-42C4-82BD-CC69037F8210} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2836" "1248"
      4⤵
      PID:2744
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2316" "1236"
      4⤵
      PID:348
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1888" "1244"
      4⤵
      PID:856
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2460" "1240"
      4⤵
      PID:2676
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2444" "1236"
      4⤵
      PID:1204
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1460" "1248"
      4⤵
      PID:2408
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2376" "1240"
      4⤵
      PID:2412
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2656" "1240"
      4⤵
      PID:2684
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2576" "1248"
      4⤵
      PID:1152
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1940" "1248"
      4⤵
      PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259440523.txt

Filesize
1KB

MD5
6640be1da1881850d29ba7aed3ec9b9a

SHA1
8f4e22fd195a08d01ab951e8bebe31e554fa6294

SHA256
8a2c30dd8e48bc6a5e911d0bcc8c283d7960b1eac82176c385e8f3ba2e3c4def

SHA512
05671f636fcc603ee64740848904c000dccd3454a20f2df7370ccf81ef4108490542370b9216597692b7706bc47ced18b3717ac2f541c658d314f3c61fee0ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259450760.txt

Filesize
1KB

MD5
51c96aa4ce76ea68e5824aa8b5a31ce4

SHA1
33bf3001ed40130b4433f5c043ee616ccf57613e

SHA256
aa7298a2e7ba260f83cadec75a192534d4affc8cdd717c25f634d1a62706f5fe

SHA512
906658ada18e40b87c7b8a1fca5175270efbec94fddb4a3e076ac95aa0d56eecede64cc6460d94de07bb2d1342700650006b10f1b29922d8af1d3ab552ed73f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259468801.txt

Filesize
1KB

MD5
3d41781b4e64d890d598ef991f7ec1e5

SHA1
4e12c19a77b04f01ff0a90403112fa1385bbb539

SHA256
15c08a03ccbbb39d0de9192b3ea08d6befc6fdaa99d00e96a95ebf600d18d873

SHA512
8b80fee31ba7024f7e0a2912382f5d271c676aedd9206b275dfeaf244672daa421369cccf9528559b2d867dff23753785cb68c284ff7986bc566578b630f06fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259485116.txt

Filesize
1KB

MD5
dd879febcc5a40e027e29a7291dcbf61

SHA1
4f4a9a499cf695546638c00069fa56dbe983de7a

SHA256
8f26f637781965127531d8b3c3797837f3c4c82c6c0ad7e1b5e02b12c4febee3

SHA512
eb59e5fd8f88239aadb0673f4ea8f1aa8d21fe154ea1e0706af4d5677d6f6f1dc8ce9fb8c00f8c694d7419a24e68e4a298c4b0f71847aac24d2fe2209aa2a6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259495715.txt

Filesize
1KB

MD5
f88e36fc46069f13154772c5d9a95690

SHA1
56e3ebaef5dcb0a3730f952cf6ea88c834c61bcb

SHA256
34385f5072351127ffc218911e45e15ef81dc3bfdeef4c462db9e6cdcf10bcb4

SHA512
d03117b5a2e7342b83b0dab40fde0ff252ec8a202e118ac80b55360e66a550f5321dcf48302db5c9629aa9739e679b9dcad92999d39b730b96d8149a4b2abc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259514364.txt

Filesize
1KB

MD5
3288342f84175ad34d89b6408b3063d2

SHA1
cc4d9e0c8cbff1be8ce5b430b06264517d93e20c

SHA256
3f38312520bc68bcc9d0ea018de7f4651514780ecbfbf98cbe6c16522dc85650

SHA512
2e14c62a408e6af83959aa8c5632ab8826ba50a1c0d5141bbaa6bb0385fc3d8b2cc6ccb26ee82683b596b27f3d32d64809f815fabd13d86aa4a56fcf969837ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259529788.txt

Filesize
1KB

MD5
d0f7fbd35a20d1c9da10e0009c89f39a

SHA1
a1b8d7b539119d01705123db22a35bfda82db141

SHA256
540d671b6dd066eaa97b1188ee668fd4e7f97bf4a70bb1f360b1a771e5ba23d1

SHA512
e2cd7fd199ae8ab3d69e7b1a9ff265d3324335d86c0d375f930f9a02336c54cfbd9b8ba6c4bbf1b2475665c09802cfcb3034ba16ff8edc95428eb2caa875350e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259545742.txt

Filesize
1KB

MD5
26c19dfb536e6dd359257f76049d60c9

SHA1
3cb93522863ac1163b55e9e5427ce466ef5027d9

SHA256
90a9ab8c57f43239960b190993281eae18c9866876f0681ff806f1c629c4257d

SHA512
c82cb68213b349c0553daf48a7d7e983d952a6b3c9be02081771656125a09a2f6796a0e81468267e64d79603b56dad17af23e377c4f076eaabe5874cf8c72e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259555647.txt

Filesize
1KB

MD5
5604c50e7bb07801ce1b8ff4be65d791

SHA1
96b3de80e31941e0a62d66fe05fc687e2abeeea4

SHA256
4cd36ad5422d12bce4d470c727d04218eea8cdd33badabe364a2aec22ce2ffa1

SHA512
67083416b8b747bb8db645c3fc9a90b6485d91d79ed7908c7ec557aba2a82a47b356407c2bdd56f3f667e52e1181caef9a5356af972957293e07221f8ec964ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259572092.txt

Filesize
1KB

MD5
41af9195eddc5fcc609b64f54afd2ffc

SHA1
aa54d55b2878c624099931301fcf5322803af01c

SHA256
46cc5bbeb0db0b7e57d315fbfaea21b128b6c2b70413297fbf796ec6b9b4e653

SHA512
1be8e9946293442a7b3c12a1a18a4f7d1e3093a864d361de047eb2ce9e2eca50de2777d91cca882a4282104d4f20f3690c56d309c04445c1d76f24e1e22b7ea3

Download Submit
C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs

Filesize
2KB

MD5
6892edb9f965b62befb2ef9a8b583b55

SHA1
fa825f6f1639d4f7a58e4b6a0e3d3b016a5194cf

SHA256
0dae80f252e22ede7270ecb5ee2142b9d711479595c71279201738b539d934c6

SHA512
e6ef2854016748f997e7a251f2a9e6cbe71906dd4f30bd72bc3478d08771a9261afd7a7ed1b52968135ea657f9c6886d0cb9b6e36a382db4f800fccebf09ecbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fe05679dea8b56c488247fe167e6330d

SHA1
cfefb021baac5308fbfc33d96de6f141cd5f27d5

SHA256
c2048e09ff4fad49abc2ab99befaee2fec3e3c6ef80cefbb5730c4b035e98dc9

SHA512
a9ef7565deb52bb9424b1585cb291e7ab7720ebe614957acab5c55bfa95c0e86cfcfb63ee9febb61814e5a1de446ff9c5acb48d2c925e0291f2e00183862d3c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7GB8XJXJPAZY3TO99R3H.temp

Filesize
7KB

MD5
d608d4aed549549387f9dcdd582fe3c7

SHA1
6252812c5ec07fd34e13668d03e3466df4c1ef48

SHA256
6610469728c93f700c5d08d46de38cfa37f3f5001ab7220086bdbaea1e46c48b

SHA512
32f93e943017c30856a49a6659a20a1f62fb1e50da759ec8b08ecb16f552e4bbcdf099737e1bd4248e4756748fdebc7ac6f175164625aa54aa231d639a30989e

Download Submit
memory/2316-18-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2316-17-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2836-6-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2836-7-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2836-8-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download