6dff95543349b52e92d24de0cec7a689dcc3e298dbcda9f92c9386af99351b1b

Analysis

max time kernel
136s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doc_LOI.vbe
Size

8KB
MD5

608aa4b6781b5333f940f9d0a933313f
SHA1

72282fe231e6e43d0785188e5e8509ff9bd59b8c
SHA256

13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc
SHA512

3dbf0e3538070a372adb492b771e8360b02f4f3c0cf09092493d0c9bf487eefb26a8ee3a468047f3f36b284f34325e21f6c77b7352ca9e38a20b53c092f2684c
SSDEEP

192:3eS9aNfePvTsC7kYna9INmRo4OCk01bB3K:tsmj7k4aaYRtOCLBa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	1956	WScript.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2636	powershell.exe
2636	powershell.exe
2916	powershell.exe
2916	powershell.exe
2980	powershell.exe
2980	powershell.exe
2480	powershell.exe
2480	powershell.exe
1712	powershell.exe
1712	powershell.exe
1748	powershell.exe
1748	powershell.exe
1688	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2784	2848	taskeng.exe	32
PID 2848 wrote to memory of 2784	2848	taskeng.exe	32
PID 2848 wrote to memory of 2784	2848	taskeng.exe	32
PID 2784 wrote to memory of 2636	2784	WScript.exe	34
PID 2784 wrote to memory of 2636	2784	WScript.exe	34
PID 2784 wrote to memory of 2636	2784	WScript.exe	34
PID 2636 wrote to memory of 676	2636	powershell.exe	36
PID 2636 wrote to memory of 676	2636	powershell.exe	36
PID 2636 wrote to memory of 676	2636	powershell.exe	36
PID 2784 wrote to memory of 2916	2784	WScript.exe	37
PID 2784 wrote to memory of 2916	2784	WScript.exe	37
PID 2784 wrote to memory of 2916	2784	WScript.exe	37
PID 2916 wrote to memory of 756	2916	powershell.exe	39
PID 2916 wrote to memory of 756	2916	powershell.exe	39
PID 2916 wrote to memory of 756	2916	powershell.exe	39
PID 2784 wrote to memory of 2980	2784	WScript.exe	40
PID 2784 wrote to memory of 2980	2784	WScript.exe	40
PID 2784 wrote to memory of 2980	2784	WScript.exe	40
PID 2980 wrote to memory of 2380	2980	powershell.exe	42
PID 2980 wrote to memory of 2380	2980	powershell.exe	42
PID 2980 wrote to memory of 2380	2980	powershell.exe	42
PID 2784 wrote to memory of 2480	2784	WScript.exe	43
PID 2784 wrote to memory of 2480	2784	WScript.exe	43
PID 2784 wrote to memory of 2480	2784	WScript.exe	43
PID 2480 wrote to memory of 2328	2480	powershell.exe	45
PID 2480 wrote to memory of 2328	2480	powershell.exe	45
PID 2480 wrote to memory of 2328	2480	powershell.exe	45
PID 2784 wrote to memory of 1712	2784	WScript.exe	46
PID 2784 wrote to memory of 1712	2784	WScript.exe	46
PID 2784 wrote to memory of 1712	2784	WScript.exe	46
PID 1712 wrote to memory of 1028	1712	powershell.exe	48
PID 1712 wrote to memory of 1028	1712	powershell.exe	48
PID 1712 wrote to memory of 1028	1712	powershell.exe	48
PID 2784 wrote to memory of 1748	2784	WScript.exe	49
PID 2784 wrote to memory of 1748	2784	WScript.exe	49
PID 2784 wrote to memory of 1748	2784	WScript.exe	49
PID 1748 wrote to memory of 2024	1748	powershell.exe	51
PID 1748 wrote to memory of 2024	1748	powershell.exe	51
PID 1748 wrote to memory of 2024	1748	powershell.exe	51
PID 2784 wrote to memory of 1688	2784	WScript.exe	52
PID 2784 wrote to memory of 1688	2784	WScript.exe	52
PID 2784 wrote to memory of 1688	2784	WScript.exe	52
PID 1688 wrote to memory of 1504	1688	powershell.exe	54
PID 1688 wrote to memory of 1504	1688	powershell.exe	54
PID 1688 wrote to memory of 1504	1688	powershell.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc_LOI.vbe"
1⤵
- Blocklisted process makes network request
PID:1956

C:\Windows\system32\taskeng.exe
taskeng.exe {6BF1647A-4796-43F0-A87F-C5F31BFBEA99} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2636" "1236"
      4⤵
      PID:676
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2916" "1252"
      4⤵
      PID:756
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2980" "1236"
      4⤵
      PID:2380
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2480" "1228"
      4⤵
      PID:2328
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1712" "1236"
      4⤵
      PID:1028
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1748" "1240"
      4⤵
      PID:2024
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1688" "1240"
      4⤵
      PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259478372.txt

Filesize
1KB

MD5
0976c8e518029c2f2dad8e0203d33f7c

SHA1
697777a6e67feaf2f7baacff3f30e3a8e90746ab

SHA256
4869b8ad139077654e834b7cdfe032515b9ceb659d3f7565eae3b0619a7a2676

SHA512
6b02fa3aa058a19420f467f00863be7a64f32baf7d2520157ee18e570d508de67df5958d52d019c3135acd6ff13a8bcae8d995660ed74c7abdbd233418da4bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259496082.txt

Filesize
1KB

MD5
0d35d0a10b8fffb366c62f1dab08bed9

SHA1
4dd9cb150387da7d94f37b2b4d16983b1c8bbd78

SHA256
60a39e337de8f6f302a42ce3367a85d1ce52b1e0cd43160d962cda90b6334170

SHA512
7ff665a9e478ee406992eb23224ef7ac8b31670ec36a1046bdffce39b13d32146a8ee83dcfed06c2dc430ea145418f530bf21d505c43d7e898ff33e005461723

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259507349.txt

Filesize
1KB

MD5
455913e7a584fbeb0a9ff9315981f514

SHA1
d2c14df0959ef84f9fba0ca3c1af817feffed5db

SHA256
a0f1c1581ce3bb4810bc83b6318030a13d60af77f88f794ca99a486277197fe2

SHA512
c65dee5833ad56706a2bfad60c651244e6911b93a7c565549aa4c8ab6242ad2e6e00fa23ca2e4bda601db4b8a907f5890b4ee4d9083cbb501e03ed184a140def

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259523388.txt

Filesize
1KB

MD5
e2390e5b7b17b45858fefc361ec8c1a9

SHA1
c8c26ea57d938608d86e30b3d658bf3f0a623919

SHA256
ac2f9d26ea9df1549dc3c9ca8bcd7d812b5a5d925b01d8f8013ed773504b5654

SHA512
26dcdab96a5aed56bf23611b3c9c0e14f6b8509f887342733c4e6eec3d03da3802eb2a165165562e04ea90272b77531cca56fe7157aa45fee389b91d818590a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259539155.txt

Filesize
1KB

MD5
5c2a1aaead579972acc5226d75354017

SHA1
fa283f7c8a2f293b06f509244147f237eadf835f

SHA256
6a4082051724724306252c04843991236f044660409e24951881b520d7cddb9b

SHA512
50ad75a401b41de0bc3bdad785646c93ca64843762adce189b1e6cf012ef6001c0e1692cb0aa4d41e531054436d92a98bed524ae179d0d8354732a643a01b053

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259557242.txt

Filesize
1KB

MD5
b33d55f57731bd8ae39925a26484cb63

SHA1
8bc6a3b1defdabfabcd7669695991aeaef8e74ec

SHA256
4eaa5948acdd5ee22f9941a2da6db2fdcfb37ca8184441c48d62618d98d64274

SHA512
e64d8bff595cb76e9a25155ad1b63cf3cc457fe6bd21307888d4bc576c0727c804be785b95e57ea1bc973a1265957eb51c2147d68bb5640c23f6fd9135f7ca4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259570607.txt

Filesize
1KB

MD5
97b1b1a6f7502e100b5e12de89fc9927

SHA1
bd344df165d80d3fe9121480ae042ab3c3dd7ab8

SHA256
bed2e0fafb4ba8aa3410a9b3825c2251aa399c82a9b77329d1b21383f48b6a2f

SHA512
9dc32fe0ab32f52867879c5c02303871a112c7c4e9e2def562300bfc4db2212ed8494bd3486d4ff18add121f0a92b380619f0d0cf97e8f83e4ddbce2dc18af9c

Download Submit
C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs

Filesize
2KB

MD5
6892edb9f965b62befb2ef9a8b583b55

SHA1
fa825f6f1639d4f7a58e4b6a0e3d3b016a5194cf

SHA256
0dae80f252e22ede7270ecb5ee2142b9d711479595c71279201738b539d934c6

SHA512
e6ef2854016748f997e7a251f2a9e6cbe71906dd4f30bd72bc3478d08771a9261afd7a7ed1b52968135ea657f9c6886d0cb9b6e36a382db4f800fccebf09ecbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3135bbb595939c9d500fdb3686475265

SHA1
ff4f6160ef12ffeaee63b2b7301a829228f51726

SHA256
97c38669aaf00172380502bd9ccf33358a0430b86e76a0903ee5a2cd87b8fccb

SHA512
b86c376097496267dd441e55e3641aefe4c3ae52983eeb731307c1e8eab149aca8d174bf808af58ef806e0057b9c4d8020b11ae5e14b1959951980f69b59645d

Download Submit
memory/2636-8-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2636-7-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/2636-6-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2916-17-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2916-16-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download