13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc.vbe
Size

8KB
MD5

608aa4b6781b5333f940f9d0a933313f
SHA1

72282fe231e6e43d0785188e5e8509ff9bd59b8c
SHA256

13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc
SHA512

3dbf0e3538070a372adb492b771e8360b02f4f3c0cf09092493d0c9bf487eefb26a8ee3a468047f3f36b284f34325e21f6c77b7352ca9e38a20b53c092f2684c
SSDEEP

192:3eS9aNfePvTsC7kYna9INmRo4OCk01bB3K:tsmj7k4aaYRtOCLBa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	1804	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2812	powershell.exe
2812	powershell.exe
2656	powershell.exe
2656	powershell.exe
1740	powershell.exe
1740	powershell.exe
1660	powershell.exe
1660	powershell.exe
1248	powershell.exe
1248	powershell.exe
1264	powershell.exe
1264	powershell.exe
1288	powershell.exe
1288	powershell.exe
2800	powershell.exe
2800	powershell.exe
2628	powershell.exe
2628	powershell.exe
2948	powershell.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2748	1940	taskeng.exe	32
PID 1940 wrote to memory of 2748	1940	taskeng.exe	32
PID 1940 wrote to memory of 2748	1940	taskeng.exe	32
PID 2748 wrote to memory of 2812	2748	WScript.exe	34
PID 2748 wrote to memory of 2812	2748	WScript.exe	34
PID 2748 wrote to memory of 2812	2748	WScript.exe	34
PID 2812 wrote to memory of 2832	2812	powershell.exe	36
PID 2812 wrote to memory of 2832	2812	powershell.exe	36
PID 2812 wrote to memory of 2832	2812	powershell.exe	36
PID 2748 wrote to memory of 2656	2748	WScript.exe	37
PID 2748 wrote to memory of 2656	2748	WScript.exe	37
PID 2748 wrote to memory of 2656	2748	WScript.exe	37
PID 2656 wrote to memory of 1324	2656	powershell.exe	39
PID 2656 wrote to memory of 1324	2656	powershell.exe	39
PID 2656 wrote to memory of 1324	2656	powershell.exe	39
PID 2748 wrote to memory of 1740	2748	WScript.exe	40
PID 2748 wrote to memory of 1740	2748	WScript.exe	40
PID 2748 wrote to memory of 1740	2748	WScript.exe	40
PID 1740 wrote to memory of 2932	1740	powershell.exe	42
PID 1740 wrote to memory of 2932	1740	powershell.exe	42
PID 1740 wrote to memory of 2932	1740	powershell.exe	42
PID 2748 wrote to memory of 1660	2748	WScript.exe	43
PID 2748 wrote to memory of 1660	2748	WScript.exe	43
PID 2748 wrote to memory of 1660	2748	WScript.exe	43
PID 1660 wrote to memory of 2220	1660	powershell.exe	45
PID 1660 wrote to memory of 2220	1660	powershell.exe	45
PID 1660 wrote to memory of 2220	1660	powershell.exe	45
PID 2748 wrote to memory of 1248	2748	WScript.exe	46
PID 2748 wrote to memory of 1248	2748	WScript.exe	46
PID 2748 wrote to memory of 1248	2748	WScript.exe	46
PID 1248 wrote to memory of 1508	1248	powershell.exe	48
PID 1248 wrote to memory of 1508	1248	powershell.exe	48
PID 1248 wrote to memory of 1508	1248	powershell.exe	48
PID 2748 wrote to memory of 1264	2748	WScript.exe	49
PID 2748 wrote to memory of 1264	2748	WScript.exe	49
PID 2748 wrote to memory of 1264	2748	WScript.exe	49
PID 1264 wrote to memory of 1932	1264	powershell.exe	51
PID 1264 wrote to memory of 1932	1264	powershell.exe	51
PID 1264 wrote to memory of 1932	1264	powershell.exe	51
PID 2748 wrote to memory of 1288	2748	WScript.exe	52
PID 2748 wrote to memory of 1288	2748	WScript.exe	52
PID 2748 wrote to memory of 1288	2748	WScript.exe	52
PID 1288 wrote to memory of 2284	1288	powershell.exe	54
PID 1288 wrote to memory of 2284	1288	powershell.exe	54
PID 1288 wrote to memory of 2284	1288	powershell.exe	54
PID 2748 wrote to memory of 2800	2748	WScript.exe	55
PID 2748 wrote to memory of 2800	2748	WScript.exe	55
PID 2748 wrote to memory of 2800	2748	WScript.exe	55
PID 2800 wrote to memory of 2724	2800	powershell.exe	57
PID 2800 wrote to memory of 2724	2800	powershell.exe	57
PID 2800 wrote to memory of 2724	2800	powershell.exe	57
PID 2748 wrote to memory of 2628	2748	WScript.exe	58
PID 2748 wrote to memory of 2628	2748	WScript.exe	58
PID 2748 wrote to memory of 2628	2748	WScript.exe	58
PID 2628 wrote to memory of 628	2628	powershell.exe	60
PID 2628 wrote to memory of 628	2628	powershell.exe	60
PID 2628 wrote to memory of 628	2628	powershell.exe	60
PID 2748 wrote to memory of 2948	2748	WScript.exe	61
PID 2748 wrote to memory of 2948	2748	WScript.exe	61
PID 2748 wrote to memory of 2948	2748	WScript.exe	61
PID 2948 wrote to memory of 2932	2948	powershell.exe	63
PID 2948 wrote to memory of 2932	2948	powershell.exe	63
PID 2948 wrote to memory of 2932	2948	powershell.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc.vbe"
1⤵
- Blocklisted process makes network request
PID:1804

C:\Windows\system32\taskeng.exe
taskeng.exe {1528CC60-E192-46D9-8094-AA9B47D889D3} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2812" "1240"
      4⤵
      PID:2832
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2656" "1248"
      4⤵
      PID:1324
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1740" "1240"
      4⤵
      PID:2932
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1660" "1244"
      4⤵
      PID:2220
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1248" "1240"
      4⤵
      PID:1508
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1264" "1252"
      4⤵
      PID:1932
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1288" "1240"
      4⤵
      PID:2284
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2800" "1252"
      4⤵
      PID:2724
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2628" "1236"
      4⤵
      PID:628
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2948" "1244"
      4⤵
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259452537.txt

Filesize
1KB

MD5
4fcb4ddd97824dbc91fe5fe820fc4ff3

SHA1
bc83cbb6c8ee1ad74227fa6640d996b03058654c

SHA256
3986cf8ef761464e97c8d8ba248cc49936fe1bd2f657377d5558e8358da2dbe9

SHA512
055dc9fbb380fef1408b988163a09575f1adcc1eee10709f584c6dffd0d42c36facaff5492bf2cb90fce03bad4ee6d28344c3152e4f5738554bc947bac1ff164

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259462219.txt

Filesize
1KB

MD5
38b36ef93a778a12a6e7f204f5b5e786

SHA1
f2d3b369bb332b41acdb00e233a28fa708851a51

SHA256
68b17c89e3ee86a2fea646f6e709fcb51a703980e02ffb915037b76395d13b41

SHA512
a9dfd23ef5f2c7a024a19f92945aa1baa1883d62e9e6d8418a60834122e92cc12f5e21f086a1bc74f5985c721d49490a0cf676553e7caf83d0f480a71970f433

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259481352.txt

Filesize
1KB

MD5
5ea3e94dc08a96bcea8619f7459e5d76

SHA1
cf761398b004f0ba91c7c70a5b179cea03f8d371

SHA256
48caf3a9ba6dd04be0e62c900ff9a09e422928d95c03ad4f6ad23edd8a2f3b9f

SHA512
927cedd155f2f561e8be24fce12a480a82ed04627dff69edf909f986a37d24e75f712736778c2780661bf79429b051fe1bdaf9cd896afbaac3d622b3dea77831

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259494431.txt

Filesize
1KB

MD5
322fe74f232c61bdaaca69426f1d4466

SHA1
a1a7be150205a006015a04fa8f458b9c7feed3fb

SHA256
f5ae4487784cb47732a78f7809d30762a7276510b6e75642b6b6395c917c7176

SHA512
7d19d795e7fe6531949e49c1d8cdb9dce0c73c13c3a4ea3ee4a453342ccc87f2cf772ba7f4b173fe0b283f36524a56faccc9632b63cc45ac432277655cb02676

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259511514.txt

Filesize
1KB

MD5
5286758353f5372b606f16ab2ef8a2e2

SHA1
6e480d96df46b21d16bc41b79b326c2644e20cfb

SHA256
ae22551afb457c54b37d1319f7a92a557c8355453608898a7c8d89336e9a4bda

SHA512
2fcba96522795487af74d75f83f09de4ebbb20ee5279b30fb23446878355c486edeb712b521a8bfadf764b75017aa83e2936c152ffc3391903ec0e07e3d1bfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259526517.txt

Filesize
1KB

MD5
04baf312afa2b99d093b21657341f00c

SHA1
18c4ed62f3292aa3a71e2056e50d8e25a3cb941f

SHA256
7b798dfef713fba4099a7160bd9ca1e2d6484d4021a00f1f666d36e0d8886ce3

SHA512
71ec47d1df6a8614556a5d67bb078f3aaeaee3ec91047e7e8e14e5d79cf4a1e1b8e2dfb63d6c910e25df05fac0da3d330ee8ecdb37d82c208417129d9e39181b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259539943.txt

Filesize
1KB

MD5
4c2ae24704bb9ad0da1c1f11da7b6196

SHA1
c3aa476498a616ec7a3056f8a46d655045982378

SHA256
12b4828cfabeba681153c611a6346a9f976935fc6ef17d6cd259e5984063c5e8

SHA512
19f7ba4f61cae4f2fe0aa1d251fa79a4e3c59c138202b93d70c26fac5e6490e50a089ec486ff88c90518515bb1227a9126012704cf12d91a5064ad0d84497c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259558172.txt

Filesize
1KB

MD5
52ccd2d6566dfe81a48851ad3f7ecda8

SHA1
6f78831dfce2595f67de2fae1e13cc2b3e21c2ba

SHA256
7b13ebd268ea0936becd33e48ff54685530fc9a5b336eca61e2526f854dae5a2

SHA512
2875576c1815456ab8f0450ce67d8bd74e61c000dac4e408c41a1d13177bc4359694e18a23dcb8f5eef94a2431129e0c5404f2f2fd6a2747bdb663f89d4b45a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259569507.txt

Filesize
1KB

MD5
d25f0c00531b106a141c9fd14cd3c701

SHA1
76f2eb960b2b84219f71051bf14aff5693b67cb3

SHA256
9d4c23c87988105ef4c658e50bb7eaf7b6a16cbbaf329967257845cadcfbb7cf

SHA512
439875a2b9b762dad60b27ee9998f876393efb1a7fa26103facdcbc6bbb80cdb17295414b2b73c565a8dfbb4c852bae7d3573fc315132679fefd73da84b6cee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259584983.txt

Filesize
1KB

MD5
1c263d185524ada06e8ff0c63b698531

SHA1
5f1e935edc5cf0d3d30cb0345efb5e979a8c1fff

SHA256
3871ad50b733ea8eed49f66691f653ed03377e53de379af88440198d128165a6

SHA512
7bfb28526a1b2482ecdd1b3520b4ffaca7f68da70a9ec6f9b77af553aa1a531afef918369b165c68a3b2714733a37ee80b694bfac7015d7f6216eff2c8d2032a

Download Submit
C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs

Filesize
2KB

MD5
6892edb9f965b62befb2ef9a8b583b55

SHA1
fa825f6f1639d4f7a58e4b6a0e3d3b016a5194cf

SHA256
0dae80f252e22ede7270ecb5ee2142b9d711479595c71279201738b539d934c6

SHA512
e6ef2854016748f997e7a251f2a9e6cbe71906dd4f30bd72bc3478d08771a9261afd7a7ed1b52968135ea657f9c6886d0cb9b6e36a382db4f800fccebf09ecbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f53297c620001d404d61a11cf4d6071a

SHA1
c8d06d13b8382b2797634e458a6ee53594147b53

SHA256
984ab56ea16172155d43a4f5b4b498de400f57c0bffc314ee031abab1c41b279

SHA512
e6253768aed0e6134d753ab375665092375fdab07ec62b2e2517bc89a72564d071e1839411bef69a9865eab3b04cb11d0bd5741d657f6c8154aeb687fc7c8854

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BU6YFOPM5YOKGN9X5W61.temp

Filesize
7KB

MD5
1f1c069b6bbea2cc8121b853bbbd0003

SHA1
ee5df54ee0b3929ef99cd8c80acdb72c033f4aec

SHA256
0c6892dc69d6ffd8f17c78972d81a98b4c7ea8e8a94e7458b31b40b7118fb780

SHA512
bd0125eff42ea1f48ee7e1c6a9d8870507d382ead15dd40b807a202c7395e77ebbbba7bcd830418b3e50e55a5c9ea07dd0b80c109a6c612f80fe98051d50c7dc

Download Submit
memory/2656-17-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2656-16-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2812-8-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/2812-7-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2812-6-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download