6dff95543349b52e92d24de0cec7a689dcc3e298dbcda9f92c9386af99351b1b

Analysis

max time kernel
146s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doc_LOI.vbe
Size

8KB
MD5

608aa4b6781b5333f940f9d0a933313f
SHA1

72282fe231e6e43d0785188e5e8509ff9bd59b8c
SHA256

13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc
SHA512

3dbf0e3538070a372adb492b771e8360b02f4f3c0cf09092493d0c9bf487eefb26a8ee3a468047f3f36b284f34325e21f6c77b7352ca9e38a20b53c092f2684c
SSDEEP

192:3eS9aNfePvTsC7kYna9INmRo4OCk01bB3K:tsmj7k4aaYRtOCLBa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2188	WScript.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2840	powershell.exe
2840	powershell.exe
2116	powershell.exe
2116	powershell.exe
1956	powershell.exe
1956	powershell.exe
2280	powershell.exe
2280	powershell.exe
1064	powershell.exe
1064	powershell.exe
272	powershell.exe
272	powershell.exe
572	powershell.exe
572	powershell.exe
2388	powershell.exe
2388	powershell.exe
2728	powershell.exe
2728	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2488	2360	taskeng.exe	32
PID 2360 wrote to memory of 2488	2360	taskeng.exe	32
PID 2360 wrote to memory of 2488	2360	taskeng.exe	32
PID 2488 wrote to memory of 2840	2488	WScript.exe	34
PID 2488 wrote to memory of 2840	2488	WScript.exe	34
PID 2488 wrote to memory of 2840	2488	WScript.exe	34
PID 2840 wrote to memory of 2680	2840	powershell.exe	36
PID 2840 wrote to memory of 2680	2840	powershell.exe	36
PID 2840 wrote to memory of 2680	2840	powershell.exe	36
PID 2488 wrote to memory of 2116	2488	WScript.exe	37
PID 2488 wrote to memory of 2116	2488	WScript.exe	37
PID 2488 wrote to memory of 2116	2488	WScript.exe	37
PID 2116 wrote to memory of 692	2116	powershell.exe	39
PID 2116 wrote to memory of 692	2116	powershell.exe	39
PID 2116 wrote to memory of 692	2116	powershell.exe	39
PID 2488 wrote to memory of 1956	2488	WScript.exe	40
PID 2488 wrote to memory of 1956	2488	WScript.exe	40
PID 2488 wrote to memory of 1956	2488	WScript.exe	40
PID 1956 wrote to memory of 1976	1956	powershell.exe	42
PID 1956 wrote to memory of 1976	1956	powershell.exe	42
PID 1956 wrote to memory of 1976	1956	powershell.exe	42
PID 2488 wrote to memory of 2280	2488	WScript.exe	43
PID 2488 wrote to memory of 2280	2488	WScript.exe	43
PID 2488 wrote to memory of 2280	2488	WScript.exe	43
PID 2280 wrote to memory of 2424	2280	powershell.exe	45
PID 2280 wrote to memory of 2424	2280	powershell.exe	45
PID 2280 wrote to memory of 2424	2280	powershell.exe	45
PID 2488 wrote to memory of 1064	2488	WScript.exe	46
PID 2488 wrote to memory of 1064	2488	WScript.exe	46
PID 2488 wrote to memory of 1064	2488	WScript.exe	46
PID 1064 wrote to memory of 236	1064	powershell.exe	48
PID 1064 wrote to memory of 236	1064	powershell.exe	48
PID 1064 wrote to memory of 236	1064	powershell.exe	48
PID 2488 wrote to memory of 272	2488	WScript.exe	49
PID 2488 wrote to memory of 272	2488	WScript.exe	49
PID 2488 wrote to memory of 272	2488	WScript.exe	49
PID 272 wrote to memory of 2172	272	powershell.exe	51
PID 272 wrote to memory of 2172	272	powershell.exe	51
PID 272 wrote to memory of 2172	272	powershell.exe	51
PID 2488 wrote to memory of 572	2488	WScript.exe	52
PID 2488 wrote to memory of 572	2488	WScript.exe	52
PID 2488 wrote to memory of 572	2488	WScript.exe	52
PID 572 wrote to memory of 2616	572	powershell.exe	54
PID 572 wrote to memory of 2616	572	powershell.exe	54
PID 572 wrote to memory of 2616	572	powershell.exe	54
PID 2488 wrote to memory of 2388	2488	WScript.exe	55
PID 2488 wrote to memory of 2388	2488	WScript.exe	55
PID 2488 wrote to memory of 2388	2488	WScript.exe	55
PID 2388 wrote to memory of 2796	2388	powershell.exe	57
PID 2388 wrote to memory of 2796	2388	powershell.exe	57
PID 2388 wrote to memory of 2796	2388	powershell.exe	57
PID 2488 wrote to memory of 2728	2488	WScript.exe	58
PID 2488 wrote to memory of 2728	2488	WScript.exe	58
PID 2488 wrote to memory of 2728	2488	WScript.exe	58
PID 2728 wrote to memory of 1196	2728	powershell.exe	60
PID 2728 wrote to memory of 1196	2728	powershell.exe	60
PID 2728 wrote to memory of 1196	2728	powershell.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc_LOI.vbe"
1⤵
- Blocklisted process makes network request
PID:2188

C:\Windows\system32\taskeng.exe
taskeng.exe {73391206-73EE-4D16-A8ED-33AB1CE79806} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2840" "1256"
      4⤵
      PID:2680
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2116" "1256"
      4⤵
      PID:692
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1956" "1256"
      4⤵
      PID:1976
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2280" "1252"
      4⤵
      PID:2424
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1064" "1256"
      4⤵
      PID:236
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:272
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "272" "1256"
      4⤵
      PID:2172
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "572" "1256"
      4⤵
      PID:2616
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2388" "1252"
      4⤵
      PID:2796
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2728" "1252"
      4⤵
      PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259465618.txt

Filesize
1KB

MD5
b68dc02548684d08ce616e42e941fa11

SHA1
13db07ac9797589d62ff60da1f2d81816f978434

SHA256
91d6e31fea7f4f7684972cb0c7756208a9f8c0d978ea03ec5d6148efe128722a

SHA512
387c58ce7324a17ba2c1f6b8ef327859d6fc60acb1cc9c6aefedd95eefff26df82ebd5ed65e76f4bc48343687c88154e2bb626a58ae9917d630ad0b9ea50d54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259485369.txt

Filesize
1KB

MD5
ada749fb13005cf7120afd78c7011c82

SHA1
4b4d8b836d8ee691ee98ba9dbee3248d41660a72

SHA256
154c89c00f1e7d9b3df9cba17508f92b599b8428fa5c74b446913fd998ebe8cb

SHA512
985f9ecfd6f5cc9cc764a930b18f3a8cd4c492363ded28183f6233a8f9b37d8ff7e9d42bc7ec2e6b5571ed29b17d8a018374220d98d501b70094985d863dd4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259499721.txt

Filesize
1KB

MD5
697f24b9d8a131559ad6da2b3792c18f

SHA1
c2095cb663aa09656d6f20d59a681716661f476f

SHA256
26b10fc3a1e2a4f7527ab9d6956f84e653a855ff0a794b14e11656d25ad6ec27

SHA512
57e234f593f725f6c530bc1fc2fac9a108ad5ca7a91aa7b3fe08a77f366b79d371e352e0bb4ac2ad15a6c1ad225c2bbeb1fa166c9acbc8ac4145056f74a88909

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259511708.txt

Filesize
1KB

MD5
42bf2800d36a077ce2d7e3b8e50dea06

SHA1
1a6a401a59eb8d0af5722eea8d169adf227a3d7b

SHA256
5163c7b1856fb4077afed6e31ecfc6350179e4624c7bb4232d058fb4ce1f923a

SHA512
36d56f0d36a658e861b1068fc09b3392ef5c15bb46515038c121d006891a7bf53491ae61bd54ed18a026d510b5f061252cf37dd1e6923a00ba915851470f273f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259529801.txt

Filesize
1KB

MD5
6dceabb280d437d0a7166b81232a3454

SHA1
7afb725358097b7d5b5267c6a144ac18b126a3d6

SHA256
9f5df9f3a1daf8269a08df666a78502aa3fccd71999330ff614cb93b481db166

SHA512
d25c9e453b3c6bcc442203400c4f7b1dbf903310244b41ef0ff1347c4a4cd706fabeb81bf000538aba4eb52b851addb9ab18c05c8f600a1a44856639888b3524

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259544360.txt

Filesize
1KB

MD5
0ca480a469f0de7ad7d86cbbe285e615

SHA1
c1d71d42213ef1b04b0693d889a156821c2a47e3

SHA256
f2cc91299aa340b637fe28aaa0915e420f9dc0c4ea286f0a803078d11a62ce6d

SHA512
c6b206fe68e0faafd8c23722862dde64f1b87b46034af7f4de58b6ff4ca46c0e5c2ee7b8ce9d8745cf0344e7a0cd7a9285bcab5997875a467b927021ad045b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259558744.txt

Filesize
1KB

MD5
dcbc90c0e116ba21e64cf53fb31e48b8

SHA1
d3cb9f33351ea827f262d41d78fb3abc3f9dba64

SHA256
ee5dd8515a1a8bf6064989646abe52254802a31c57eeda0bb84ee0752c8fddfc

SHA512
0eb8901e97eceec4119a8962252e2e702e3dc4452a51aa6d3e493bb3c09dc45277cfe6c942aaaa49d65071f1bc99b9706311a241bebeb70f1be513518a41c7ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259572476.txt

Filesize
1KB

MD5
544adb8e1b3008cbb5fe1c670af40b18

SHA1
e67107e6ef869c1dbae4870458c494ac0019cbd4

SHA256
61ff032e12f927fcec6b4b37598edb227dd7f2fae970afc2492ba9b797ad78b4

SHA512
c08ebaddb477f029bb919a1c6c591226b8303b3de4b91982fe2860fa812ebf4bd35470c30373a9a0e65be43109dec44fbf336d4f22f75af921cf5469fe7a53d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259591640.txt

Filesize
1KB

MD5
069cb04438aaa7fcf8d656b8eee7c558

SHA1
b72bc6517c4a5d8219a1f4c6f9d38856de34d9c5

SHA256
b2a1fff0117ded08fd2cd1786e0b8cc894798057d6a5ec4418fb336b14bd572c

SHA512
769f9bef4be0047a1420935586e3b3c03f6f7de31eaa82a6530d32e9b2b9153b4ccf3687e3868458f69095cd8e38fef1482bfdbe26218398048be9a0247a9e1b

Download Submit
C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs

Filesize
2KB

MD5
6892edb9f965b62befb2ef9a8b583b55

SHA1
fa825f6f1639d4f7a58e4b6a0e3d3b016a5194cf

SHA256
0dae80f252e22ede7270ecb5ee2142b9d711479595c71279201738b539d934c6

SHA512
e6ef2854016748f997e7a251f2a9e6cbe71906dd4f30bd72bc3478d08771a9261afd7a7ed1b52968135ea657f9c6886d0cb9b6e36a382db4f800fccebf09ecbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c59e4b4d969e9e34e872aa3016a3236e

SHA1
e3cb9f6029b22ed3e560de551b7cdeb2c3ffd2df

SHA256
741965c46ea373bcfb6c6c9ba8266a02f1683440ffe7c0a706ef688f1858b5d9

SHA512
8bf347f4e91ea9f549c2020f923963d43144c89aeccc339e3143ed5d4b351ad3c8c9440e4dbf8eb97b918ebed87a117ea9cdf50cb7d4efbef5625af27ec895f6

Download Submit
memory/2116-17-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2116-16-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2840-7-0x000000001B090000-0x000000001B098000-memory.dmp

Filesize
32KB

Download
memory/2840-6-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/2840-8-0x000000001B190000-0x000000001B198000-memory.dmp

Filesize
32KB

Download