6dff95543349b52e92d24de0cec7a689dcc3e298dbcda9f92c9386af99351b1b

Analysis

max time kernel
139s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Doc_LOI.vbe
Size

8KB
MD5

608aa4b6781b5333f940f9d0a933313f
SHA1

72282fe231e6e43d0785188e5e8509ff9bd59b8c
SHA256

13d3a1cdba937a0d1dcf706e85b320da66b2cc1ec1193839319511688847abbc
SHA512

3dbf0e3538070a372adb492b771e8360b02f4f3c0cf09092493d0c9bf487eefb26a8ee3a468047f3f36b284f34325e21f6c77b7352ca9e38a20b53c092f2684c
SSDEEP

192:3eS9aNfePvTsC7kYna9INmRo4OCk01bB3K:tsmj7k4aaYRtOCLBa

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2492	WScript.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2984	powershell.exe
2984	powershell.exe
2560	powershell.exe
2560	powershell.exe
1460	powershell.exe
1460	powershell.exe
1640	powershell.exe
1640	powershell.exe
1132	powershell.exe
1132	powershell.exe
2440	powershell.exe
2440	powershell.exe
2404	powershell.exe
2404	powershell.exe
2456	powershell.exe
2456	powershell.exe
2604	powershell.exe
2604	powershell.exe
2884	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 924	2340	taskeng.exe	32
PID 2340 wrote to memory of 924	2340	taskeng.exe	32
PID 2340 wrote to memory of 924	2340	taskeng.exe	32
PID 924 wrote to memory of 2984	924	WScript.exe	34
PID 924 wrote to memory of 2984	924	WScript.exe	34
PID 924 wrote to memory of 2984	924	WScript.exe	34
PID 2984 wrote to memory of 2576	2984	powershell.exe	36
PID 2984 wrote to memory of 2576	2984	powershell.exe	36
PID 2984 wrote to memory of 2576	2984	powershell.exe	36
PID 924 wrote to memory of 2560	924	WScript.exe	37
PID 924 wrote to memory of 2560	924	WScript.exe	37
PID 924 wrote to memory of 2560	924	WScript.exe	37
PID 2560 wrote to memory of 788	2560	powershell.exe	39
PID 2560 wrote to memory of 788	2560	powershell.exe	39
PID 2560 wrote to memory of 788	2560	powershell.exe	39
PID 924 wrote to memory of 1460	924	WScript.exe	40
PID 924 wrote to memory of 1460	924	WScript.exe	40
PID 924 wrote to memory of 1460	924	WScript.exe	40
PID 1460 wrote to memory of 2860	1460	powershell.exe	42
PID 1460 wrote to memory of 2860	1460	powershell.exe	42
PID 1460 wrote to memory of 2860	1460	powershell.exe	42
PID 924 wrote to memory of 1640	924	WScript.exe	43
PID 924 wrote to memory of 1640	924	WScript.exe	43
PID 924 wrote to memory of 1640	924	WScript.exe	43
PID 1640 wrote to memory of 892	1640	powershell.exe	45
PID 1640 wrote to memory of 892	1640	powershell.exe	45
PID 1640 wrote to memory of 892	1640	powershell.exe	45
PID 924 wrote to memory of 1132	924	WScript.exe	46
PID 924 wrote to memory of 1132	924	WScript.exe	46
PID 924 wrote to memory of 1132	924	WScript.exe	46
PID 1132 wrote to memory of 2412	1132	powershell.exe	48
PID 1132 wrote to memory of 2412	1132	powershell.exe	48
PID 1132 wrote to memory of 2412	1132	powershell.exe	48
PID 924 wrote to memory of 2440	924	WScript.exe	50
PID 924 wrote to memory of 2440	924	WScript.exe	50
PID 924 wrote to memory of 2440	924	WScript.exe	50
PID 2440 wrote to memory of 2420	2440	powershell.exe	52
PID 2440 wrote to memory of 2420	2440	powershell.exe	52
PID 2440 wrote to memory of 2420	2440	powershell.exe	52
PID 924 wrote to memory of 2404	924	WScript.exe	53
PID 924 wrote to memory of 2404	924	WScript.exe	53
PID 924 wrote to memory of 2404	924	WScript.exe	53
PID 2404 wrote to memory of 768	2404	powershell.exe	55
PID 2404 wrote to memory of 768	2404	powershell.exe	55
PID 2404 wrote to memory of 768	2404	powershell.exe	55
PID 924 wrote to memory of 2456	924	WScript.exe	56
PID 924 wrote to memory of 2456	924	WScript.exe	56
PID 924 wrote to memory of 2456	924	WScript.exe	56
PID 2456 wrote to memory of 2852	2456	powershell.exe	58
PID 2456 wrote to memory of 2852	2456	powershell.exe	58
PID 2456 wrote to memory of 2852	2456	powershell.exe	58
PID 924 wrote to memory of 2604	924	WScript.exe	59
PID 924 wrote to memory of 2604	924	WScript.exe	59
PID 924 wrote to memory of 2604	924	WScript.exe	59
PID 2604 wrote to memory of 2056	2604	powershell.exe	61
PID 2604 wrote to memory of 2056	2604	powershell.exe	61
PID 2604 wrote to memory of 2056	2604	powershell.exe	61
PID 924 wrote to memory of 2884	924	WScript.exe	62
PID 924 wrote to memory of 2884	924	WScript.exe	62
PID 924 wrote to memory of 2884	924	WScript.exe	62
PID 2884 wrote to memory of 2880	2884	powershell.exe	64
PID 2884 wrote to memory of 2880	2884	powershell.exe	64
PID 2884 wrote to memory of 2880	2884	powershell.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Doc_LOI.vbe"
1⤵
- Blocklisted process makes network request
PID:2492

C:\Windows\system32\taskeng.exe
taskeng.exe {FE62ABE8-707F-4018-9CB3-8DBCAFBDA8F9} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2984" "1236"
      4⤵
      PID:2576
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2560" "1248"
      4⤵
      PID:788
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1460" "1240"
      4⤵
      PID:2860
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1640" "1244"
      4⤵
      PID:892
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "1132" "1244"
      4⤵
      PID:2412
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2440" "1236"
      4⤵
      PID:2420
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2404" "1240"
      4⤵
      PID:768
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2456" "1240"
      4⤵
      PID:2852
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2604" "1252"
      4⤵
      PID:2056
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2884" "1236"
      4⤵
      PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259445984.txt

Filesize
1KB

MD5
00a0e764f7908f08446c78c453f941b1

SHA1
ad0b9e79a492fc70fdd719f6c46c4953df6424f2

SHA256
1ba07df76d477560526c91df6421df7eebe37eb5ff5165a15e2960645de68aeb

SHA512
aebff6cd6d45cc431a14f224561796923cd9251dae5d8ee42a68894f266427b2e361db586cad98f1efcdc09719735750124597b10a3b2a1974e1d9f34b303b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259461635.txt

Filesize
1KB

MD5
aa21bad2eb9d548718de49e6ab0960a1

SHA1
201a84b01d7432fb8450cdd572c139d8056c8355

SHA256
8178e41b2070484185fdfa62340b93bc9b19137e9a326af247f807bc56877d6a

SHA512
7700549ba78cacd662e927e5cd2a6504829d545541a6ca6ec3c671e562e4d5d9e6403d97cbc133af736a97972c741e0edef69d746bd87717c663d254ef4434ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259479220.txt

Filesize
1KB

MD5
ad175403114755534e143a488f57275c

SHA1
32ab5735de20ec2c1c1923918e2de5eab713d79e

SHA256
fdbf3259e8eea7a9e579109e2f9fc5df09c4a1a64159bf7439eb12a6ed8bdbc1

SHA512
f3a85fea7a8b81aabdd94d40b3cb1778421dd721f61ad12c2ff6abba2d301c3d4023bdae8a18d1f1cb53a4aa46d4bdf14827362fe7a9acc66cc314037fed73de

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259491875.txt

Filesize
1KB

MD5
7b044d021fd7d2ef0bf2c70847a163d8

SHA1
ff28be32a180e5f122aea59c13b11cd2d1d07cc9

SHA256
a7965b671da3a15c33b480464ba4cc7c879d6414697f8393b0024da24ab4639a

SHA512
07954a0762107d062372fc35ce391cef719fc83ff7fce04d78363748658c41d863e8c3d89be9582934a7641c60f8cbc3df18588ad65f510136fd1e3a37dd4cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259509721.txt

Filesize
1KB

MD5
0a6e86487cc4a58e4295f3f4bff7ab93

SHA1
5611798db91e7fb6f5a8ead3ef24fbe37929c805

SHA256
1d13e4401579d62467421a7282a7d596f5c08de1e0594be83db7a0a43d029e05

SHA512
f698f47da9c020e416f5b6e39ee7541d4e4a33ae35875c34a16bf1e97bad2e21bf6014b7a5b7b6c61fa48b791a1124e376e8f5e5e2defe53777bc20e31d63190

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259525993.txt

Filesize
1KB

MD5
95ef1dd4d90b67852170631644a14c6d

SHA1
a32eaf5872b568d57e01abd78b33429e29fb44d3

SHA256
dbf125931c4a8794999cd9de166d09c99adf4f1100d396552ad484b8c99d762f

SHA512
c272985c0b772e8fac174f831b8378101e830a5991b4b9a3357c68fa11b0a09080e1647630ffae442f4534bc8f03b6c2d0a6371d0bdfd08633e02d793f92667c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259551904.txt

Filesize
1KB

MD5
4e824efa6dfc6de480043bc4971a6391

SHA1
7c030b6f792e234442f5625687beb9c81cf94eed

SHA256
63b91b925d93057f2fd050faaaef91f2e448dc1993f01700ceddc7a059417602

SHA512
0e606eb6e21d8d8e0a857f3673a387e8b683e1032ec9fe45d5d34ec99c29f37972d5d4ab2bca2533275ab1ff525493998ba6324f76e9a07a2b0b751628cbceb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259570760.txt

Filesize
1KB

MD5
e2fbbe71c1480379b45b41410a27cc5d

SHA1
5210324fea6360ad39d0122e49c03a18cd023921

SHA256
def842c5e5e988dd6df56b68cb0d13de8ed931cfa5f99ba1285b1c47abf979c0

SHA512
7f077a0674079629efada744118f561fef2f2a7b3f454413b69868d9b8a931a52d62fe7197f97253694d6ca3695429fe8e7ed01cb670030a74afee0671c2b17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259586319.txt

Filesize
1KB

MD5
ba86efbe3d518014eff34400cd106fdf

SHA1
77f12179b953bbe1cb29b038dadabfdc96d0af6f

SHA256
b8c28cdc18985824067040697de9fad577a833b0599c24cf0eadc05e8a98325a

SHA512
67e438942774a9c533468102ab3d75efd26abe55fc2fdc840851cd1c064d6927cce52efe505475fbcb9395cfdf361cdcc51f8f42c0108418745b30e74a990c84

Download Submit
C:\Users\Admin\AppData\Roaming\MGarnpObOtlJFvM.vbs

Filesize
2KB

MD5
6892edb9f965b62befb2ef9a8b583b55

SHA1
fa825f6f1639d4f7a58e4b6a0e3d3b016a5194cf

SHA256
0dae80f252e22ede7270ecb5ee2142b9d711479595c71279201738b539d934c6

SHA512
e6ef2854016748f997e7a251f2a9e6cbe71906dd4f30bd72bc3478d08771a9261afd7a7ed1b52968135ea657f9c6886d0cb9b6e36a382db4f800fccebf09ecbd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cd570805eda1b82f9c81f79ba2c2a763

SHA1
dd62d68c2e57e3808000e933891413e6a33219dc

SHA256
6b27a8de7a94f3dc054813e327dd37409d2fb6da8574e25eacac836befb89581

SHA512
8eb8b2ca5d1257bdb38294797024bcbd2899802758ff3cc32b29d95d179daa5481ea902a6ac2857e7db96da644f103449b08618c82bf3ea41c9d65e06b82ffe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L9MZ9Y4D3NYGZL5EBHJA.temp

Filesize
7KB

MD5
4e85b28b1117d8d742f99a41e936dba4

SHA1
5bea7e3c86b77d436163fcd1766067fb6f4f94cd

SHA256
7331abf00938e14a5c8072549fe4830d8d067a14bca7afa949481339238cfda1

SHA512
84c2d00a69fad35ce0e2776c4e51d0acdea7bc6db17649f6f40df084db4ef8bb5b659d10374680a3400ab44276ad2b32233e13e2ed4337583e30068e4ac1444c

Download Submit
memory/2560-18-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2560-17-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-6-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-7-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2984-8-0x0000000002AE0000-0x0000000002AE8000-memory.dmp

Filesize
32KB

Download