Analysis
max time kernel: 29s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2025, 18:32
Static task: static1
Behavioral task: behavioral1
  Sample: Main_Order.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Main_Order.vbs
  Resource: win10v2004-20250314-en
General
Target: Main_Order.vbs
Size: 963B
MD5: 8b5f64100174bb8bafd5ad78d6f2b277
SHA1: f284046c61b75fd44bf55661701c5e15b97efb28
SHA256: 64f8d40a94818b9385624dc6237edee725cc7edf78c09da9fd60454a7b1e2cdc
SHA512: ddf8052d129252ff570e2fe21a06a69978cea57b43b75ce6f1dff2a3cb6674df9e5ff6ecec78ef3192e17841c9903823c194e2153fcbaec5268f87bc7dcf7346
Malware Config
Signatures

Blocklisted process makes network request (1 IoCs)
  flow  pid   Process
  4     2380  WScript.exe

Command and Scripting Interpreter: PowerShell
  pid   Process
  2756  powershell.exe
  2364  powershell.exe
  2160  powershell.exe

Executes dropped EXE (1 IoCs)
  pid   Process
  2928  tmp1094.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tmp1094.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2216  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2756  powershell.exe
  2928  tmp1094.exe
  2928  tmp1094.exe
  2928  tmp1094.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2756  powershell.exe
  Token: SeDebugPrivilege  2928  tmp1094.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process         procid_target
  PID 2380 wrote to memory of 2756   2380  WScript.exe     31
  PID 2380 wrote to memory of 2756   2380  WScript.exe     31
  PID 2380 wrote to memory of 2756   2380  WScript.exe     31
  PID 2756 wrote to memory of 2928   2756  powershell.exe  33
  PID 2756 wrote to memory of 2928   2756  powershell.exe  33
  PID 2756 wrote to memory of 2928   2756  powershell.exe  33
  PID 2756 wrote to memory of 2928   2756  powershell.exe  33
Processes

C:\Windows\System32\WScript.exe (PID 2380, depth 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Main_Order.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2756, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\DownloadedScript.ps1"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tmp1094.exe (PID 2928, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1094.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2364, depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\tmp1094.exe"
        - Command and Scripting Interpreter: PowerShell

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2160, depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gFnEPEuEhX.exe"
        - Command and Scripting Interpreter: PowerShell

      C:\Windows\SysWOW64\schtasks.exe (PID 2216, depth 4)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6661.tmp"
        - Scheduled Task/Job: Scheduled Task

      C:\Users\Admin\AppData\Local\Temp\tmp1094.exe (PID 1716, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1094.exe"

      C:\Users\Admin\AppData\Local\Temp\tmp1094.exe (PID 2040, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1094.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads