runrunlastrun.vbs

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW May 19, 2023, 7:39 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW May 19, 2023, 7:32 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 19, 2023, 7:32 a.m.	buffer: SUCCESS: The scheduled task "GoogleUpdateTaskMachineUAB" has successfully been created. console_handle: 0x0000000000000007	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 19, 2023, 7:31 a.m.	process_identifier: 1776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa1b7000 process_handle: 0xffffffffffffffff	1	0	0

Creates executable files on the filesystem (2 events)

file	C:\ProgramData\WindowsAppCertification\conf.ps1
file	C:\ProgramData\WindowsAppCertification\runps.vbs

Creates a suspicious process (3 events)

cmdline	cmd /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"
cmdline	schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 19, 2023, 7:32 a.m.	show_type: 0 filepath_r: cmd parameters: /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs" filepath: cmd	1	1	0

Uses Windows utilities for basic Windows functionality (3 events)

cmdline	cmd /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"
cmdline	schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"

Installs itself for autorun at Windows startup (3 events)

cmdline	cmd /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"
cmdline	schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"
cmdline	"C:\Windows\System32\cmd.exe" /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

FireEye	Dropped:Trojan.Agent.ELAT
ALYac	Dropped:Trojan.Agent.ELAT
Arcabit	Trojan.Agent.ELAT
Symantec	Trojan.Gen.NPE
ESET-NOD32	PowerShell/TrojanDownloader.Agent.FUK
Avast	Script:SNH-gen [Drp]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	Dropped:Trojan.Agent.ELAT
MicroWorld-eScan	Dropped:Trojan.Agent.ELAT
Ad-Aware	Dropped:Trojan.Agent.ELAT
Emsisoft	Dropped:Trojan.Agent.ELAT (B)
VIPRE	Dropped:Trojan.Agent.ELAT
McAfee-GW-Edition	BehavesLike.VBS.Dropper.zp
MAX	malware (ai score=89)
Microsoft	Trojan:Script/Wacatac.B!ml
GData	Dropped:Trojan.Agent.ELAT
Rising	Dropper.Agent/VBS!1.E3C2 (CLASSIC)
AVG	Script:SNH-gen [Drp]

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"
parent_process	wscript.exe				martian_process	cmd /c schtasks /create /sc hourly /mo 2 /tn "GoogleUpdateTaskMachineUAB" /tr "C:\ProgramData\WindowsAppCertification\wscript.exe //b C:\ProgramData\WindowsAppCertification\runps.vbs"

Uses WMI to create a new process (1 event)

Time & API	Arguments	Status	Return	Repeated
IWbemServices_ExecMethod May 19, 2023, 7:39 a.m.	inargs.CurrentDirectory: None inargs.CommandLine: wscript.exe //e:vbscript //b C:\ProgramData\WindowsAppCertification\winappversion.ini inargs.ProcessStartupInformation: None outargs.ProcessId: 1776 outargs.ReturnValue: 0 flags: 0 method: Create class: Win32_Process	1	0	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe