Analysis

  • max time kernel
    82s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-03-2024 08:56

General

  • Target

    HEUR-Trojan-Downloader.Script.vbs

  • Size

    46KB

  • MD5

    99ec3237394257cb0b5c24affe458f48

  • SHA1

    5300e68423da9712280e601b51622c4b567a23a4

  • SHA256

    ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51

  • SHA512

    af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb

  • SSDEEP

    384:m71ThEgivcqpCghtpCAhDnVLri57VurlgRL1xCLI05ej+1DPpUo/i/vFCbWZkraB:m7BGV95hIG1/d49gsCDsl

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Disables cmd.exe use via registry modification 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
  • Possible privilege escalation attempt 4 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 44 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 31 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Downloader.Script.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Downloader.Script.vbs" /elevated
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Disables cmd.exe use via registry modification
      • Sets file execution options in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3184
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        3⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3252
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
          4⤵
            PID:1064
          • C:\Windows\system32\reg.exe
            reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
            4⤵
              PID:4472
            • C:\Windows\system32\reg.exe
              reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
              4⤵
                PID:4200
              • C:\Windows\system32\taskkill.exe
                taskkill /f /im explorer.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4832
              • C:\Windows\explorer.exe
                explorer.exe
                4⤵
                • Modifies Installed Components in the registry
                • Enumerates connected drives
                • Checks SCSI registry key(s)
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:412
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\System32\
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:4136
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\System32 /Grant Users:F
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:1604
              • C:\Windows\system32\takeown.exe
                takeown /f C:\Windows\
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                • Suspicious use of AdjustPrivilegeToken
                PID:2468
              • C:\Windows\system32\icacls.exe
                icacls C:\Windows\ /Grant Users:F
                4⤵
                • Possible privilege escalation attempt
                • Modifies file permissions
                PID:1552
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:1516
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3872
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2156
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4860
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1376
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4272
        • C:\Windows\system32\wscript.exe
          wscript.exe C:\Users\Public\ghostroot\Message.vbs explorer.exe
          1⤵
            PID:4188
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
            1⤵
              PID:3304

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\USERS\ADMIN\DESKTOP\BOLBI.TXT

              Filesize

              29B

              MD5

              b37ed35ef479e43f406429bc36e68ec4

              SHA1

              5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82

              SHA256

              cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c

              SHA512

              d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7

            • C:\Users\Admin\Music\Slap1.vbs

              Filesize

              46KB

              MD5

              99ec3237394257cb0b5c24affe458f48

              SHA1

              5300e68423da9712280e601b51622c4b567a23a4

              SHA256

              ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51

              SHA512

              af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb

            • C:\Users\Public\Ghostroot\KillDora.bat

              Filesize

              482B

              MD5

              4f08159f1d70d41bf975e23230033a0f

              SHA1

              ea88d6fbdcf218e0e04a650d947250d8a3dfad40

              SHA256

              d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e

              SHA512

              958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a

            • C:\Users\Public\ghostroot\Message.vbs

              Filesize

              55B

              MD5

              302e08c86880a39ca55f21cabfa7c5de

              SHA1

              58d56c0eb14fc0401cda7c48d6df9d23f6e9b7e3

              SHA256

              65cfb12baaa6f5891bcd7fda727933a4a12f6dbfa9a6717549eacc6dee9436c7

              SHA512

              9aac68a57cea3d00b956ff82ce443600a969dbc3e4eb2b7b12902f70e318c7dbbf7378b375dd28c0d3be0a0515c5c69d4dd5610d5778f22c4e33765d704f8ff7

            • C:\Users\Public\ghostroot\rpdbfk.exe

              Filesize

              16KB

              MD5

              c00be65597bf40636145c34fbf4788c0

              SHA1

              6809a72fc75f323137e43c91cc0465328cbb525d

              SHA256

              8861afb9340e88a7f139fe1022748db3658b31ff505de897569032a1b34ed5ea

              SHA512

              1d948c49c94daf764ed8cd2b94aa78abc7a23b1fb7a1aa8dffc529cbeeaedb52ee693113a424c75abc80f5dc1a0c69cceb291e3ab47b96811cfd72e2b4494f23

            • memory/3872-25-0x0000000004100000-0x0000000004101000-memory.dmp

              Filesize

              4KB

            • memory/4860-33-0x0000028076F30000-0x0000028076F50000-memory.dmp

              Filesize

              128KB

            • memory/4860-36-0x0000028076EF0000-0x0000028076F10000-memory.dmp

              Filesize

              128KB

            • memory/4860-40-0x0000028077500000-0x0000028077520000-memory.dmp

              Filesize

              128KB