c16065ee913783880d9845488744db1baa5a223cda7f0c7142d3eb29d5a4bf71

Analysis

max time kernel
55s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 07:45

Target

run.vbs
Size

1KB
MD5

2fe3b7a5b34686041265961fc943a0ae
SHA1

1c428077f172fbaac2905a285cf69ef9b6f16457
SHA256

c16065ee913783880d9845488744db1baa5a223cda7f0c7142d3eb29d5a4bf71
SHA512

6b0197d6fbfb9e9a40465745a0406ca91b7b2ac03b158e009c14bc88218b983e212df8d0efdacc608bc71525d2195e2ad49ab7535b516a597dcfdb4e098d54b1

Score

8^/10

evasion

Disables RegEdit via registry modification 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WScript.exe

Disables Task Manager via registry modification
evasion
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
1⤵
- Disables RegEdit via registry modification
PID:384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3136

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact