f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
138s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.vbs
Size

1KB
MD5

77a4da4863ffcaba51ce05d3c632158d
SHA1

253f9a594a6ca3a7a23acb90f8dc81939215ba4b
SHA256

ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
SHA512

ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3972	powershell.exe
4596	powershell.exe
3060	powershell.exe
2392	powershell.exe
4992	powershell.exe
2980	powershell.exe
2980	powershell.exe
4940	powershell.exe
4940	powershell.exe
2892	powershell.exe
2892	powershell.exe
664	powershell.exe
664	powershell.exe
2100	powershell.exe
2100	powershell.exe
4012	powershell.exe
4012	powershell.exe
2100	powershell.exe
4596	powershell.exe
3972	powershell.exe
3972	powershell.exe
4596	powershell.exe
4992	powershell.exe
4992	powershell.exe
3060	powershell.exe
3060	powershell.exe
2392	powershell.exe
2392	powershell.exe
2892	powershell.exe
2980	powershell.exe
4940	powershell.exe
664	powershell.exe
4012	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

WScript.exeWScript.exe

description	pid	process	target process
PID 2232 wrote to memory of 2908	2232	WScript.exe	WScript.exe
PID 2232 wrote to memory of 2908	2232	WScript.exe	WScript.exe
PID 2908 wrote to memory of 4992	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 4992	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 3972	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 3972	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 4596	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 4596	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 3060	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 3060	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 2392	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 2392	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 2980	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 2980	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 4940	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 4940	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 664	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 664	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 2892	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 2892	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 4012	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 4012	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 2100	2908	WScript.exe	powershell.exe
PID 2908 wrote to memory of 2100	2908	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
2⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
22747fd6c87011eae0f96fae5f3f865e

SHA1
c17ab31d07c83f4c6d7479021a06664e56c64f50

SHA256
cdbbe31fb09c9082c5c46ab3b47e1c8d1d726457e449397451a8a990ac5307ac

SHA512
35fb7aae3117073c1defad32e47f78ebfacad13bea6cc96b78649e1c299fb6bc8867e7b2e54d39785b254b5c8fe23e007cdb7aba2577223fa2e5843885aa8f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
a9500d211a9d97701ff1a306ea727f19

SHA1
4b9ebc421ab5c9b1cdbac9c06a43cee049a83568

SHA256
c6728bd8e3ba6480b9f05a8c8cc235702fab5a5c5bc984bb0cb102a252dd2b83

SHA512
47b48a3a068e60cc0e8b66e6c0058798e43591ff936cf28ca697da56e750197173e4fd4a9bc649698542c26ffcb65fca949187b77f0edb4cb584c6e2b4d4a428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
a5ace5b1e1392854c698257bee4f3e7a

SHA1
47aed60a3a2fc5157dd62b0849a411f616fb3072

SHA256
c99619b5acdc7217bbd262106129ea1661b531c2890476300771b706477d9734

SHA512
ed15a10ff08892d8a49b04c3b208016be3f416813ed233e30c2d41ceb0720b5c987101fa4dee8d5adafcfb823784c40011f1c1aba141110f3a7a5a276e14144e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
ca885ce2b7a4be34acd565a65ea19984

SHA1
8c5d9a4507aab2ef743cd08cee8d0dff7a43bb99

SHA256
c22434ffab6b0df6d60e3f56e0f87e550abd72566622de3d7458ba027ed7378c

SHA512
1cba207f47a009cbc0fdf2a6cf13ef8215e7b28c7d0912006238db9c91dc23c0528e3ba87e02bddc6c7588b346954d4f9bbf426d80159d163318a8b63cc5cebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
393b0dd912015db6b9f455c13c931b61

SHA1
423466b784b87d0924a441df0b201be898972d5f

SHA256
a36a9813bf3b96ead474179b0a07fd96e13abc1920eb0a4828eca5fc34a27d12

SHA512
b96f994b5a40b1e618886813cb5e2486ec0237de7d892ca10dbf7f441733b5161b30343de96e5b6df783373e02f14e41db5a5e63bed0aaaf907d1fb115041e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvzjgamk.002.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/664-127-0x00000148DDEF0000-0x00000148DE10C000-memory.dmp

Filesize
2.1MB

Download
memory/2100-106-0x0000023CF5FF0000-0x0000023CF620C000-memory.dmp

Filesize
2.1MB

Download
memory/2392-116-0x00000220D9B90000-0x00000220D9DAC000-memory.dmp

Filesize
2.1MB

Download
memory/2892-113-0x0000026824DC0000-0x0000026824FDC000-memory.dmp

Filesize
2.1MB

Download
memory/2980-128-0x000001BE987C0000-0x000001BE989DC000-memory.dmp

Filesize
2.1MB

Download
memory/3060-119-0x000001DEC7A30000-0x000001DEC7C4C000-memory.dmp

Filesize
2.1MB

Download
memory/3972-9-0x00000207C5E30000-0x00000207C5E52000-memory.dmp

Filesize
136KB

Download
memory/3972-105-0x00000207C5AE0000-0x00000207C5CFC000-memory.dmp

Filesize
2.1MB

Download
memory/4012-131-0x0000021B2AA90000-0x0000021B2ACAC000-memory.dmp

Filesize
2.1MB

Download
memory/4596-109-0x0000029072310000-0x000002907252C000-memory.dmp

Filesize
2.1MB

Download
memory/4940-122-0x0000020C1F8F0000-0x0000020C1FB0C000-memory.dmp

Filesize
2.1MB

Download
memory/4992-110-0x00000226A2930000-0x00000226A2B4C000-memory.dmp

Filesize
2.1MB

Download