Analysis
- max time kernel: 144s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 13:02
Static task: static1
Behavioral task: behavioral1
- Sample: file.vbs
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: file.vbs
- Resource: win10v2004-20240611-en
General
- Target: file.vbs
- Size: 368B
- MD5: 8a7f6196a785962acf3102ed2bacd9ff
- SHA1: 521aee12da238561abceeb69c7f44e78f6701bc5
- SHA256: cadad69c5be75a30bc8b45682f0ee21e406afbc023e2a016c0de32f3f8e46352
- SHA512: 7ba51f54dcfed88a8d9dfb0e37e15b3272141d072fa690c9c8bcd9d3259e3b998ff2d2aaf894de556cba755dca0f2d0f4d9372ecbf58fa41996e13a0615296a9
Malware Config
Signatures
- Disables Task Manager via registry modification
- Drops file in Drivers directory (64 IoCs)
- Manipulates Digital Signatures (2 IoCs)
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
  - File opened for modification: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll (process: cmd.exe)
  - File opened for modification: C:\Windows\System32\wintrust.dll (process: cmd.exe)
- Boot or Logon Autostart Execution: Print Processors (1 TTP, 1 IoC)
  Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
  - File opened for modification: C:\Windows\System32\spool\prtprocs\x64\winprint.dll (process: cmd.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
- Drops file in System32 directory (64 IoCs)
- Modifies termsrv.dll (1 TTP, 1 IoC)
  Commonly used to allow simultaneous RDP sessions.
  - File opened for modification: C:\Windows\System32\termsrv.dll (process: cmd.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTP, 1 IoC)
  - pid 2388 (process: reg.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  - PID 1448 wrote to memory of 2064 (pid: 1448, process: WScript.exe, procid_target: 90)
  - PID 1448 wrote to memory of 2064 (pid: 1448, process: WScript.exe, procid_target: 90)
  - PID 1448 wrote to memory of 2388 (pid: 1448, process: WScript.exe, procid_target: 98)
  - PID 1448 wrote to memory of 2388 (pid: 1448, process: WScript.exe, procid_target: 98)
  - PID 1448 wrote to memory of 2480 (pid: 1448, process: WScript.exe, procid_target: 100)
  - PID 1448 wrote to memory of 2480 (pid: 1448, process: WScript.exe, procid_target: 100)
Processes
- C:\Windows\System32\WScript.exe (PID: 1448)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\cmd.exe (PID: 2064)
    Command line: "C:\Windows\System32\cmd.exe" /c rd/s/q C:\Windows\System32
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Boot or Logon Autostart Execution: Print Processors
    - Drops file in System32 directory
    - Modifies termsrv.dll
  - C:\Windows\System32\reg.exe (PID: 2388)
    Command line: "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies registry key
  - C:\Windows\System32\reg.exe (PID: 2480)
    Command line: "C:\Windows\System32\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ProgramName /f
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID: 4580)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8