3281e12696162f5fad62ef950cf21c709a364ebc272de6b7e1aeb5a5c365380e

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.vbs
Size

954B
MD5

ba8126ebff4ef9d65a0c1a4a2cd472ae
SHA1

df5853cfa0dee40c97066fb26a1d3fe998db0d17
SHA256

3281e12696162f5fad62ef950cf21c709a364ebc272de6b7e1aeb5a5c365380e
SHA512

b07440e7f3584fff2430cc9b56d75859810b4e9546a6d3047822a1cef1b6ee8ab8a9fa917b2300c95fb0ab65a2b24998577be5b8a3ea9114b36ab631dc2a5aed

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\en-US\ohci1394.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pcmcia.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\sermouse.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\atikmdag.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\rndismpx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\bthenum.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\acpi.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\cdrom.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\i8042prt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ksthunk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\WUDFUsbccidDriver.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\umbus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\mouclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\RDPENCDD.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\intelppm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\parport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\monitor.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\MTConfig.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\i8042prt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\NV_AGP.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rdpvideominiport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\ndis.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fastfat.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\HdAudio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\UAGP35.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\pnpmem.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\i8042prt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\cdrom.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\qwavedrv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mskssrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\kbdhid.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\tcpip.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\tsusbflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\BrSerId.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\RNDISMP.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\cdrom.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\mouhid.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\vdrvroot.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbrpm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\isapnp.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ULIAGPKX.SYS.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ipnat.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\partmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\sermouse.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\pcmcia.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\scsiport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\srv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\volsnap.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\portcls.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\vhdmp.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vga.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\qwavedrv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\mssmbios.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ntfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\RDPCDD.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\TsUsbFlt.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\BrSerId.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\fltmgr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndis.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\de-DE\WUDFUsbccidDriver.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\BrParwdm.sys.mui	cmd.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DRIVER~1\de-DE\netvwifibus.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR9A57~2.INF\Amd64\CNB_0302.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNRC0~2.INF\prnrc003.inf	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\imapi2.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\audiodg.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\ql40xx2.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\whealogr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\de-DE\sr.mfl	cmd.exe
File opened for modification	C:\Windows\System32\wbem\wbemcore.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\es-ES\prngt004.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNNE3~1.INF\prnne30a.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WIAXX0~1.INF\xrWPcpst.dll	cmd.exe
File opened for modification	C:\Windows\System32\nshipsec.dll	cmd.exe
File opened for modification	C:\Windows\System32\ras\switch.inf	cmd.exe
File opened for modification	C:\Windows\System32\wbem\fr-FR\Microsoft-Windows-OfflineFiles.mfl	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\rtffilt.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\crypt32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\api-ms-win-core-io-l1-1-0.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNBR0~4.INF\Amd64\BRMF490N.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRD56E~1.INF\Amd64\EP0NGE6C.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR07D8~1.INF\Amd64\KYTS250c.PPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRA1B1~1.INF\Amd64\RIAS41L6.GPD	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\unimdm.tsp.mui	cmd.exe
File opened for modification	C:\Windows\System32\PRINTI~1\es-ES\prnport.vbs	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\attrib.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\mycomput.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\RestartManagerUninstall.mfl	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\prnep003.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNKY0~1.INF\Amd64\KYK3225E.PPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\it-IT\netrndis.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\aaclient.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\sdautoplay.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMDCM~1.INF\mdmdcm5.inf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRDD90~1.INF\Amd64\CNBDUP1.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNNR0~1.INF\Amd64\NR2510.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\prngt002.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\fontview.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\sfc.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\bridgeres.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMTDK~1.INF\mdmtdk.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\NFRD96~1.INF\nfrd960.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNLE0~3.INF\Amd64\LN2171E3.PPD	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\diagperf.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\Licenses\OEM\HOMEPR~1\license.rtf	cmd.exe
File opened for modification	C:\Windows\System32\pt-BR\WMPhoto.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\fr-FR\l2gpstore.mfl	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNOK0~1.INF\Amd64\OKML790.GPD	cmd.exe
File opened for modification	C:\Windows\System32\en-US\QShvHost.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\KBDEST.DLL	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\umpnpmgr.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\dpnhpast.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNNR0~2.INF\Amd64\NR45006.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WI4BF3~1.INF\CNHL950.DLL	cmd.exe
File opened for modification	C:\Windows\System32\spp\tokens\ppdlic\Shell-InBoxGames-SpiderSolitaire-ppdlic.xrm-ms	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\wsock32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\en-US\powershell.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\it-IT\about_Arithmetic_Operators.help.txt	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\slui.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WIACA0~3.INF\CNHL210.DLL	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\Licenses\OEM\StarterN\license.rtf	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\Licenses\_Default\HOMEPR~2\license.rtf	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\webio.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\ws2_32.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\CXRAPT~2.INF\cxraptor_IBV64.sys	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2804	reg.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2888	2124	WScript.exe	28
PID 2124 wrote to memory of 2888	2124	WScript.exe	28
PID 2124 wrote to memory of 2888	2124	WScript.exe	28
PID 2124 wrote to memory of 2804	2124	WScript.exe	30
PID 2124 wrote to memory of 2804	2124	WScript.exe	30
PID 2124 wrote to memory of 2804	2124	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd/s/q C:\Windows\System32
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Boot or Logon Autostart Execution: Print Processors
  - Drops file in System32 directory
  - Modifies termsrv.dll
  PID:2888
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2804