29b918a9bb7c8c7f8a03f91f40e5739eaddf1c4ac03a72d3dbd078186638a369

Analysis

max time kernel
165s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

run.vbs
Size

1KB
MD5

32fb13fef9f5adf8feae5d9b538c2ba9
SHA1

aebd08892d4698afee572d7a8fe71af2d3b23647
SHA256

29b918a9bb7c8c7f8a03f91f40e5739eaddf1c4ac03a72d3dbd078186638a369
SHA512

09968550b8dfe16649ce602debf2762b24f6ad5842a2826ce1c94d4ebe706b47a37372043d726366440d8d7c69510c1af1dd9e258be511c47f43fe193903163a

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\csc.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\HdAudio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\BrSerId.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\portcls.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\smb.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\luafv.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\scsiport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\vwifibus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\mouclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tdx.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\mouclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mouhid.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\wd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\usbport.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\netio.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\npfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mrxdav.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\qwavedrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\vwifibus.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\pacer.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\battc.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cdrom.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\BrSerId.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\rndismpx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\atikmdag.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\umbus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mouhid.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tdpipe.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\cdfs.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\ndis.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\agilevpn.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\acpi.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\exfat.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\ndisuio.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\mskssrv.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\wd.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rassstp.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vwifibus.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rmcast.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\bthpan.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\rndismp6.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\mouclass.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\sermouse.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\ntfs.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\intelppm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\tsusbflt.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\BrParwdm.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\ws2ifsl.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\mssmbios.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\nwifi.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\rdbss.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\rdbss.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\volmgrx.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ataport.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pscr.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\ipnat.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ndiscap.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\usbrpm.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\ws2ifsl.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\tcpipreg.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\http.sys.mui	cmd.exe
File opened for modification	C:\Windows\System32\drivers\gmreadme.txt	cmd.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\wintrust.dll	cmd.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wbem\fdrespub.mof	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\ja-JP\powershell_ise.resources.dll	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\pegi-pt.rs.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\en-US\multiprt.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\nlsbres.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRB5CD~1.INF\Amd64\LXX940.PPD	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\mciwave.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\Vault.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\es-ES\hiddigi.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNHP0~2.INF\Amd64\hpd7400t.xml	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR6FA0~1.INF\Amd64\KYUD2020.GDL	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNLX0~2.INF\Amd64\LME352DN.GPD	cmd.exe
File opened for modification	C:\Windows\System32\Dism\it-IT\LogProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\fr-FR\Mcx2.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR9A57~1.INF\Amd64\CNBX4PIPELINECONFIG.XML	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNHP0~1.INF\Amd64\HPO2700T.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNSH0~1.INF\Amd64\SHC23N03.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMCPQ~2.INF\mdmcpq2.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRD56E~1.INF\Amd64\EP0NGA9A.GPD	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\DWWIN.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNRC0~4.INF\Amd64\RIA4500.GPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMSMA~1.INF\mdmsmart.PNF	cmd.exe
File opened for modification	C:\Windows\System32\mcicda.dll	cmd.exe
File opened for modification	C:\Windows\System32\mgmtapi.dll	cmd.exe
File opened for modification	C:\Windows\System32\scksp.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\sysclass.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\hhctrl.ocx.mui	cmd.exe
File opened for modification	C:\Windows\System32\de-DE\xwizards.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNCA0~2.INF\prnca00a.PNF	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNHP0~4.INF\Amd64\hpf4400t.dll	cmd.exe
File opened for modification	C:\Windows\System32\es-ES\OnLineIDCPL.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\brdgcfg.dll	cmd.exe
File opened for modification	C:\Windows\System32\Dism\de-DE\OSProvider.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\bcrypt.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\es-ES\usbvideo.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR07D8~1.INF\Amd64\KYTS400c.PPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMRAC~1.INF\mdmracal.PNF	cmd.exe
File opened for modification	C:\Windows\System32\en-US\WF.msc	cmd.exe
File opened for modification	C:\Windows\System32\wbem\scm.mof	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNLE0~3.INF\Amd64\LN1331E3.PPD	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\ndisuio.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\MDMCXP~1.INF\mdmcxpv6.inf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PRNHP0~3.INF\Amd64\hpb8500t.gpd	cmd.exe
File opened for modification	C:\Windows\System32\cryptui.dll	cmd.exe
File opened for modification	C:\Windows\System32\en-US\puiapi.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\it-IT\about_WMI_Cmdlets.help.txt	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\fr-FR\prnbr003.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\HDAUDB~2.INF\hdaudbus.sys	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\ja-JP\cpu.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\Dism\TransmogProvider.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\BRMFCW~1.INF\brmsl02.bin	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\SFFDIS~2.INF\sffdisk.inf	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\WIACA0~1.INF\CNHMWL6.dll	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\CertEnrollCtrl.exe.mui	cmd.exe
File opened for modification	C:\Windows\System32\wbem\xsl-mappings.xml	cmd.exe
File opened for modification	C:\Windows\System32\WINDOW~1\v1.0\de-DE\about_do.help.txt	cmd.exe
File opened for modification	C:\Windows\System32\ja-JP\DHCPQEC.DLL.MUI	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PH49B3~1.INF\Ph3xIB64MV.dll	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\FILERE~1\PR88CD~1.INF\Amd64\KYPS400B.GDL	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\fr-FR\dc21x4vm.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\C_20278.NLS	cmd.exe
File opened for modification	C:\Windows\System32\it-IT\d2d1.dll.mui	cmd.exe
File opened for modification	C:\Windows\System32\DRIVER~1\es-ES\prnlx00x.inf_loc	cmd.exe
File opened for modification	C:\Windows\System32\fr-FR\VaultSysUi.exe.mui	cmd.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
2980	taskkill.exe
2404	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2704	reg.exe
1868	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2840	Notepad.exe

Runs regedit.exe 1 IoCs

pid	Process
1300	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1300	regedit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1300	regedit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2460	1936	WScript.exe	28
PID 1936 wrote to memory of 2460	1936	WScript.exe	28
PID 1936 wrote to memory of 2460	1936	WScript.exe	28
PID 1936 wrote to memory of 2704	1936	WScript.exe	32
PID 1936 wrote to memory of 2704	1936	WScript.exe	32
PID 1936 wrote to memory of 2704	1936	WScript.exe	32
PID 1028 wrote to memory of 1044	1028	WScript.exe	50
PID 1028 wrote to memory of 1044	1028	WScript.exe	50
PID 1028 wrote to memory of 1044	1028	WScript.exe	50

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd/s/q C:\Windows\System32
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Boot or Logon Autostart Execution: Print Processors
  - Drops file in System32 directory
  - Modifies termsrv.dll
  PID:2460
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2704

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3064

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1300

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1844

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\run.vbs
1⤵
- Opens file in notepad (likely ransom note)
PID:2840

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im wscript.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im wscript.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\run.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c rd/s/q C:\Windows\System32
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  PID:1044
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\what.txt

Filesize
157B

MD5
e5f22d63d0a22259cd37aafbc2c5e6d3

SHA1
d2a6eb75cf7addf54a9c4379c3a7783747db2f5e

SHA256
629d26d2d68dca1803fa1c17117c83fb5547b56a633b54f38989d135488693cf

SHA512
2524afebbc591a98a250ffe72df8efb94367ddb275df2b4347569986207f86e093e06c0291c5592c765d4c12dcc458a734067df41f01edf1c99553397976c5db

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads