Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01/07/2024, 08:03
Static task: static1
Behavioral task: behavioral1
- Sample: code.vbs
- Resource: win11-20240508-en
- 9 signatures
- 150 seconds
General
- Target: code.vbs
- Size: 138B
- MD5: aa27e16196356a7a5aa78b64999218d2
- SHA1: de063717be7fd93954701897c4949bb20997a385
- SHA256: 59484500d6689a0d348e98a1cebbc82890ef6f74d1d29b79f50b93044c47130a
- SHA512: 3d50ef189a59df40626f6d3ee52aeea6421fe7486d2937eec0987348637f23cf2737a0aff6832080499fca1c32a192204e555353c64851d6b1a3cbaaf3eb5f0f
Score: 8/10
Malware Config
Signatures
Drops file in Drivers directory (64 IoCs)
Manipulates Digital Signatures (2 IoCs)
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- File opened for modification: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll (cmd.exe)
- File opened for modification: C:\Windows\System32\wintrust.dll (cmd.exe)
Drops file in System32 directory (64 IoCs)
Modifies termsrv.dll (1 TTP, 1 IoC)
Commonly used to allow simultaneous RDP sessions.
- File opened for modification: C:\Windows\System32\termsrv.dll (cmd.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS (15 IoCs)
Suspicious behavior: LoadsDriver (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 996: LogonUI.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 1896 wrote to memory of 4668 (pid 1896, WScript.exe, procid_target 77)
- PID 1896 wrote to memory of 4668 (pid 1896, WScript.exe, procid_target 77)
- PID 1896 wrote to memory of 5016 (pid 1896, WScript.exe, procid_target 79)
- PID 1896 wrote to memory of 5016 (pid 1896, WScript.exe, procid_target 79)
- PID 5016 wrote to memory of 820 (pid 5016, cmd.exe, procid_target 81)
- PID 5016 wrote to memory of 820 (pid 5016, cmd.exe, procid_target 81)
Processes
- C:\Windows\System32\WScript.exe (PID 1896), depth 1
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 4668), depth 2
    Command line: "C:\Windows\System32\cmd.exe" /c rd/s/q C:\Windows\System32
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Drops file in System32 directory
    - Modifies termsrv.dll
  - C:\Windows\System32\cmd.exe (PID 5016), depth 2
    Command line: "C:\Windows\System32\cmd.exe" /c shutdown -l
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\shutdown.exe (PID 820), depth 3
      Command line: shutdown -l
- C:\Windows\system32\LogonUI.exe (PID 996), depth 1
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a08855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx