Overview

overview

10

Static

static

10

taskbroker.vbs

windows7-x64

10

taskbroker.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    taskbroker.vbs

  • Size

    3KB

  • MD5

    ec056bdc0223f3f5df9ae591cba9b24c

  • SHA1

    0f1688d29ef4d471664e5091b378250b3bea2805

  • SHA256

    af65072fd228a47cc3e8a8d1461688c1b53c2ec91949b472decba4d97289253b

  • SHA512

    2e0ae2af69b93cd6dd27aab7d8a04f02db6b2dc7a47d50e1ee9e91cd5461733bb8176dd0ed696ecb77a7514541db7449eacf43d07a933c8c8e0c82897eff0ac4

Score
10/10
defense_evasionevasionexecutiontrojan

Malware Config

Signatures

  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    defense_evasiontrojan
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 2 IoCs
    defense_evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\taskbroker.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\taskbroker.vbs" /elevate
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • Modifies Windows Defender Real-time Protection settings
      • Modifies security service
      • UAC bypass
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4024
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableBehaviorMonitoring $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableBlockAtFirstSeen $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableIOAVProtection $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4336
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableScriptScanning $true
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5248
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1476
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -MAPSReporting 0
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -HighThreatDefaultAction 6 -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ModerateThreatDefaultAction 6
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5244
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -LowThreatDefaultAction 6
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -SevereThreatDefaultAction 6
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2024
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\taskbroker.vbs"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5672

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    440cb38dbee06645cc8b74d51f6e5f71

    SHA1

    d7e61da91dc4502e9ae83281b88c1e48584edb7c

    SHA256

    8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

    SHA512

    3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    c3f96ff9253f0d2c84205d336c5d247f

    SHA1

    4de76a4a40e3a9fb16365092d8303810d749740c

    SHA256

    97598528acc8c97b5ea6989b26791be6fa127a8687fc439e85ae74bf08ff591b

    SHA512

    0cab9b99b04764e2f9a4f8ad4c05cea6067181bc49a6a23133d5aa7af8aa1a866a91b2bc2780cbec196a398cc02c0214da619db813675ab7d1cabcec459b17be

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    3a1e48b8d7963bbbb73f442cd864dca3

    SHA1

    7f71e6af810a734d5f6a0c3ba90c171442e7e334

    SHA256

    33f70a94f53d11ebf2ea52debe0eb6afd7b30a095b31e784b0d4a0fb42b708e9

    SHA512

    26599ce4722f735e1b19f8b68d82318978d577245530e23f5445330dbccb395ffff4e6c4020cdeada5b179b94b557a3e093c2dbe5606b1b6956c1f73a91f637e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    7cfa57226f15f18e8c29720a8a6efc8b

    SHA1

    fef3b41b9715cd37a0bb9ab323fc9aa62158d55b

    SHA256

    53d11cfbf4bbedac6a4963cbe63d8f500f1cfd159e1b9c24149c855d3be188eb

    SHA512

    d6ea186fa684b2ca04eb5d9292a5d60b4d22f03205eb0bbe51c8715e1312e2179bc6da60c7763cb7663cd967fc761b9bd8d9949b009e2e6cba51883a167d1820

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    3c9a06205efb4ec6b1ca25ba605f9f6d

    SHA1

    53f4cbc7a0b1f493e53f99d49c08c56c2ac912f8

    SHA256

    4ef4ffb0f743afc2ee1bb8edcc10ec450439a82dbbbb9cbdebeee633db4cc61a

    SHA512

    e936041f7fe2278a939290bc2b5409a01ae070abc58df4e4bb938e4a406d0c96b19a1fa4db21b9f158efcfbe956f3ddbd97cb670215f2d6f2c1328fa4e455657

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    464cf02cd49aa9420e1082185e84cbab

    SHA1

    de71a170b822d47d11a730ed7a30e45a5e2a5417

    SHA256

    a869e91afc62e60faa9e821e13878a4168907ef24aeed387a3210d69dafba24f

    SHA512

    2f2e69f5eb2d9797f12df6334b98f8371341ae8b32f82ac94ec3b63df2e3d8876e5d9b437e4da1d47ef7a2e658de3e8cf1a0e920001ddc7852abc8311c540de7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    dc0eb1839781c4bed27d3b94a4f3fc88

    SHA1

    40432a27ea09d935efa2d769464b8f687a36af14

    SHA256

    c76800855c49d5639d1ab7bbf105c0ea8eb9a1003aa2ad9656fa57357e47f53d

    SHA512

    06ad9fab6f49d07cef550078cca0c0a40013c9282deb0c46c66bbe1b4dde8207e42c23451818ab04aab3427063bd41a7c8ea852884dee2ddaf123e8d4cf089dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    948B

    MD5

    71cdb73c7c3f9afb583325202d7c694d

    SHA1

    90e0ffe7befb2e5d5a68344af16b11e4fb7b5b34

    SHA256

    09d509d211999bc9618a882e9419acaf8be4c374be966811de1ea3670f0f4423

    SHA512

    a7862c83d31d19f49da1d77cd3f37abe6e9bb72063c07f582153646160d20fed96e7e6b152d49799ecdf63c418bf3d88b6d5ed1c98b232827b36dcdac69694bc

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d6452a08450cbc7937391fb1cd347862

    SHA1

    06550d5827db311a66b155cb0a54fbbf873f9e07

    SHA256

    ec2084784cb8d7fda0d6fcd8b4394b62a2c153b41e96970829ab0fe6414bbfd1

    SHA512

    704ebf95c50ef1529357dfe659ab6d25cf57ee4fbaac66e7feda1112c5d3821f772066e195870fba165b60020037eaca9822a70156628303c5f11b8134b31470

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dfy1kcyy.zdf.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1476-133-0x000001BD72B20000-0x000001BD72D3C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2024-145-0x000001B66FA90000-0x000001B66FCAC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2152-115-0x000001C6BA6E0000-0x000001C6BA8FC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2284-111-0x0000020CCE2C0000-0x0000020CCE4DC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2296-121-0x000001CD771F0000-0x000001CD7740C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4024-118-0x000001F8D5FB0000-0x000001F8D61CC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4024-9-0x000001F8BDE70000-0x000001F8BDE92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4336-124-0x0000014A4D890000-0x0000014A4DAAC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4780-136-0x0000028CE31B0000-0x0000028CE33CC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5208-129-0x0000025771320000-0x000002577153C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5244-139-0x000001D67F5F0000-0x000001D67F80C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5248-130-0x00000213C8BA0000-0x00000213C8DBC000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5672-144-0x000001E57E040000-0x000001E57E25C000-memory.dmp

    Filesize

    2.1MB

    Download