Overview

overview

8

Static

static

1

run.vbs

windows7-x64

8

run.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    42s
  • max time network
    41s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2024 08:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    run.vbs

  • Size

    272B

  • MD5

    46c5d7837d0f3b90e0844cd3a236b31b

  • SHA1

    ddd1c7011dc3d966ba75ede6bc1956d20f787ebd

  • SHA256

    6eec9a6b40d0c5544d0525db2247d88f780751a5af6ca929bb6757e8ca28f25c

  • SHA512

    f89be3de8d250e7a4626d0a55b82ff2e11e78e29f31746e04b67f8e7a073862d4febfab0771367d7c058b9726d078b9987faa890b8aec50e5b019f5ad71ad638

Score
8/10
discoveryexploitpersistence

Malware Config

Signatures

  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

    Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Drops file in System32 directory 64 IoCs
  • Modifies termsrv.dll 1 TTPs 1 IoCs

    Commonly used to allow simultaneous RDP sessions.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /F C:\example\ /R
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\system32\takeown.exe
        takeown /F C:\example\ /R
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3584
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\* /grant NT SERVICE\TrustedInstaller:(F)
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\* /grant NT SERVICE\TrustedInstaller:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1452
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd/s/q C:\Windows\System32
      2⤵
      • Drops file in Drivers directory
      • Manipulates Digital Signatures
      • Boot or Logon Autostart Execution: Print Processors
      • Drops file in System32 directory
      • Modifies termsrv.dll
      PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Print Processors

1
T1547.012

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Print Processors

1
T1547.012

Defense Evasion

File and Directory Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Remote Services

1
T1021

Remote Desktop Protocol

1
T1021.001

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads