Analysis
max time kernel: 42s
max time network: 41s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 08:48
Static task: static1
Behavioral task: behavioral1 (sample run.vbs, resource win7-20240508-en)
Behavioral task: behavioral2 (sample run.vbs, resource win10v2004-20240611-en)
General
Target: run.vbs
Size: 272B
MD5: 46c5d7837d0f3b90e0844cd3a236b31b
SHA1: ddd1c7011dc3d966ba75ede6bc1956d20f787ebd
SHA256: 6eec9a6b40d0c5544d0525db2247d88f780751a5af6ca929bb6757e8ca28f25c
SHA512: f89be3de8d250e7a4626d0a55b82ff2e11e78e29f31746e04b67f8e7a073862d4febfab0771367d7c058b9726d078b9987faa890b8aec50e5b019f5ad71ad638
Malware Config
Signatures
Drops file in Drivers directory 64 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Processes: cmd.exe
- File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll (process: cmd.exe)
- File opened for modification C:\Windows\System32\wintrust.dll (process: cmd.exe)
Possible privilege escalation attempt 2 IoCs
Processes: takeown.exe, icacls.exe
- PID 3584 takeown.exe
- PID 1452 icacls.exe
Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
Processes: cmd.exe
- File opened for modification C:\Windows\System32\spool\prtprocs\x64\winprint.dll (process: cmd.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes: WScript.exe
- Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation (process: WScript.exe)
Modifies file permissions 1 TTPs 2 IoCs
Processes: takeown.exe, icacls.exe
- PID 3584 takeown.exe
- PID 1452 icacls.exe
Drops file in System32 directory 64 IoCs
Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.
Processes: cmd.exe
- File opened for modification C:\Windows\System32\termsrv.dll (process: cmd.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory 10 IoCs
Processes: WScript.exe, cmd.exe, cmd.exe
- PID 4036 (WScript.exe) wrote to memory of 2440 (target process: cmd.exe)
- PID 4036 (WScript.exe) wrote to memory of 2440 (target process: cmd.exe)
- PID 2440 (cmd.exe) wrote to memory of 3584 (target process: takeown.exe)
- PID 2440 (cmd.exe) wrote to memory of 3584 (target process: takeown.exe)
- PID 4036 (WScript.exe) wrote to memory of 4296 (target process: cmd.exe)
- PID 4036 (WScript.exe) wrote to memory of 4296 (target process: cmd.exe)
- PID 4296 (cmd.exe) wrote to memory of 1452 (target process: icacls.exe)
- PID 4296 (cmd.exe) wrote to memory of 1452 (target process: icacls.exe)
- PID 4036 (WScript.exe) wrote to memory of 2220 (target process: cmd.exe)
- PID 4036 (WScript.exe) wrote to memory of 2220 (target process: cmd.exe)
Processes (indentation shows parent/child; the number is the depth in the tree)
1 C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c takeown /F C:\example\ /R
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\system32\takeown.exe
      Command line: takeown /F C:\example\ /R
      - Possible privilege escalation attempt
      - Modifies file permissions
  2 C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\* /grant NT SERVICE\TrustedInstaller:(F)
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32\* /grant NT SERVICE\TrustedInstaller:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
  2 C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c rd/s/q C:\Windows\System32
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Boot or Logon Autostart Execution: Print Processors
    - Drops file in System32 directory
    - Modifies termsrv.dll