Malware Analysis Report

2024-11-16 12:48

Sample ID 240809-zbp5kaxglr
Target script.vbs
SHA256 372094655b512390af8075e8289d17fde782792cbc5218a47747cf469c6c9ba2
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

372094655b512390af8075e8289d17fde782792cbc5218a47747cf469c6c9ba2

Threat Level: Likely malicious

The file script.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 20:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 20:32

Reported

2024-08-09 20:35

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2908 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 2908 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1964 wrote to memory of 2908 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2908 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2908 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2908 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2908 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2908 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2908 wrote to memory of 2092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\* && icacls C:\Windows\System32\drivers\* /grant Everyone:(F) && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\* /grant Everyone:(F)

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 20:32

Reported

2024-08-09 20:35

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4624 wrote to memory of 4656 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4624 wrote to memory of 4656 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4656 wrote to memory of 3500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4656 wrote to memory of 3500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4656 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4656 wrote to memory of 2356 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\* && icacls C:\Windows\System32\drivers\* /grant Everyone:(F) && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\drivers\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\drivers\* /grant Everyone:(F)

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A