Analysis
max time kernel: 97s
max time network: 142s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 06/11/2024, 01:38
Static task: static1
Behavioral task: behavioral1
Sample: beyonce.vbs
Resource: win10ltsc2021-20241023-en
5 signatures
150 seconds
General
Target: beyonce.vbs
Size: 4KB
Score: 7/10
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation | WScript.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" | WScript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel (2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\Desktop\WallpaperStyle = "2" | WScript.exe
Key created | \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\Desktop | WScript.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2296 wrote to memory of 4404 | 2296 | WScript.exe | 81
PID 2296 wrote to memory of 4404 | 2296 | WScript.exe | 81
PID 2296 wrote to memory of 1132 | 2296 | WScript.exe | 82
PID 2296 wrote to memory of 1132 | 2296 | WScript.exe | 82
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"
PID: 2296
- Checks computer location settings
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
    C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
    PID: 4404
    C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
    PID: 1132