Malware Analysis Report

2025-06-16 00:04

Sample ID 241106-b5gtaatblk
Target beyonce.vbs
SHA256 72ad164331447ec764eb7e49e092b87bb32288b7bf8e9482cc273a056b1b33f5
Tags
ransomware
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

72ad164331447ec764eb7e49e092b87bb32288b7bf8e9482cc273a056b1b33f5

Threat Level: Shows suspicious behavior

The file beyonce.vbs was found to be: Shows suspicious behavior.

Malicious Activity Summary

ransomware

Checks computer location settings

Sets desktop wallpaper using registry

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 01:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 01:43

Reported

2024-11-06 01:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"

Signatures

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop C:\Windows\System32\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 588 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2124 wrote to memory of 588 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2124 wrote to memory of 588 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2124 wrote to memory of 572 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2124 wrote to memory of 572 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2124 wrote to memory of 572 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 01:43

Reported

2024-11-06 01:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\System32\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 2972 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 3552 wrote to memory of 2972 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 3552 wrote to memory of 4628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 3552 wrote to memory of 4628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A