Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/11/2024, 01:46
Static task: static1
Behavioral task: behavioral1
- Sample: beyonce.vbs
- Resource: win7-20240903-en
- 4 signatures
- 150 seconds
Behavioral task: behavioral2
- Sample: beyonce.vbs
- Resource: win10v2004-20241007-en
- 7 signatures
- 150 seconds
General
- Target: beyonce.vbs
- Size: 3KB
- MD5:
b87ed68921df83a49fdec44bdd1f7cdc
- SHA1:
aad294e0fdd8ab5879b342fecbf5ac438956f2d1
- SHA256:
7ea54ea231eff2f7a528e8f5a853f5440acbdd9074ee2023f40e081c865d565d
- SHA512:
a105498e3a4b90449decf95763ee7a5a64b0811717ab10a6b56717c7a482b83e90bbefe86d80efd8a879ceeb063e8bb9a39100cd446ff1df8b6d897185adacf1
Score: 5/10
Malware Config
Signatures
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Columns: description; ioc; Process
  Set value (str); \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg"; WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (2 IoCs)
  Columns: description; ioc; Process
  Key created; \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop; WScript.exe
  Set value (str); \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "2"; WScript.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Columns: description; pid; Process; procid_target
  PID 2956 wrote to memory of 1504; 2956; WScript.exe; 30
  PID 2956 wrote to memory of 1504; 2956; WScript.exe; 30
  PID 2956 wrote to memory of 1504; 2956; WScript.exe; 30
  PID 2956 wrote to memory of 2144; 2956; WScript.exe; 31
  PID 2956 wrote to memory of 2144; 2956; WScript.exe; 31
  PID 2956 wrote to memory of 2144; 2956; WScript.exe; 31
Processes
- C:\Windows\System32\WScript.exe (PID: 2956)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe (PID: 1504)
    Command line: "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
  - C:\Windows\System32\rundll32.exe (PID: 2144)
    Command line: "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters