Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/11/2024, 01:46
Static task: static1
Behavioral task: behavioral1
Sample: beyonce.vbs
Resource: win7-20240903-en
4 signatures
150 seconds
Behavioral task: behavioral2
Sample: beyonce.vbs
Resource: win10v2004-20241007-en
7 signatures
150 seconds
General
Target: beyonce.vbs
Size: 3KB
MD5: b87ed68921df83a49fdec44bdd1f7cdc
SHA1: aad294e0fdd8ab5879b342fecbf5ac438956f2d1
SHA256: 7ea54ea231eff2f7a528e8f5a853f5440acbdd9074ee2023f40e081c865d565d
SHA512: a105498e3a4b90449decf95763ee7a5a64b0811717ab10a6b56717c7a482b83e90bbefe86d80efd8a879ceeb063e8bb9a39100cd446ff1df8b6d897185adacf1
Score: 7/10
Malware Config
Signatures
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | WScript.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs
pid | Process
4484 | tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" | WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop | WScript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\WallpaperStyle = "2" | WScript.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4484 | tasklist.exe

Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1564 wrote to memory of 4424 | 1564 | WScript.exe | 84
PID 1564 wrote to memory of 4424 | 1564 | WScript.exe | 84
PID 1564 wrote to memory of 4232 | 1564 | WScript.exe | 85
PID 1564 wrote to memory of 4232 | 1564 | WScript.exe | 85
PID 1564 wrote to memory of 4484 | 1564 | WScript.exe | 101
PID 1564 wrote to memory of 4484 | 1564 | WScript.exe | 101
Processes
C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"
  PID:1564
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
    PID:4424

  C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
    PID:4232

  C:\Windows\System32\tasklist.exe
    tasklist
    PID:4484
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken