Analysis Overview
SHA256: 7ea54ea231eff2f7a528e8f5a853f5440acbdd9074ee2023f40e081c865d565d
Threat Level: Shows suspicious behavior
The file beyonce.vbs was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Enumerates processes with tasklist
Sets desktop wallpaper using registry
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies Control Panel
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-06 01:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-06 01:46
Reported: 2024-11-06 01:49
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 124s
Command Line
Signatures
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2956 wrote to memory of 1504 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 2956 wrote to memory of 1504 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 2956 wrote to memory of 1504 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 2956 wrote to memory of 2144 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 2956 wrote to memory of 2144 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 2956 wrote to memory of 2144 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-06 01:46
Reported: 2024-11-06 01:49
Platform: win10v2004-20241007-en
Max time kernel: 147s
Max time network: 148s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\tasklist.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1564 wrote to memory of 4424 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 1564 wrote to memory of 4424 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 1564 wrote to memory of 4232 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 1564 wrote to memory of 4232 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\rundll32.exe |
| PID 1564 wrote to memory of 4484 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\tasklist.exe |
| PID 1564 wrote to memory of 4484 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\tasklist.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
C:\Windows\System32\tasklist.exe
tasklist
Network