Malware Analysis Report

2025-06-16 00:04

Sample ID 241106-b7gw3asfmf
Target beyonce.vbs
SHA256 7ea54ea231eff2f7a528e8f5a853f5440acbdd9074ee2023f40e081c865d565d
Tags
ransomware discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7ea54ea231eff2f7a528e8f5a853f5440acbdd9074ee2023f40e081c865d565d

Threat Level: Shows suspicious behavior

The file beyonce.vbs was found to be: Shows suspicious behavior.

Malicious Activity Summary

ransomware discovery

Checks computer location settings

Enumerates processes with tasklist

Sets desktop wallpaper using registry

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 01:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 01:46

Reported

2024-11-06 01:49

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"

Signatures

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\System32\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2956 wrote to memory of 1504 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2956 wrote to memory of 1504 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2956 wrote to memory of 1504 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2956 wrote to memory of 2144 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2956 wrote to memory of 2144 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 2956 wrote to memory of 2144 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 01:46

Reported

2024-11-06 01:49

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\tasklist.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\System32\WScript.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1564 wrote to memory of 4424 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 1564 wrote to memory of 4424 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 1564 wrote to memory of 4232 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 1564 wrote to memory of 4232 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\rundll32.exe
PID 1564 wrote to memory of 4484 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\tasklist.exe
PID 1564 wrote to memory of 4484 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\tasklist.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters

C:\Windows\System32\tasklist.exe

tasklist

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A