Analysis
- max time kernel: 99s
- max time network: 141s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241023-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 06/11/2024, 01:33
Static task: static1
Behavioral task: behavioral1
- Sample: beyonce.vbs
- Resource: win10ltsc2021-20241023-en
- 5 signatures
- 150 seconds
General
- Target: beyonce.vbs
- Size: 4KB
- MD5: 32266bde0618e4ad40ead7106186dfe2
- SHA1: afba2df4d46861c5853d06fbcb16c50f2d974cc6
- SHA256: c1704a350997740dc308167a2a639137daa4a817b8c9b6336993ca0bb50bb77e
- SHA512: 1756b06fd8b376bb9f337b504f3473a2b890c4c299301f01377b9edfa53fbc2149ba15b0690f97b204b04feba780986ac86ec83f45fe5072c60306f3f6894d9e
- SSDEEP: 96:i3hIZ1dmCFIQkjtWoGzxlpJRF0Lw/aODsPQLw/LP5Lw/ELw/J:dZu07ClGzjp6Lw/aOD8QLw/L5Lw/ELwR
Score: 7/10
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation | WScript.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\Desktop\Wallpaper = "https://i.imgur.com/hqqJrDz.jpg" | WScript.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies Control Panel (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\Desktop | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\Desktop\WallpaperStyle = "2" | WScript.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 3092 wrote to memory of 2304 | 3092 | WScript.exe | 81
  PID 3092 wrote to memory of 2304 | 3092 | WScript.exe | 81
  PID 3092 wrote to memory of 4108 | 3092 | WScript.exe | 82
  PID 3092 wrote to memory of 4108 | 3092 | WScript.exe | 82
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\beyonce.vbs"
  PID: 3092
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
    PID: 2304
  - C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
    PID: 4108