cb0a1c1c80f0a657bef498f545fc7a6caba709cc16350cf354d5e3c1873993de

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/06/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.vbs
Size

866B
MD5

9d05776bbc360594d755362f43e7d427
SHA1

4c7eab3c65c85d0b57c53f57ba2029d73b505e21
SHA256

cb0a1c1c80f0a657bef498f545fc7a6caba709cc16350cf354d5e3c1873993de
SHA512

83e4260c048d954321c3f8c23dcdc97508de5c24350d7b6d558eb791ad3603fda9b755eadfd7ed5998be6ab0185dd7d8c47ee01217db12d52abab43bec28c21b

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2484	takeown.exe
2732	icacls.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs	WScript.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2484	takeown.exe
2732	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2484	takeown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2484	1956	WScript.exe	28
PID 1956 wrote to memory of 2484	1956	WScript.exe	28
PID 1956 wrote to memory of 2484	1956	WScript.exe	28
PID 1956 wrote to memory of 2732	1956	WScript.exe	30
PID 1956 wrote to memory of 2732	1956	WScript.exe	30
PID 1956 wrote to memory of 2732	1956	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /F C:\Windows\Web /A /R
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" C:\Windows\Web /grant Administrators:F /T
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...