cb0a1c1c80f0a657bef498f545fc7a6caba709cc16350cf354d5e3c1873993de

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.vbs
Size

866B
MD5

9d05776bbc360594d755362f43e7d427
SHA1

4c7eab3c65c85d0b57c53f57ba2029d73b505e21
SHA256

cb0a1c1c80f0a657bef498f545fc7a6caba709cc16350cf354d5e3c1873993de
SHA512

83e4260c048d954321c3f8c23dcdc97508de5c24350d7b6d558eb791ad3603fda9b755eadfd7ed5998be6ab0185dd7d8c47ee01217db12d52abab43bec28c21b

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3244	takeown.exe
4616	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup.vbs	WScript.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3244	takeown.exe
4616	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3244	takeown.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 3244	2844	WScript.exe	81
PID 2844 wrote to memory of 3244	2844	WScript.exe	81
PID 2844 wrote to memory of 4616	2844	WScript.exe	83
PID 2844 wrote to memory of 4616	2844	WScript.exe	83

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /F C:\Windows\Web /A /R
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\System32\icacls.exe
  "C:\Windows\System32\icacls.exe" C:\Windows\Web /grant Administrators:F /T
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads