ba00e6b4b561806e03e8e70b555ec2c9c9a0aedb81cd5d062842b446a955f5bd

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 12:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

run.vbs
Size

513B
MD5

b9662bec4455bca7eaeb4d087ba7dd7f
SHA1

16d36fa0020b7d4643ed7d1adb09db7a38089163
SHA256

ba00e6b4b561806e03e8e70b555ec2c9c9a0aedb81cd5d062842b446a955f5bd
SHA512

31b3a47afc1da158bb7997586b88ebb80978651b2532db284a3032a2aefd6d5e74aab554a2cde569530e6aa982c458759ba2348854cde6133b8585b8cca2c44a

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2260	takeown.exe
2628	icacls.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2260	takeown.exe
2628	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2260	takeown.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2368	2020	WScript.exe	30
PID 2020 wrote to memory of 2368	2020	WScript.exe	30
PID 2020 wrote to memory of 2368	2020	WScript.exe	30
PID 2368 wrote to memory of 2260	2368	cmd.exe	32
PID 2368 wrote to memory of 2260	2368	cmd.exe	32
PID 2368 wrote to memory of 2260	2368	cmd.exe	32
PID 2368 wrote to memory of 2628	2368	cmd.exe	33
PID 2368 wrote to memory of 2628	2368	cmd.exe	33
PID 2368 wrote to memory of 2628	2368	cmd.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\* /grant everyone:(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads