ba00e6b4b561806e03e8e70b555ec2c9c9a0aedb81cd5d062842b446a955f5bd

Analysis

max time kernel
94s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 12:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

run.vbs
Size

513B
MD5

b9662bec4455bca7eaeb4d087ba7dd7f
SHA1

16d36fa0020b7d4643ed7d1adb09db7a38089163
SHA256

ba00e6b4b561806e03e8e70b555ec2c9c9a0aedb81cd5d062842b446a955f5bd
SHA512

31b3a47afc1da158bb7997586b88ebb80978651b2532db284a3032a2aefd6d5e74aab554a2cde569530e6aa982c458759ba2348854cde6133b8585b8cca2c44a

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
4092	takeown.exe
5072	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5072	icacls.exe
4092	takeown.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4092	takeown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2344	2736	WScript.exe	83
PID 2736 wrote to memory of 2344	2736	WScript.exe	83
PID 2344 wrote to memory of 4092	2344	cmd.exe	85
PID 2344 wrote to memory of 4092	2344	cmd.exe	85
PID 2344 wrote to memory of 5072	2344	cmd.exe	87
PID 2344 wrote to memory of 5072	2344	cmd.exe	87

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\run.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\drivers\* >nul && icacls C:\Windows\System32\drivers\* /grant everyone:(f) >nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers\*
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\* /grant everyone:(f)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads