34a7925bc11164c53c522a1c1ad13656fc4263cab5175c2be619fc8b885f2560

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 16:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

trigger.vbs
Size

1KB
MD5

4e5ad81f64bea5c1cdbf649ee98c95e8
SHA1

3f632b8a4f2f6e174bcd1754cad5616e6db5eb3b
SHA256

34a7925bc11164c53c522a1c1ad13656fc4263cab5175c2be619fc8b885f2560
SHA512

160c91906437d2a2fb6f10c2fef625ffde335b78be56f61c83cd5a826f0d27e87048ad8f4e312708d27d1410f33dea212891d2768ad57b4399e8dd24687f2b42

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1740	takeown.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2760	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1740	2124	WScript.exe	30
PID 2124 wrote to memory of 1740	2124	WScript.exe	30
PID 2124 wrote to memory of 1740	2124	WScript.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trigger.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\System32\takeown.exe
  "C:\Windows\System32\takeown.exe" /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)
  2⤵
  - Modifies file permissions
  PID:1740

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1480

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\log.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\log.txt

Filesize
864KB

MD5
01855adc972708963105439b71c99b6a

SHA1
d4eb1913fb9b5bc6adcc6c524734f2b1c2d10117

SHA256
c8b887994ebfeb2a12f4773e2ed701a235c078d26ef6b21b2e9afba7ab578534

SHA512
214c5c6692d8acbf8bc22e4d7f6995d8aa7c13d7d4dee58743bc7b5aa16e6b52599c937ed33f060ff52c87f453e7e85fb54cab94d2b8602db215fe66002a3290

Download Submit