a7ef2888a56f4f9b2c957b794998169df566dcc5610f675c54609b89ee31f98b

Analysis

max time kernel
46s
max time network
47s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Your pc is hacked.vbs
Size

1007B
MD5

febb56298189dc506b75b1969349f424
SHA1

848405f1fd01c5c9ec0305222c988c2e22c9ef64
SHA256

a7ef2888a56f4f9b2c957b794998169df566dcc5610f675c54609b89ee31f98b
SHA512

94829a7052c41d469dc240bdb0e91ded80f5c8a34789e4d276fb29e5a3f3ad608f77aa09f826bffd437a6e76eb1490108f847ac944741d5a366c7218fbc1d6a9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2084	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeShutdownPrivilege	1628	shutdown.exe
Token: SeRemoteShutdownPrivilege	1628	shutdown.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2592	2224	WScript.exe	29
PID 2224 wrote to memory of 2592	2224	WScript.exe	29
PID 2224 wrote to memory of 2592	2224	WScript.exe	29
PID 2224 wrote to memory of 2084	2224	WScript.exe	30
PID 2224 wrote to memory of 2084	2224	WScript.exe	30
PID 2224 wrote to memory of 2084	2224	WScript.exe	30
PID 2224 wrote to memory of 1628	2224	WScript.exe	33
PID 2224 wrote to memory of 1628	2224	WScript.exe	33
PID 2224 wrote to memory of 1628	2224	WScript.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Your pc is hacked.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2592
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /F /im notepad.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -s -t 30 -f -m \\
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1628

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:3036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2808

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2708-4-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/2808-3-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download