01b436f78149b54284feac5ef787aa7af890658ca6eac0ec41aab9f5680f82fb

Analysis

max time kernel
3s
max time network
9s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 15:49

Reason

Machine shutdown

Target

script.vbs
Size

155B
MD5

b9d9a23816c12bf8ea5933c7313f1d04
SHA1

388172d957ee9065596f9f2a31f99b146cd5aab1
SHA256

01b436f78149b54284feac5ef787aa7af890658ca6eac0ec41aab9f5680f82fb
SHA512

e7ef2063b33b1f7d6fbbdbb74dbf6bb01ca0bba99ab5b1a0867503e03638200c7f17c90cada9854d1253d11541666424b28874ea53caef9c1142bbf86f109a28

Score

1^/10

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2700	shutdown.exe
Token: SeRemoteShutdownPrivilege	2700	shutdown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2220	3048	WScript.exe	28
PID 3048 wrote to memory of 2220	3048	WScript.exe	28
PID 3048 wrote to memory of 2220	3048	WScript.exe	28
PID 2220 wrote to memory of 2700	2220	cmd.exe	30
PID 2220 wrote to memory of 2700	2220	cmd.exe	30
PID 2220 wrote to memory of 2700	2220	cmd.exe	30

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo reg delete HKCR /f >> C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\death.bat && shutdown /r /t 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\system32\shutdown.exe
    shutdown /r /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2700

memory/2052-1-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2488-2-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download