5218ed9598e05be41fc39d056e038c1a6fb054444ee3c5e8e54714ce1d258448

General

Target

111.90.151.174_7777__destroy.bat
Size

2KB
MD5

584db4d4d5e53b628193790c77f84d58
SHA1

ba7c740867ad6184e9971735cc6d1bedf1443078
SHA256

5218ed9598e05be41fc39d056e038c1a6fb054444ee3c5e8e54714ce1d258448
SHA512

05f5e8185714f068c0f804095867e1d875c0f970f61078f3f42effae565baf7a507daf841037df777745882901af74f40e18ade08f743ad368cb2b18c0eced6e

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 26 IoCs

exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid	process
1960	takeown.exe
572	icacls.exe
1452	takeown.exe
1428	icacls.exe
1016	icacls.exe
1648	takeown.exe
464	icacls.exe
2004	icacls.exe
456	takeown.exe
1276	icacls.exe
1896	takeown.exe
1516	takeown.exe
1612	icacls.exe
964	takeown.exe
1976	takeown.exe
664	icacls.exe
1732	icacls.exe
580	icacls.exe
1768	takeown.exe
1196	icacls.exe
1152	takeown.exe
1912	takeown.exe
1816	takeown.exe
1632	icacls.exe
1564	takeown.exe
1520	icacls.exe

Modifies file permissions 1 TTPs 26 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
964	takeown.exe
664	icacls.exe
1816	takeown.exe
1732	icacls.exe
456	takeown.exe
1768	takeown.exe
1196	icacls.exe
1976	takeown.exe
1648	takeown.exe
1960	takeown.exe
1428	icacls.exe
1016	icacls.exe
1632	icacls.exe
1564	takeown.exe
1520	icacls.exe
1152	takeown.exe
580	icacls.exe
1276	icacls.exe
1896	takeown.exe
572	icacls.exe
1452	takeown.exe
1516	takeown.exe
1612	icacls.exe
2004	icacls.exe
1912	takeown.exe
464	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1960	takeown.exe
Token: SeTakeOwnershipPrivilege	456	takeown.exe
Token: SeTakeOwnershipPrivilege	1768	takeown.exe
Token: SeTakeOwnershipPrivilege	1896	takeown.exe
Token: SeTakeOwnershipPrivilege	1452	takeown.exe
Token: SeTakeOwnershipPrivilege	1152	takeown.exe
Token: SeTakeOwnershipPrivilege	964	takeown.exe
Token: SeTakeOwnershipPrivilege	1976	takeown.exe
Token: SeTakeOwnershipPrivilege	1912	takeown.exe
Token: SeTakeOwnershipPrivilege	1816	takeown.exe
Token: SeTakeOwnershipPrivilege	1648	takeown.exe
Token: SeTakeOwnershipPrivilege	1564	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 940	2032	cmd.exe	cmd.exe
PID 2032 wrote to memory of 940	2032	cmd.exe	cmd.exe
PID 2032 wrote to memory of 940	2032	cmd.exe	cmd.exe
PID 940 wrote to memory of 1960	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1960	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1960	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1732	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1732	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1732	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1204	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 1204	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 1204	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 1224	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 1224	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 1224	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 520	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 520	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 520	940	cmd.exe	ReAgentc.exe
PID 940 wrote to memory of 456	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 456	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 456	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 580	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 580	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 580	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1768	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1768	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1768	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1276	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1276	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1276	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1896	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1896	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1896	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 572	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 572	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 572	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1452	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1452	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1452	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1196	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1196	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1196	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1516	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1516	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1516	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1612	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1612	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1612	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1152	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1152	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1152	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1428	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1428	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1428	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 964	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 964	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 964	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1016	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1016	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1016	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 1976	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1976	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 1976	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 2004	940	cmd.exe	icacls.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\111.90.151.174_7777__destroy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\111.90.151.174_7777__destroy.bat" MY_FLAG
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\rstrui.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\rstrui.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1732

C:\Windows\System32\ReAgentc.exe
REAGENTC.EXE /disable
3⤵
- Drops file in System32 directory
PID:1204

C:\Windows\System32\ReAgentc.exe
REAGENTC.EXE /disable /logpath C:\Temp\Reagent.log
3⤵
PID:1224

C:\Windows\System32\ReAgentc.exe
REAGENTC.EXE /disable /logpath C:\Windows\Logs\Reagent
3⤵
PID:520

C:\Windows\System32\takeown.exe
TAKEOWN /F "C:\Windows\System32\ReAgentc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\System32\icacls.exe
ICACLS "C:\Windows\System32\ReAgentc.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:580

C:\Windows\System32\takeown.exe
TAKEOWN /F "C:\Windows\Logs\ReAgent\ReAgent.log"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\icacls.exe
ICACLS "C:\Windows\Logs\ReAgent\ReAgent.log" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1276

C:\Windows\System32\takeown.exe
TAKEOWN /F "C:\Windows\Logs\WinREAgent\diagerr.xml"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\icacls.exe
ICACLS "C:\Windows\Logs\WinREAgent\diagerr.xml" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:572

C:\Windows\System32\takeown.exe
TAKEOWN /F "C:\Windows\Logs\WinREAgent\diagwrn.xml"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\System32\icacls.exe
ICACLS "C:\Windows\Logs\WinREAgent\diagwrn.xml" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1196

C:\Windows\System32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\ReAgent.xml"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1516

C:\Windows\System32\icacls.exe
ICACLS "C:\Windows\Logs\WinREAgent\diagwrn.xml" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1612

C:\Windows\System32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\ReAgent.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\System32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\ReAgent.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1428

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\ReAgentTask.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\ReAgentTask.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1016

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\recdisc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\recdisc.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2004

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\recovery.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\recovery.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:664

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\recovery.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\recovery.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1632

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\recovery.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\recovery.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:464

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\RecoveryDrive.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\RecoveryDrive.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1520

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Recovery\ReAgent.xml
Filesize
734B

MD5
b90c609e64f6a5085e95e94908131e2f

SHA1
e267458cdcd8ba084bb23189c9c3569a2b912090

SHA256
95751ac34cdf3796244ea6298c6a53eb10a1a54faf5fcb0ff1b857e3e90b97f6

SHA512
19a240ea24c53ac5027ad878d4c4cf375fdd5a70685c659100aab1ccba301052d1a2fc199c0bb5bc1b7ab32813e8ce5270419cb9974457a197633d701b3726fa

Download Submit
memory/456-63-0x0000000000000000-mapping.dmp

Download
memory/464-85-0x0000000000000000-mapping.dmp

Download
memory/520-61-0x0000000000000000-mapping.dmp

Download
memory/572-68-0x0000000000000000-mapping.dmp

Download
memory/580-64-0x0000000000000000-mapping.dmp

Download
memory/664-81-0x0000000000000000-mapping.dmp

Download
memory/940-54-0x0000000000000000-mapping.dmp

Download
memory/964-76-0x0000000000000000-mapping.dmp

Download
memory/1016-77-0x0000000000000000-mapping.dmp

Download
memory/1152-74-0x0000000000000000-mapping.dmp

Download
memory/1196-70-0x0000000000000000-mapping.dmp

Download
memory/1204-57-0x0000000000000000-mapping.dmp

Download
memory/1204-58-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1224-59-0x0000000000000000-mapping.dmp

Download
memory/1276-66-0x0000000000000000-mapping.dmp

Download
memory/1428-75-0x0000000000000000-mapping.dmp

Download
memory/1452-69-0x0000000000000000-mapping.dmp

Download
memory/1516-71-0x0000000000000000-mapping.dmp

Download
memory/1520-87-0x0000000000000000-mapping.dmp

Download
memory/1564-86-0x0000000000000000-mapping.dmp

Download
memory/1612-73-0x0000000000000000-mapping.dmp

Download
memory/1632-83-0x0000000000000000-mapping.dmp

Download
memory/1648-84-0x0000000000000000-mapping.dmp

Download
memory/1732-56-0x0000000000000000-mapping.dmp

Download
memory/1768-65-0x0000000000000000-mapping.dmp

Download
memory/1816-82-0x0000000000000000-mapping.dmp

Download
memory/1896-67-0x0000000000000000-mapping.dmp

Download
memory/1912-80-0x0000000000000000-mapping.dmp

Download
memory/1960-55-0x0000000000000000-mapping.dmp

Download
memory/1976-78-0x0000000000000000-mapping.dmp

Download
memory/2004-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads