5218ed9598e05be41fc39d056e038c1a6fb054444ee3c5e8e54714ce1d258448

General

Target

111.90.151.174_7777__destroy.bat
Size

2KB
MD5

584db4d4d5e53b628193790c77f84d58
SHA1

ba7c740867ad6184e9971735cc6d1bedf1443078
SHA256

5218ed9598e05be41fc39d056e038c1a6fb054444ee3c5e8e54714ce1d258448
SHA512

05f5e8185714f068c0f804095867e1d875c0f970f61078f3f42effae565baf7a507daf841037df777745882901af74f40e18ade08f743ad368cb2b18c0eced6e

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 26 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
1072	takeown.exe
4936	takeown.exe
3220	icacls.exe
4764	takeown.exe
1928	takeown.exe
1572	icacls.exe
116	icacls.exe
2084	icacls.exe
3812	takeown.exe
2392	icacls.exe
1868	takeown.exe
616	icacls.exe
2464	icacls.exe
1312	icacls.exe
3720	takeown.exe
2988	icacls.exe
716	icacls.exe
3140	takeown.exe
2688	icacls.exe
2664	takeown.exe
2268	takeown.exe
1608	icacls.exe
1416	takeown.exe
4688	icacls.exe
1412	takeown.exe
596	takeown.exe

Modifies file permissions 1 TTPs 26 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
4936	takeown.exe
1072	takeown.exe
3720	takeown.exe
1412	takeown.exe
2084	icacls.exe
3140	takeown.exe
1928	takeown.exe
1312	icacls.exe
596	takeown.exe
2392	icacls.exe
1868	takeown.exe
1416	takeown.exe
1608	icacls.exe
3220	icacls.exe
4688	icacls.exe
1572	icacls.exe
3812	takeown.exe
116	icacls.exe
2664	takeown.exe
2988	icacls.exe
716	icacls.exe
616	icacls.exe
2464	icacls.exe
2688	icacls.exe
2268	takeown.exe
4764	takeown.exe

Drops file in System32 directory 2 IoCs

Processes:

ReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Drops file in Windows directory 12 IoCs

Processes:

ReAgentc.exeReAgentc.exeReAgentc.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Logs\Reagent	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	3720	takeown.exe
Token: SeTakeOwnershipPrivilege	3812	takeown.exe
Token: SeTakeOwnershipPrivilege	596	takeown.exe
Token: SeTakeOwnershipPrivilege	2664	takeown.exe
Token: SeTakeOwnershipPrivilege	3140	takeown.exe
Token: SeTakeOwnershipPrivilege	4936	takeown.exe
Token: SeTakeOwnershipPrivilege	2268	takeown.exe
Token: SeTakeOwnershipPrivilege	1416	takeown.exe
Token: SeTakeOwnershipPrivilege	4764	takeown.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 4912 wrote to memory of 4900	4912	cmd.exe	cmd.exe
PID 4912 wrote to memory of 4900	4912	cmd.exe	cmd.exe
PID 4900 wrote to memory of 1072	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 1072	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 1312	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 1312	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 920	4900	cmd.exe	ReAgentc.exe
PID 4900 wrote to memory of 920	4900	cmd.exe	ReAgentc.exe
PID 4900 wrote to memory of 1580	4900	cmd.exe	ReAgentc.exe
PID 4900 wrote to memory of 1580	4900	cmd.exe	ReAgentc.exe
PID 4900 wrote to memory of 1960	4900	cmd.exe	ReAgentc.exe
PID 4900 wrote to memory of 1960	4900	cmd.exe	ReAgentc.exe
PID 4900 wrote to memory of 3720	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 3720	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 1572	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 1572	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 1412	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 1412	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 2084	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 2084	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 3812	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 3812	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 116	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 116	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 596	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 596	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 2392	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 2392	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 1868	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 1868	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 616	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 616	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 2664	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 2664	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 2464	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 2464	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 3140	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 3140	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 2688	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 2688	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 4936	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 4936	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 2988	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 2988	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 2268	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 2268	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 1608	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 1608	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 1416	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 1416	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 3220	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 3220	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 4764	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 4764	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 716	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 716	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 1928	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 1928	4900	cmd.exe	takeown.exe
PID 4900 wrote to memory of 4688	4900	cmd.exe	icacls.exe
PID 4900 wrote to memory of 4688	4900	cmd.exe	icacls.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111.90.151.174_7777__destroy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\111.90.151.174_7777__destroy.bat" MY_FLAG
2⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\rstrui.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\rstrui.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1312

C:\Windows\System32\ReAgentc.exe
REAGENTC.EXE /disable
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:920

C:\Windows\System32\ReAgentc.exe
REAGENTC.EXE /disable /logpath C:\Temp\Reagent.log
3⤵
- Drops file in Windows directory
PID:1580

C:\Windows\System32\ReAgentc.exe
REAGENTC.EXE /disable /logpath C:\Windows\Logs\Reagent
3⤵
- Drops file in Windows directory
PID:1960

C:\Windows\System32\takeown.exe
TAKEOWN /F "C:\Windows\System32\ReAgentc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\System32\icacls.exe
ICACLS "C:\Windows\System32\ReAgentc.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1572

C:\Windows\System32\takeown.exe
TAKEOWN /F "C:\Windows\Logs\ReAgent\ReAgent.log"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1412

C:\Windows\System32\icacls.exe
ICACLS "C:\Windows\Logs\ReAgent\ReAgent.log" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2084

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\Logs\WinREAgent\diagerr.xml"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\Logs\WinREAgent\diagerr.xml" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:116

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\Logs\WinREAgent\diagwrn.xml"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\Logs\WinREAgent\diagwrn.xml" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2392

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\ReAgent.xml"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1868

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\Logs\WinREAgent\diagwrn.xml" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:616

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\ReAgent.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\ReAgent.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2464

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\ReAgentTask.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\ReAgentTask.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2688

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\recdisc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\recdisc.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2988

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\recovery.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\recovery.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1608

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\recovery.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\recovery.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3220

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\recovery.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\recovery.dll" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:716

C:\Windows\system32\takeown.exe
TAKEOWN /F "C:\Windows\System32\Recovery\RecoveryDrive.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\Recovery\RecoveryDrive.exe" /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Logs\ReAgent\ReAgent.log
Filesize
2KB

MD5
6e7b19347001164c9d00e0f40b723f22

SHA1
3212d1796d324b67350c8ef2e32e3e1ebc389bd0

SHA256
12ecf43dc69ab988152e7af2a38e24623d27acba17b5358dbaa59c35e5aa38cb

SHA512
924a41f3076647af7b768d9972906a50dd88a18f64dd43a8c81bfe593bb69b4660b8276cada4caeab070661b6c5b67b1dc7e4e34e652721418a429d2dee73b81

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
11KB

MD5
646c99592c86878d677ab1e52bb63def

SHA1
51c5eac20436cb430620a2b432f58fda85bb3044

SHA256
f6bebdba9f494bf9e5c35dc18acbcf026e46af22390b6789bebc340d906ead70

SHA512
954dcbecdd1e57036a24217adcf46c047c4eddd2f62e024044fd826c74ed773b6b8c406f23d12afd765300ff2177b5dbaa55d9a7570787cb930b1f3ffb093267

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
13KB

MD5
9068d02eef9ef728943f408a3d82f555

SHA1
97cf6ad2e21ecd3984a2337a0c5b7840be27f03f

SHA256
af68db8dec67db0aae695d0a1ce5361c6251e01d9e778414c22c07fe555f5580

SHA512
3bf5d50ad0d00b654c3307dc82cbc443bdce51ff509ea846f98305b6a8f981b006ccd2b8994d73f2b91e4f0c5e583e1e86959dd4abf36af0d0f1c38dd6149b35

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
14KB

MD5
a8acd862f8a8a55a7651afd34c6aa25a

SHA1
20a2649285f2fb15efa53e0bdd266970ee635bc5

SHA256
9ea89ba8c519a6dc4286fe78f1dd957fc97da85ceb2f430dbab103a82b9b9bbd

SHA512
2123b422ad2adebf7d4a68e979fb7d97b542cc705a61b2c11df17cb208a4cdbdaaa94cceb1f2bb4c7c0f936ce26493f38b519cfbcdff488ccebd6ef7e12b44e3

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
16KB

MD5
806253980cccedf085519b9b7b935917

SHA1
39cdf43ae62a7d8712953a749171bc026ec3db4d

SHA256
402cf436b4461cdd94fd98ea57e35f09c2bdcdb5fd75513d19507d8db4435b68

SHA512
ee43acc1a8f32b5edcf33c444faab6ab29b46f0f20eab43d52e78cfefd46ed6de33184da381864e46ce8718ba146bfa6962efdfa2090822040caca7cedd33dbe

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
326B

MD5
de4e9dfbd99519ecce425671f8be5ab0

SHA1
91c63d6ad9c12e9a52c66f81a65c05f6bb1be9e9

SHA256
92d477ffe4e898eba6f0bf9f3fb9b98afa637743f9ff1881237e8f65c1fa5e58

SHA512
926d27af21aae2e6902ceff9b504bafa2ec0c4c3e424b10ee96727c1e0a3a0fc1e316361b07ddf8898c225247ef813bc1fa0234754fb2181cce5e346784070e6

Download Submit
C:\Windows\system32\Recovery\ReAgent.xml
Filesize
1KB

MD5
44b2da39ceb2c183d5dcd43aa128c2dd

SHA1
502723d48caf7bb6e50867685378b28e84999d8a

SHA256
894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d

SHA512
17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604

Download Submit
memory/116-150-0x0000000000000000-mapping.dmp

Download
memory/596-151-0x0000000000000000-mapping.dmp

Download
memory/616-154-0x0000000000000000-mapping.dmp

Download
memory/716-166-0x0000000000000000-mapping.dmp

Download
memory/920-135-0x0000000000000000-mapping.dmp

Download
memory/1072-133-0x0000000000000000-mapping.dmp

Download
memory/1312-134-0x0000000000000000-mapping.dmp

Download
memory/1412-146-0x0000000000000000-mapping.dmp

Download
memory/1416-163-0x0000000000000000-mapping.dmp

Download
memory/1572-145-0x0000000000000000-mapping.dmp

Download
memory/1580-136-0x0000000000000000-mapping.dmp

Download
memory/1608-162-0x0000000000000000-mapping.dmp

Download
memory/1868-153-0x0000000000000000-mapping.dmp

Download
memory/1928-167-0x0000000000000000-mapping.dmp

Download
memory/1960-140-0x0000000000000000-mapping.dmp

Download
memory/2084-148-0x0000000000000000-mapping.dmp

Download
memory/2268-161-0x0000000000000000-mapping.dmp

Download
memory/2392-152-0x0000000000000000-mapping.dmp

Download
memory/2464-156-0x0000000000000000-mapping.dmp

Download
memory/2664-155-0x0000000000000000-mapping.dmp

Download
memory/2688-158-0x0000000000000000-mapping.dmp

Download
memory/2988-160-0x0000000000000000-mapping.dmp

Download
memory/3140-157-0x0000000000000000-mapping.dmp

Download
memory/3220-164-0x0000000000000000-mapping.dmp

Download
memory/3720-144-0x0000000000000000-mapping.dmp

Download
memory/3812-149-0x0000000000000000-mapping.dmp

Download
memory/4688-168-0x0000000000000000-mapping.dmp

Download
memory/4764-165-0x0000000000000000-mapping.dmp

Download
memory/4900-132-0x0000000000000000-mapping.dmp

Download
memory/4936-159-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads