Analysis
- max time kernel: 94s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-10-2022 17:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: 111.90.151.174_7777__destroy.bat
- Resource: win7-20220901-en
General
- Target: 111.90.151.174_7777__destroy.bat
- Size: 2KB
- MD5: 584db4d4d5e53b628193790c77f84d58
- SHA1: ba7c740867ad6184e9971735cc6d1bedf1443078
- SHA256: 5218ed9598e05be41fc39d056e038c1a6fb054444ee3c5e8e54714ce1d258448
- SHA512: 05f5e8185714f068c0f804095867e1d875c0f970f61078f3f42effae565baf7a507daf841037df777745882901af74f40e18ade08f743ad368cb2b18c0eced6e
Malware Config
Signatures
- Possible privilege escalation attempt (26 IoCs)
  Processes (pid, image): 1072 takeown.exe; 4936 takeown.exe; 3220 icacls.exe; 4764 takeown.exe; 1928 takeown.exe; 1572 icacls.exe; 116 icacls.exe; 2084 icacls.exe; 3812 takeown.exe; 2392 icacls.exe; 1868 takeown.exe; 616 icacls.exe; 2464 icacls.exe; 1312 icacls.exe; 3720 takeown.exe; 2988 icacls.exe; 716 icacls.exe; 3140 takeown.exe; 2688 icacls.exe; 2664 takeown.exe; 2268 takeown.exe; 1608 icacls.exe; 1416 takeown.exe; 4688 icacls.exe; 1412 takeown.exe; 596 takeown.exe
- Modifies file permissions (1 TTPs, 26 IoCs)
  Processes (pid, image): 4936 takeown.exe; 1072 takeown.exe; 3720 takeown.exe; 1412 takeown.exe; 2084 icacls.exe; 3140 takeown.exe; 1928 takeown.exe; 1312 icacls.exe; 596 takeown.exe; 2392 icacls.exe; 1868 takeown.exe; 1416 takeown.exe; 1608 icacls.exe; 3220 icacls.exe; 4688 icacls.exe; 1572 icacls.exe; 3812 takeown.exe; 116 icacls.exe; 2664 takeown.exe; 2988 icacls.exe; 716 icacls.exe; 616 icacls.exe; 2464 icacls.exe; 2688 icacls.exe; 2268 takeown.exe; 4764 takeown.exe
- Drops file in System32 directory (2 IoCs)
  - File opened for modification: C:\Windows\system32\Recovery (ReAgentc.exe)
  - File opened for modification: C:\Windows\system32\Recovery\ReAgent.xml (ReAgentc.exe)
- Drops file in Windows directory (12 IoCs), all by ReAgentc.exe
  - File opened for modification: C:\Windows\Panther\UnattendGC\setuperr.log
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagwrn.xml
  - File opened for modification: C:\Windows\Panther\UnattendGC\setuperr.log
  - File opened for modification: C:\Windows\Logs\Reagent
  - File opened for modification: C:\Windows\Panther\UnattendGC\setupact.log
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagerr.xml
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagwrn.xml
  - File opened for modification: C:\Windows\Logs\ReAgent\ReAgent.log
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagerr.xml
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagerr.xml
  - File opened for modification: C:\Windows\Panther\UnattendGC\diagwrn.xml
  - File opened for modification: C:\Windows\Panther\UnattendGC\setuperr.log
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Token: SeTakeOwnershipPrivilege, enabled by takeown.exe with pid 1072; 3720; 3812; 596; 2664; 3140; 4936; 2268; 1416; 4764; 1928
- Suspicious use of WriteProcessMemory (60 IoCs)
  The report lists each parent/child pair below twice (30 distinct pairs, 60 entries):
  - PID 4912 (cmd.exe) wrote to memory of PID 4900 (cmd.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1072 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1312 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 920 (ReAgentc.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1580 (ReAgentc.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1960 (ReAgentc.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 3720 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1572 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1412 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 2084 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 3812 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 116 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 596 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 2392 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1868 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 616 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 2664 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 2464 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 3140 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 2688 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 4936 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 2988 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 2268 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1608 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1416 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 3220 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 4764 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 716 (icacls.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 1928 (takeown.exe)
  - PID 4900 (cmd.exe) wrote to memory of PID 4688 (icacls.exe)
Processes (process tree; nesting shows parent/child)
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\111.90.151.174_7777__destroy.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\111.90.151.174_7777__destroy.bat" MY_FLAG
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\rstrui.exe"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\rstrui.exe" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\System32\ReAgentc.exe
      Command line: REAGENTC.EXE /disable
      Signatures: Drops file in System32 directory; Drops file in Windows directory
    - C:\Windows\System32\ReAgentc.exe
      Command line: REAGENTC.EXE /disable /logpath C:\Temp\Reagent.log
      Signatures: Drops file in Windows directory
    - C:\Windows\System32\ReAgentc.exe
      Command line: REAGENTC.EXE /disable /logpath C:\Windows\Logs\Reagent
      Signatures: Drops file in Windows directory
    - C:\Windows\System32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\ReAgentc.exe"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\ReAgentc.exe" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\System32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\Logs\ReAgent\ReAgent.log"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\System32\icacls.exe
      Command line: ICACLS "C:\Windows\Logs\ReAgent\ReAgent.log" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\Logs\WinREAgent\diagerr.xml"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\Logs\WinREAgent\diagerr.xml" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\Logs\WinREAgent\diagwrn.xml"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\Logs\WinREAgent\diagwrn.xml" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\Recovery\ReAgent.xml"
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\Logs\WinREAgent\diagwrn.xml" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\Recovery\ReAgent.dll"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\Recovery\ReAgent.dll" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\Recovery\ReAgentTask.dll"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\Recovery\ReAgentTask.dll" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\Recovery\recdisc.exe"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\Recovery\recdisc.exe" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\Recovery\recovery.exe"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\Recovery\recovery.exe" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\Recovery\recovery.dll"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\Recovery\recovery.dll" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\Recovery\recovery.dll"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\Recovery\recovery.dll" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\takeown.exe
      Command line: TAKEOWN /F "C:\Windows\System32\Recovery\RecoveryDrive.exe"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\Recovery\RecoveryDrive.exe" /grant Admin:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\Logs\ReAgent\ReAgent.log
  Filesize: 2KB
  MD5: 6e7b19347001164c9d00e0f40b723f22
  SHA1: 3212d1796d324b67350c8ef2e32e3e1ebc389bd0
  SHA256: 12ecf43dc69ab988152e7af2a38e24623d27acba17b5358dbaa59c35e5aa38cb
  SHA512: 924a41f3076647af7b768d9972906a50dd88a18f64dd43a8c81bfe593bb69b4660b8276cada4caeab070661b6c5b67b1dc7e4e34e652721418a429d2dee73b81
- C:\Windows\Panther\UnattendGC\diagerr.xml
  Filesize: 11KB
  MD5: 646c99592c86878d677ab1e52bb63def
  SHA1: 51c5eac20436cb430620a2b432f58fda85bb3044
  SHA256: f6bebdba9f494bf9e5c35dc18acbcf026e46af22390b6789bebc340d906ead70
  SHA512: 954dcbecdd1e57036a24217adcf46c047c4eddd2f62e024044fd826c74ed773b6b8c406f23d12afd765300ff2177b5dbaa55d9a7570787cb930b1f3ffb093267
- C:\Windows\Panther\UnattendGC\diagerr.xml
  Filesize: 13KB
  MD5: 9068d02eef9ef728943f408a3d82f555
  SHA1: 97cf6ad2e21ecd3984a2337a0c5b7840be27f03f
  SHA256: af68db8dec67db0aae695d0a1ce5361c6251e01d9e778414c22c07fe555f5580
  SHA512: 3bf5d50ad0d00b654c3307dc82cbc443bdce51ff509ea846f98305b6a8f981b006ccd2b8994d73f2b91e4f0c5e583e1e86959dd4abf36af0d0f1c38dd6149b35
- C:\Windows\Panther\UnattendGC\diagwrn.xml
  Filesize: 14KB
  MD5: a8acd862f8a8a55a7651afd34c6aa25a
  SHA1: 20a2649285f2fb15efa53e0bdd266970ee635bc5
  SHA256: 9ea89ba8c519a6dc4286fe78f1dd957fc97da85ceb2f430dbab103a82b9b9bbd
  SHA512: 2123b422ad2adebf7d4a68e979fb7d97b542cc705a61b2c11df17cb208a4cdbdaaa94cceb1f2bb4c7c0f936ce26493f38b519cfbcdff488ccebd6ef7e12b44e3
- C:\Windows\Panther\UnattendGC\diagwrn.xml
  Filesize: 16KB
  MD5: 806253980cccedf085519b9b7b935917
  SHA1: 39cdf43ae62a7d8712953a749171bc026ec3db4d
  SHA256: 402cf436b4461cdd94fd98ea57e35f09c2bdcdb5fd75513d19507d8db4435b68
  SHA512: ee43acc1a8f32b5edcf33c444faab6ab29b46f0f20eab43d52e78cfefd46ed6de33184da381864e46ce8718ba146bfa6962efdfa2090822040caca7cedd33dbe
- C:\Windows\Panther\UnattendGC\setuperr.log
  Filesize: 326B
  MD5: de4e9dfbd99519ecce425671f8be5ab0
  SHA1: 91c63d6ad9c12e9a52c66f81a65c05f6bb1be9e9
  SHA256: 92d477ffe4e898eba6f0bf9f3fb9b98afa637743f9ff1881237e8f65c1fa5e58
  SHA512: 926d27af21aae2e6902ceff9b504bafa2ec0c4c3e424b10ee96727c1e0a3a0fc1e316361b07ddf8898c225247ef813bc1fa0234754fb2181cce5e346784070e6
- C:\Windows\system32\Recovery\ReAgent.xml
  Filesize: 1KB
  MD5: 44b2da39ceb2c183d5dcd43aa128c2dd
  SHA1: 502723d48caf7bb6e50867685378b28e84999d8a
  SHA256: 894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d
  SHA512: 17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604
Memory dumps (one per child process, named pid-index):
- memory/116-150-0x0000000000000000-mapping.dmp
- memory/596-151-0x0000000000000000-mapping.dmp
- memory/616-154-0x0000000000000000-mapping.dmp
- memory/716-166-0x0000000000000000-mapping.dmp
- memory/920-135-0x0000000000000000-mapping.dmp
- memory/1072-133-0x0000000000000000-mapping.dmp
- memory/1312-134-0x0000000000000000-mapping.dmp
- memory/1412-146-0x0000000000000000-mapping.dmp
- memory/1416-163-0x0000000000000000-mapping.dmp
- memory/1572-145-0x0000000000000000-mapping.dmp
- memory/1580-136-0x0000000000000000-mapping.dmp
- memory/1608-162-0x0000000000000000-mapping.dmp
- memory/1868-153-0x0000000000000000-mapping.dmp
- memory/1928-167-0x0000000000000000-mapping.dmp
- memory/1960-140-0x0000000000000000-mapping.dmp
- memory/2084-148-0x0000000000000000-mapping.dmp
- memory/2268-161-0x0000000000000000-mapping.dmp
- memory/2392-152-0x0000000000000000-mapping.dmp
- memory/2464-156-0x0000000000000000-mapping.dmp
- memory/2664-155-0x0000000000000000-mapping.dmp
- memory/2688-158-0x0000000000000000-mapping.dmp
- memory/2988-160-0x0000000000000000-mapping.dmp
- memory/3140-157-0x0000000000000000-mapping.dmp
- memory/3220-164-0x0000000000000000-mapping.dmp
- memory/3720-144-0x0000000000000000-mapping.dmp
- memory/3812-149-0x0000000000000000-mapping.dmp
- memory/4688-168-0x0000000000000000-mapping.dmp
- memory/4764-165-0x0000000000000000-mapping.dmp
- memory/4900-132-0x0000000000000000-mapping.dmp
- memory/4936-159-0x0000000000000000-mapping.dmp