fd7c4ebb6017b208f8a4930ad63979e3c38ac56ec6da96ca373cc778e9832e24

General

Target

StoreRunMe.cmd
Size

1KB
MD5

1073d04178d921c04a2171776b537aaf
SHA1

e0a975f937579d4d81cdbbf959e6acf656c0d833
SHA256

fd7c4ebb6017b208f8a4930ad63979e3c38ac56ec6da96ca373cc778e9832e24
SHA512

5676897097f6ca4867cff3c1ba4b4565654d46d4fe11f6603a983b0d6996fe9013a158dabbb95ae11610a7addff6cf310be95e31fda9d4c5c6b52449b520da99

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 5 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

832 takeown.exe
1452 icacls.exe
620 icacls.exe
440 icacls.exe
1548 icacls.exe
Modifies file permissions 1 TTPs 5 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid process

1452 icacls.exe
620 icacls.exe
440 icacls.exe
1548 icacls.exe
832 takeown.exe
Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1396 regedit.exe
1108 regedit.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1764 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exepowershell.exe

description pid process

Token: SeTakeOwnershipPrivilege 832 takeown.exe
Token: SeDebugPrivilege 1764 powershell.exe

pid	process
832	takeown.exe
1452	icacls.exe
620	icacls.exe
440	icacls.exe
1548	icacls.exe

pid	process
1452	icacls.exe
620	icacls.exe
440	icacls.exe
1548	icacls.exe
832	takeown.exe

pid	process
1396	regedit.exe
1108	regedit.exe

pid	process
1764	powershell.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	832	takeown.exe
Token: SeDebugPrivilege	1764	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 1972 wrote to memory of 2032	1972	cmd.exe	net.exe
PID 1972 wrote to memory of 2032	1972	cmd.exe	net.exe
PID 1972 wrote to memory of 2032	1972	cmd.exe	net.exe
PID 2032 wrote to memory of 1560	2032	net.exe	net1.exe
PID 2032 wrote to memory of 1560	2032	net.exe	net1.exe
PID 2032 wrote to memory of 1560	2032	net.exe	net1.exe
PID 1972 wrote to memory of 1396	1972	cmd.exe	regedit.exe
PID 1972 wrote to memory of 1396	1972	cmd.exe	regedit.exe
PID 1972 wrote to memory of 1396	1972	cmd.exe	regedit.exe
PID 1972 wrote to memory of 1108	1972	cmd.exe	regedit.exe
PID 1972 wrote to memory of 1108	1972	cmd.exe	regedit.exe
PID 1972 wrote to memory of 1108	1972	cmd.exe	regedit.exe
PID 1972 wrote to memory of 832	1972	cmd.exe	takeown.exe
PID 1972 wrote to memory of 832	1972	cmd.exe	takeown.exe
PID 1972 wrote to memory of 832	1972	cmd.exe	takeown.exe
PID 1972 wrote to memory of 1452	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 1452	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 1452	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 2044	1972	cmd.exe	xcopy.exe
PID 1972 wrote to memory of 2044	1972	cmd.exe	xcopy.exe
PID 1972 wrote to memory of 2044	1972	cmd.exe	xcopy.exe
PID 1972 wrote to memory of 1764	1972	cmd.exe	powershell.exe
PID 1972 wrote to memory of 1764	1972	cmd.exe	powershell.exe
PID 1972 wrote to memory of 1764	1972	cmd.exe	powershell.exe
PID 1972 wrote to memory of 620	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 620	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 620	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 440	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 440	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 440	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 1548	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 1548	1972	cmd.exe	icacls.exe
PID 1972 wrote to memory of 1548	1972	cmd.exe	icacls.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\StoreRunMe.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\net.exe
NET SESSION
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\regedit.exe
regedit.exe /S Files\regedit1.reg
2⤵
- Runs .reg file with regedit
PID:1396

C:\Windows\regedit.exe
regedit.exe /S Files\regedit2.regS
2⤵
- Runs .reg file with regedit
PID:1108

C:\Windows\system32\takeown.exe
takeown /F "C:\Program Files\WindowsApps"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant "Everyone":F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1452

C:\Windows\system32\xcopy.exe
xcopy Files\store_depends_from_enterprise "C:\Program Files\WindowsApps\" /e /i /h /y /k /o /x
2⤵
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "& "".\Files\StoreDependencies.ps1"""
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant "ALL APPLICATION PACKAGES":F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:620

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant "NT SERVICE\TrustedInstaller":F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:440

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\WindowsApps" /grant "System":F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 SESSION
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/440-71-0x0000000000000000-mapping.dmp

Download
memory/620-70-0x0000000000000000-mapping.dmp

Download
memory/832-60-0x0000000000000000-mapping.dmp

Download
memory/1108-58-0x0000000000000000-mapping.dmp

Download
memory/1396-56-0x0000000000000000-mapping.dmp

Download
memory/1396-57-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/1452-61-0x0000000000000000-mapping.dmp

Download
memory/1548-72-0x0000000000000000-mapping.dmp

Download
memory/1560-55-0x0000000000000000-mapping.dmp

Download
memory/1764-63-0x0000000000000000-mapping.dmp

Download
memory/1764-67-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1764-66-0x000007FEF33E0000-0x000007FEF3F3D000-memory.dmp

Filesize
11.4MB

Download
memory/1764-68-0x00000000028D4000-0x00000000028D7000-memory.dmp

Filesize
12KB

Download
memory/1764-69-0x00000000028DB000-0x00000000028FA000-memory.dmp

Filesize
124KB

Download
memory/1764-65-0x000007FEF3F40000-0x000007FEF4963000-memory.dmp

Filesize
10.1MB

Download
memory/2032-54-0x0000000000000000-mapping.dmp

Download
memory/2044-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing