Analysis

  • max time kernel
    91s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-01-2023 08:03

General

  • Target

    StoreRunMe.cmd

  • Size

    1KB

  • MD5

    1073d04178d921c04a2171776b537aaf

  • SHA1

    e0a975f937579d4d81cdbbf959e6acf656c0d833

  • SHA256

    fd7c4ebb6017b208f8a4930ad63979e3c38ac56ec6da96ca373cc778e9832e24

  • SHA512

    5676897097f6ca4867cff3c1ba4b4565654d46d4fe11f6603a983b0d6996fe9013a158dabbb95ae11610a7addff6cf310be95e31fda9d4c5c6b52449b520da99

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt (5 IoCs)
  • Modifies file permissions (1 TTP, 5 IoCs)
  • Runs .reg file with regedit (2 IoCs)
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (22 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\StoreRunMe.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:488
    • C:\Windows\system32\net.exe
      NET SESSION
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 SESSION
        3⤵
        PID:4348
      • C:\Windows\regedit.exe
        regedit.exe /S Files\regedit1.reg
        2⤵
        • Runs .reg file with regedit
        PID:5028
      • C:\Windows\regedit.exe
        regedit.exe /S Files\regedit2.regS
        2⤵
        • Runs .reg file with regedit
        PID:1584
      • C:\Windows\system32\takeown.exe
        takeown /F "C:\Program Files\WindowsApps"
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2964
      • C:\Windows\system32\icacls.exe
        icacls "C:\Program Files\WindowsApps" /grant "Everyone":F
        2⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:648
    • C:\Windows\system32\xcopy.exe
      xcopy Files\store_depends_from_enterprise "C:\Program Files\WindowsApps\" /e /i /h /y /k /o /x
      2⤵
      PID:2168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "& "".\Files\StoreDependencies.ps1"""
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4036
    • C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\WindowsApps" /grant "ALL APPLICATION PACKAGES":F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3308
    • C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\WindowsApps" /grant "NT SERVICE\TrustedInstaller":F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4620
    • C:\Windows\system32\icacls.exe
      icacls "C:\Program Files\WindowsApps" /grant "System":F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:888
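
The process tree above is one procedure: NET SESSION (the usual batch idiom for testing whether the prompt is elevated), two silent .reg imports, then takeown followed by a run of icacls /grant ...:F calls that hand Full Control on C:\Program Files\WindowsApps to Everyone, ALL APPLICATION PACKAGES, TrustedInstaller and System before xcopy writes package files into that directory. The net effect on the host is a weakened DACL on the package store, which outlives the script. The PowerShell audit below is an added example, not part of the sandbox report or of StoreRunMe.cmd: it reads the directory's owner and DACL and reports any Allow entry that gives Full Control to a broad principal. It assumes an elevated session, that the stock Windows 10 ACL has TrustedInstaller as owner and grants Full Control only to TrustedInstaller and SYSTEM, and the function name, parameter names and principal list are this example's own choices.

```powershell
# Added example, not part of the sandbox report or of StoreRunMe.cmd.
# Audits the ACL that the analysed script rewrites (takeown + icacls /grant ...:F on
# C:\Program Files\WindowsApps) and reports the owner plus any Allow ACE that hands
# Full Control to a broad principal. Assumes an elevated PowerShell session.

function Test-WindowsAppsAcl {
    param(
        # Directory targeted by the script in the report; the parameter name is this example's choice.
        [string]$Path = (Join-Path $env:ProgramFiles 'WindowsApps'),
        # Expected owner on a stock Windows 10 image (assumption matching the default install).
        [string]$ExpectedOwner = 'NT SERVICE\TrustedInstaller'
    )

    # Principals that do not hold Full Control on WindowsApps by default. ALL APPLICATION
    # PACKAGES is present in the stock DACL, but with read/execute only, so an (F) grant to
    # it (as in the report) is flagged too. The list is an assumption for this example.
    $broadPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'
    )

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        throw "Cannot read the DACL of '$Path' (run elevated): $($_.Exception.Message)"
    }

    $fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl  # 0x1F01FF
    $genericAll  = 0x10000000  # GENERIC_ALL, how inherit-only ACEs often surface

    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        $isFull = (($rights -band $fullControl) -eq $fullControl) -or (($rights -band $genericAll) -ne 0)
        if ($isFull -and ($broadPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    [pscustomobject]@{
        Path         = $Path
        Owner        = $acl.Owner
        OwnerChanged = ($acl.Owner -ne $ExpectedOwner)
        BroadGrants  = @($findings)
    }
}

$result = Test-WindowsAppsAcl
Write-Host "Owner of $($result.Path): $($result.Owner)"
if ($result.OwnerChanged) {
    Write-Warning 'Owner is not TrustedInstaller: takeown /F has likely been run against this directory.'
}
if ($result.BroadGrants.Count -gt 0) {
    Write-Warning 'Full Control granted to broad principals (the icacls /grant ...:F pattern from the report):'
    $result.BroadGrants | Format-Table Principal, Rights, Inherited -AutoSize
} else {
    Write-Host 'No broad Full Control grants found.'
}
```

On a host where the script has run, the audit reports the owner as the user who ran it (takeown without /A assigns ownership to the caller) and lists Everyone and ALL APPLICATION PACKAGES with FullControl. Cleanup is the inverse of the script: `icacls "C:\Program Files\WindowsApps" /remove:g Everyone` to drop the added grant and `icacls "C:\Program Files\WindowsApps" /setowner "NT SERVICE\TrustedInstaller"` to hand ownership back. For detection, process-creation telemetry is enough: takeown /F or icacls /grant with "Everyone":F against a path under Program Files is rare in legitimate administration and matches every icacls line in the tree above.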

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • File Permissions Modification, T1222 (1)


Downloads

  • memory/648-137-0x0000000000000000-mapping.dmp
  • memory/888-145-0x0000000000000000-mapping.dmp
  • memory/1584-135-0x0000000000000000-mapping.dmp
  • memory/2168-138-0x0000000000000000-mapping.dmp
  • memory/2964-136-0x0000000000000000-mapping.dmp
  • memory/3308-143-0x0000000000000000-mapping.dmp
  • memory/4036-139-0x0000000000000000-mapping.dmp
  • memory/4036-140-0x0000022C5B200000-0x0000022C5B222000-memory.dmp (Filesize: 136KB)
  • memory/4036-141-0x00007FF87D870000-0x00007FF87E331000-memory.dmp (Filesize: 10.8MB)
  • memory/4036-142-0x00007FF87D870000-0x00007FF87E331000-memory.dmp (Filesize: 10.8MB)
  • memory/4348-133-0x0000000000000000-mapping.dmp
  • memory/4620-144-0x0000000000000000-mapping.dmp
  • memory/5028-134-0x0000000000000000-mapping.dmp
  • memory/5040-132-0x0000000000000000-mapping.dmp