Overview

overview

8

Static

static

1

cmd.bat.ps1

windows7-x64

8

cmd.bat.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    1s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19-03-2023 20:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cmd.bat.ps1

  • Size

    86B

  • MD5

    f1c4769cc00061e40db7079ed27ff5c5

  • SHA1

    1930a2b913a10973e1daf0bf045f051516336df4

  • SHA256

    ed0494f83716766320067c65c2ef602086f36d540a97facf3bf9d55b894dde36

  • SHA512

    05a69396ea22a62047d4642fa237ace68b7b01e167e6b014b9a1783aecdf01ede5321d92866e7c73c4908f7fc5d2d96b060c86aa5374da972f3cddca38c373b6

Score
8/10
discoveryexploit

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
    exploit
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cmd.bat.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\system32\takeown.exe
      "C:\Windows\system32\takeown.exe" /f C:\Windows\System32
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:444
    • C:\Windows\system32\icacls.exe
      "C:\Windows\system32\icacls.exe" C:\Windows\System32
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/904-58-0x000000001B2A0000-0x000000001B582000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/904-59-0x00000000024A0000-0x00000000024A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/904-61-0x000000000283B000-0x0000000002872000-memory.dmp
    Filesize

    220KB

    Download
  • memory/904-60-0x0000000002834000-0x0000000002837000-memory.dmp
    Filesize

    12KB

    Download