Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 01-03-2024 00:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: winact.bat
  - Resource: win7-20240221-en
General
- Target: winact.bat
- Size: 954KB
- MD5: 65f4fdd243532ebcab61bcf9916623a2
- SHA1: de664b1bd89ee8101a651878aa28cd71ae71721e
- SHA256: 6626cdbc6e4f16638523acfb157386e1294df9829d6b124e385a487c2dcfad90
- SHA512: 576fb719fcb544e43fdf4843613ac5c81f46451840b928bf0276407b0d0213f859ea8c87f9bf1b345264bd4b0f04d00018a1e0567882474e6bfc5805f688a720
- SSDEEP: 24576:Lsq0VLxdxvKdEAwEUMxhaZx/U1cWnl0kH:LWLxJEJ4DSTnljH
Malware Config
Signatures
- Possible privilege escalation attempt (3 IoCs)
  Processes: PID 2892 icacls.exe, PID 2124 takeown.exe, PID 2852 icacls.exe
- Modifies file permissions (1 TTP, 3 IoCs)
  Processes: PID 2124 takeown.exe, PID 2852 icacls.exe, PID 2892 icacls.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PID 2944 powershell.exe, PID 2516 powershell.exe, PID 2528 powershell.exe, PID 2388 powershell.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token SeTakeOwnershipPrivilege: PID 2124 takeown.exe
  Token SeDebugPrivilege: PID 2944 powershell.exe
  Token SeDebugPrivilege: PID 2516 powershell.exe
  Token SeDebugPrivilege: PID 2528 powershell.exe
  Token SeDebugPrivilege: PID 2388 powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs; each child spawn is recorded as three write events)
  PID 2228 cmd.exe wrote to memory of PID 2124 takeown.exe (3 events)
  PID 2228 cmd.exe wrote to memory of PID 2852 icacls.exe (3 events)
  PID 2228 cmd.exe wrote to memory of PID 2892 icacls.exe (3 events)
  PID 2228 cmd.exe wrote to memory of PID 2944 powershell.exe (3 events)
  PID 2228 cmd.exe wrote to memory of PID 2516 powershell.exe (3 events)
  PID 2228 cmd.exe wrote to memory of PID 2528 powershell.exe (3 events)
  PID 2228 cmd.exe wrote to memory of PID 2388 powershell.exe (3 events)
Processes
- C:\Windows\system32\cmd.exe (PID 2228)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\winact.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\takeown.exe (PID 2124)
    Command line: takeown /F C:\Windows\System32\sppsvc.exe
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\icacls.exe (PID 2852)
    Command line: icacls C:\Windows\System32 /grant administrators:F /T
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\system32\icacls.exe (PID 2892)
    Command line: icacls C:\Windows\System32\spp /grant administrators:F /T
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2944)
    Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2516)
    Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2528)
    Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2388)
    Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
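Read together, the process tree is a single procedure driven by cmd.exe (PID 2228): take ownership of the Software Protection service binary sppsvc.exe, grant Administrators full control recursively over C:\Windows\System32 and C:\Windows\System32\spp, then grant the sppsvc service account FullControl on the four Software Protection registry keys. The recursive icacls grant on System32 outlives the script and is worth checking on any host where this ran (plain `icacls C:\Windows\System32` lists the resulting ACL). The following Python detection logic is an added example and is not part of the sandbox report or the sample: it replays constructed Sysmon/4688-style process-creation events modelled on the PIDs and command lines above (the parent PID of cmd.exe, the two benign decoy events and the behaviour label names are assumptions), labels each event, extracts the registry keys the Set-Acl one-liners touched, and correlates the labelled children by parent PID so the chain is reported as one finding rather than seven unrelated alerts.

```python
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _spp_acl_cmd(key):
    """Rebuild the PowerShell one-liner from the report for a given registry key
    (same text as the report, parameterised so the sample events stay short)."""
    return (
        f"powershell.exe -c $acl = Get-Acl '{key}'; "
        "$rule = New-Object System.Security.AccessControl.RegistryAccessRule "
        "('NT Service\\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); "
        f"$acl.SetAccessRule($rule); Set-Acl -Path '{key}' -AclObject $acl"
    )


# Constructed process-creation events (Sysmon event 1 / Security 4688 fields).
# PIDs and command lines follow the report; the cmd.exe parent PID 1180 and the
# two benign decoys under parent 3100 are assumptions added for the example.
SAMPLE_EVENTS = [
    {"pid": 2228, "ppid": 1180, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\winact.bat"'},
    {"pid": 2124, "ppid": 2228, "image": r"C:\Windows\system32\takeown.exe",
     "cmd": r"takeown /F C:\Windows\System32\sppsvc.exe"},
    {"pid": 2852, "ppid": 2228, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r"icacls C:\Windows\System32 /grant administrators:F /T"},
    {"pid": 2892, "ppid": 2228, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r"icacls C:\Windows\System32\spp /grant administrators:F /T"},
    {"pid": 2944, "ppid": 2228, "image": PS,
     "cmd": _spp_acl_cmd(r"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform")},
    {"pid": 2516, "ppid": 2228, "image": PS,
     "cmd": _spp_acl_cmd(r"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP")},
    {"pid": 2528, "ppid": 2228, "image": PS,
     "cmd": _spp_acl_cmd(r"HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC")},
    {"pid": 2388, "ppid": 2228, "image": PS,
     "cmd": _spp_acl_cmd(r"HKLM:\SYSTEM\WPA")},
    # Decoys: an ACL change on a user file and an ordinary PowerShell command.
    {"pid": 3101, "ppid": 3100, "image": r"C:\Windows\system32\icacls.exe",
     "cmd": r"icacls C:\Users\Admin\Documents\notes.txt /grant Admin:R"},
    {"pid": 3102, "ppid": 3100, "image": PS,
     "cmd": r"powershell.exe -c Get-ChildItem C:\Temp"},
]

SYSTEM32 = r"c:\windows\system32"
# Lower-cased fragments of the four Software Protection keys from the report.
SPP_KEY_MARKERS = ("softwareprotectionplatform", r"\currentversion\spp",
                   r"\services\sppsvc", r"\system\wpa")
SET_ACL_PATH = re.compile(r"set-acl\s+-path\s+'([^']+)'", re.IGNORECASE)


def classify(event):
    """Label one process-creation event, or return None when it looks benign."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmd"].lower()
    args = cmd.split()
    if image == "takeown.exe" and SYSTEM32 in cmd:
        return "takeown_system32_file"
    if (image == "icacls.exe" and "/grant" in args and "/t" in args
            and any(a.startswith(SYSTEM32) for a in args)
            and re.search(r"administrators:\(?f\)?", cmd)):
        return "icacls_system32_recursive_full"
    if (image == "powershell.exe" and "set-acl" in cmd and "fullcontrol" in cmd
            and "nt service\\sppsvc" in cmd
            and any(m in cmd for m in SPP_KEY_MARKERS)):
        return "sppsvc_registry_fullcontrol"
    return None


def registry_targets(events):
    """Registry keys whose ACL the matched Set-Acl one-liners rewrote, in order."""
    keys = []
    for ev in events:
        if classify(ev) == "sppsvc_registry_fullcontrol":
            match = SET_ACL_PATH.search(ev["cmd"])
            if match:
                keys.append(match.group(1))
    return keys


def detect(events):
    """Group labelled children by parent PID and report every parent that drove
    at least two distinct behaviours: the whole chain becomes one finding."""
    by_parent = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            by_parent[ev["ppid"]].append((ev["pid"], label))
    chains = []
    for ppid, hits in sorted(by_parent.items()):
        labels = sorted({lbl for _, lbl in hits})
        if len(labels) >= 2:
            chains.append({"parent_pid": ppid, "behaviours": labels,
                           "child_pids": sorted(pid for pid, _ in hits)})
    return chains


if __name__ == "__main__":
    for chain in detect(SAMPLE_EVENTS):
        print(chain)
    print(registry_targets(SAMPLE_EVENTS))
```

Requiring two distinct behaviours under one parent keeps a lone administrative icacls or takeown from firing, while the registry rule keys on the combination of Set-Acl, FullControl and the NT Service\sppsvc principal rather than on PowerShell alone, so the decoy events are ignored and only PID 2228 is reported.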
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ef4fa9d7b3b2fb4b4aff1d4dff2a4318
  SHA1: 0e7390b004386ccf207d40552d619d40efa0a72f
  SHA256: f21f4290f360a216570df6de51c96e44e80eb38341fc6aaef01de94ec0c37284
  SHA512: 21f36e2a73834a6188f7cbbea50b75e84648190a935518505a98cf103815ea1fbc6d6543e797a4182eb56010952bfb05763cb9ce2134bd41e9ab44657c0e5b94
  Note: a .customDestinations-ms file under the user's Recent folder is a Windows jump-list entry written by the shell when the sample was opened, i.e. host-side residue of launching winact.bat rather than a file the sample retrieved.