Analysis

  • max time kernel
    91s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-03-2024 00:00

General

  • Target

    winact.bat

  • Size

    954KB

  • MD5

    65f4fdd243532ebcab61bcf9916623a2

  • SHA1

    de664b1bd89ee8101a651878aa28cd71ae71721e

  • SHA256

    6626cdbc6e4f16638523acfb157386e1294df9829d6b124e385a487c2dcfad90

  • SHA512

    576fb719fcb544e43fdf4843613ac5c81f46451840b928bf0276407b0d0213f859ea8c87f9bf1b345264bd4b0f04d00018a1e0567882474e6bfc5805f688a720

  • SSDEEP

    24576:Lsq0VLxdxvKdEAwEUMxhaZx/U1cWnl0kH:LWLxJEJ4DSTnljH

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 3 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\winact.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Windows\system32\takeown.exe
      takeown /F C:\Windows\System32\sppsvc.exe
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4952
    • C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32 /grant administrators:F /T
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1888
    • C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\spp /grant administrators:F /T
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3084
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1544

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      8fe7bd6cd1d64bcdabbf2e2ae72c5a28

      SHA1

      5e1080c3b8cc4c5bffc73ffe6d45fa073335d0de

      SHA256

      5054cd4d79ca09e90169cdaee05c1e3dfc5d6fa1ad1275e11fd094521fed3fb8

      SHA512

      658004888ba70fa4a8c4b573d439496532c08b81afdc0b2419187c2ec9f3e42408d9a7c2bd2c73efd06fd5ada7ea57e1bb5d188e57ead32a7c0c900a82099f68

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      6bacbdfa362c3dabcb200c9accfbd836

      SHA1

      32869e376a77f4a1e609d191fc252c409a04e8ad

      SHA256

      395e9885ff8593eb2002301c85919f0aadf6af6fa42b2cb78441e1e926e575a9

      SHA512

      7427d35c4a508641ad0ffbde4d0192ca038c9be4fb5add6b18220db3d8a7b88e59c12c947a888010a9ed36f62af27c1191edfc0619e6d85899692e345ddcdde2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      33f526f6596f73ba293247cc2e790a94

      SHA1

      d11d735da502cbb913e257f2bf6456f126d91613

      SHA256

      2af624a2765ef3e28d52862732c34c0f1e0947ca0ea0a1151edd898829577088

      SHA512

      9777f3fa777d3d8aef22c0b4f8f33d95ccf575a44a641b308e222725d093dc6b5794a43ac5458bca8264143a566e472e73204621b63b32019e3e0d95e6ff3591

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      9944e1a23780e34a1240b8977eea565d

      SHA1

      a509b71263e790d800970dbfc7f6255fc9ed256d

      SHA256

      1ff2581cf8e69f3ce057ebf7ef736746fc35ee87fbd15baf7846911d97ecfebd

      SHA512

      ac60f75c8cd7cfc012049dd60c9d9b4d3503e6cf3aa9d3a03ce05dd8caab129a2705a5f65fd71c1cb73ec48243265397cd9eeadd1ccbde813aa3a735ff2eea37

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      d52a6cabb7897a46bc444de1db94f68a

      SHA1

      62427bdd0993afd235fc686b6ea2f8826bb5480e

      SHA256

      7f4f3fad38e34c5d655f3017530ca5a62eab4a3bda033db9a240567b1869deec

      SHA512

      60f451295f140fbf5371465ecee1fb89e16a61cc1d52578350cf20a989f0a72492dbd942b0edf4f09eef71ea73124711855cdbe551ffd7545ec336de77729ea6

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4eljoejr.hb0.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1344-60-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/1344-56-0x00000212F61A0000-0x00000212F61B0000-memory.dmp

      Filesize

      64KB

    • memory/1344-46-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/1344-58-0x00000212F61A0000-0x00000212F61B0000-memory.dmp

      Filesize

      64KB

    • memory/1396-12-0x00000244EB2B0000-0x00000244EB2C0000-memory.dmp

      Filesize

      64KB

    • memory/1396-15-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/1396-11-0x00000244EB2B0000-0x00000244EB2C0000-memory.dmp

      Filesize

      64KB

    • memory/1396-10-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/1396-9-0x00000244EB250000-0x00000244EB272000-memory.dmp

      Filesize

      136KB

    • memory/2992-42-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/2992-43-0x0000019FFCE30000-0x0000019FFCE40000-memory.dmp

      Filesize

      64KB

    • memory/2992-45-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/3084-72-0x00000180F47F0000-0x00000180F4800000-memory.dmp

      Filesize

      64KB

    • memory/3084-70-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/3084-73-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/3084-74-0x00000180F47F0000-0x00000180F4800000-memory.dmp

      Filesize

      64KB

    • memory/3084-75-0x00000180F47F0000-0x00000180F4800000-memory.dmp

      Filesize

      64KB

    • memory/3084-77-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/4700-31-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB

    • memory/4700-29-0x0000018857B30000-0x0000018857B40000-memory.dmp

      Filesize

      64KB

    • memory/4700-28-0x0000018857B30000-0x0000018857B40000-memory.dmp

      Filesize

      64KB

    • memory/4700-22-0x00007FFE7D3A0000-0x00007FFE7DE61000-memory.dmp

      Filesize

      10.8MB