Analysis
max time kernel: 91s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-03-2024 00:00

Static task: static1
Behavioral task: behavioral1
Sample: winact.bat
Resource: win7-20240221-en

General
Target: winact.bat
Size: 954KB
MD5: 65f4fdd243532ebcab61bcf9916623a2
SHA1: de664b1bd89ee8101a651878aa28cd71ae71721e
SHA256: 6626cdbc6e4f16638523acfb157386e1294df9829d6b124e385a487c2dcfad90
SHA512: 576fb719fcb544e43fdf4843613ac5c81f46451840b928bf0276407b0d0213f859ea8c87f9bf1b345264bd4b0f04d00018a1e0567882474e6bfc5805f688a720
SSDEEP: 24576:Lsq0VLxdxvKdEAwEUMxhaZx/U1cWnl0kH:LWLxJEJ4DSTnljH
Malware Config
Signatures

Possible privilege escalation attempt (3 IoCs)
Processes:
  pid   process
  1888  icacls.exe
  2888  icacls.exe
  4952  takeown.exe

Modifies file permissions (1 TTPs, 3 IoCs)
Processes:
  pid   process
  1888  icacls.exe
  2888  icacls.exe
  4952  takeown.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  pid   process
  1396  powershell.exe
  1396  powershell.exe
  4700  powershell.exe
  4700  powershell.exe
  2992  powershell.exe
  2992  powershell.exe
  1344  powershell.exe
  1344  powershell.exe
  3084  powershell.exe
  3084  powershell.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  description                       pid   process
  Token: SeTakeOwnershipPrivilege   4952  takeown.exe
  Token: SeDebugPrivilege           1396  powershell.exe
  Token: SeDebugPrivilege           4700  powershell.exe
  Token: SeDebugPrivilege           2992  powershell.exe
  Token: SeDebugPrivilege           1344  powershell.exe
  Token: SeDebugPrivilege           3084  powershell.exe
  Token: SeBackupPrivilege          3084  powershell.exe
  Token: SeBackupPrivilege          3084  powershell.exe
  Token: SeRestorePrivilege         3084  powershell.exe
  Token: SeSecurityPrivilege        3084  powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  description                          pid   process   target process
  PID 4112 wrote to memory of 4952     4112  cmd.exe   takeown.exe
  PID 4112 wrote to memory of 4952     4112  cmd.exe   takeown.exe
  PID 4112 wrote to memory of 1888     4112  cmd.exe   icacls.exe
  PID 4112 wrote to memory of 1888     4112  cmd.exe   icacls.exe
  PID 4112 wrote to memory of 2888     4112  cmd.exe   icacls.exe
  PID 4112 wrote to memory of 2888     4112  cmd.exe   icacls.exe
  PID 4112 wrote to memory of 1396     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 1396     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 4700     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 4700     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 2992     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 2992     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 1344     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 1344     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 3084     4112  cmd.exe   powershell.exe
  PID 4112 wrote to memory of 3084     4112  cmd.exe   powershell.exe
Processes

C:\Windows\system32\cmd.exe (PID 4112)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\winact.bat"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\system32\takeown.exe (PID 4952)
    Command line: takeown /F C:\Windows\System32\sppsvc.exe
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\icacls.exe (PID 1888)
    Command line: icacls C:\Windows\System32 /grant administrators:F /T
    Signatures: Possible privilege escalation attempt; Modifies file permissions

  C:\Windows\system32\icacls.exe (PID 2888)
    Command line: icacls C:\Windows\System32\spp /grant administrators:F /T
    Signatures: Possible privilege escalation attempt; Modifies file permissions

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1396)
    Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4700)
    Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2992)
    Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1344)
    Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3084)
    Command line: powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe (PID 1544)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Downloads