6422054718a1ee57b8d427f3a3f98be47131c6b154892ac402b20dfe9554fc10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FREE MS/add.bat
Size

496B
MD5

a1378148102c610afc9c4e9aa588abce
SHA1

9dfe7164f6edfb1d193c0b7cb8edc686f0e18778
SHA256

9f519a91ee189e9aa040ee3940359815a47878f3ee927ae4e14a2bf08b10dfec
SHA512

fe866ad466f40491b6ef3629b01a7bc491adbba8aa4267622b06ac70043db426a5f74a9c1c0aba311cfc01ced48cf5dad985bd736da3cb1383fbed1f86824a1f

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3508 takeown.exe
1072 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3508 takeown.exe
1072 icacls.exe
Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\CompPkgSup.dll cmd.exe
File created C:\Windows\System32\CompPkgSup.dll cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 3508 takeown.exe

pid	process
3508	takeown.exe
1072	icacls.exe

pid	process
3508	takeown.exe
1072	icacls.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CompPkgSup.dll	cmd.exe
File created	C:\Windows\System32\CompPkgSup.dll	cmd.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3508	takeown.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3940 wrote to memory of 3508	3940	cmd.exe	takeown.exe
PID 3940 wrote to memory of 3508	3940	cmd.exe	takeown.exe
PID 3940 wrote to memory of 1072	3940	cmd.exe	icacls.exe
PID 3940 wrote to memory of 1072	3940	cmd.exe	icacls.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FREE MS\add.bat"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\system32\takeown.exe
takeown /F C:\Windows\System32\CompPkgSup.dll
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\CompPkgSup.dll /grant Administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads