Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-07-2024 12:30
Static task: static1

Behavioral task: behavioral1
- Sample: 123.bat
- Resource: win10v2004-20240704-en
- 4 signatures, 150 seconds

Behavioral task: behavioral2
- Sample: 123.bat
- Resource: win11-20240704-en
- 0 signatures, 150 seconds

The Windows 11 run recorded no signatures at all; the four signatures and the process tree below come from behavioral1 (the Windows 10 image) only, and the report gives no reason for the difference, so the empty Windows 11 result should not be read as the sample being benign there.
General
- Target: 123.bat
- Size: 971B
- MD5: 84da054b2dcf27a08d137148f70aaeb3
- SHA1: 1a47062307e9692940a446c6e34befccd7cfe682
- SHA256: 3ff5f6704d9f18875770f787439b5bbd7e4b1a28401d73da79de86a1b0ba8ecf
- SHA512: c41ad98ecbad00a511c1684e14aecb7cbdf3d13b66b3ac9ffaacb2a1af2216f86bd61fad043eeb0e527f397e59088fd7aa3158479141217444c01042c71b0fe9
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    2672  takeown.exe
    3092  icacls.exe
  Taking ownership of C:\Windows\System32 and granting full control over it does not raise the caller's privileges by itself; both commands need an already elevated Administrators token. What they do is strip the TrustedInstaller ownership and ACL that keep system binaries read-only even for administrators, so anything later running in the granted group can overwrite them.
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    pid   process
    2672  takeown.exe
    3092  icacls.exe
  Corresponds to MITRE ATT&CK T1222.001 (File and Directory Permissions Modification: Windows).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                      pid   process
    Token: SeTakeOwnershipPrivilege  2672  takeown.exe
  takeown enables SeTakeOwnershipPrivilege in its own token before touching the target. The privilege is present but disabled in an elevated administrator token and absent from the UAC-filtered one, which is why the script only has an effect when run elevated.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                      pid  process  target process
    PID 868 wrote to memory of 2672  868  cmd.exe  takeown.exe
    PID 868 wrote to memory of 2672  868  cmd.exe  takeown.exe
    PID 868 wrote to memory of 3092  868  cmd.exe  icacls.exe
    PID 868 wrote to memory of 3092  868  cmd.exe  icacls.exe
  These are writes by cmd.exe into the child processes it has just created; CreateProcess does this as part of normal process start-up, so on its own this signature is not evidence of code injection.
Processes
1. C:\Windows\system32\cmd.exe
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\123.bat"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\takeown.exe
      Command line: takeown /f C:\Windows\System32 /a /r /d y
      (/f: target path; /a: give ownership to the Administrators group instead of the current user; /r: recurse into subdirectories and files; /d y: answer "yes" automatically for directories the caller cannot list)
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32 /grant ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç╤ï:F /t
      (/grant <principal>:F: add a full-control ACE; /t: apply recursively. The garbled principal is the UTF-8 encoding of the Cyrillic group name Администраторы, "Administrators", read by cmd.exe through OEM code page 437: the batch file was written for a Russian-locale Windows and saved as UTF-8, so the name reached icacls byte-for-byte garbled. That name cannot resolve on the en-US image used here, and the report records no exit code, so whether the grant was actually applied is not shown.)
      - Possible privilege escalation attempt
      - Modifies file permissions
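Detection logic for the behaviour recorded above, as an added example that is not part of this sandbox report: it flags takeown/icacls/cacls invocations that rewrite the ACL of a protected system directory, keys on the tool, switches and target path rather than on the account name (which, as the icacls line shows, can arrive as mojibake), and tries to recover the original principal by reversing the OEM code-page misdecoding. Event field names (Image, CommandLine, ParentImage, ProcessId) follow Sysmon Event ID 1 and are an assumption; the sample events are constructed from the process tree in this report, plus one benign control, not captured logs.

```python
"""Flag ACL rewrites aimed at protected Windows directories and recover a
principal name that reached icacls as OEM code-page mojibake.

Added example, not part of the sandbox report. Field names follow Sysmon
Event ID 1 (assumption); SAMPLE_EVENTS are constructed, not captured.
"""
from __future__ import annotations

import shlex

# Directories normally owned by TrustedInstaller; a user-launched ACL write
# against any of them is worth an alert regardless of who is being granted.
PROTECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
    r"c:\program files (x86)",
)

# icacls switches that change an ACL; "icacls <dir>" alone only displays it.
ICACLS_WRITE_SWITCHES = ("/grant", "/deny", "/remove", "/setowner", "/reset",
                         "/inheritance", "/setintegritylevel", "/restore")
# cacls equivalents (/e edit, /g grant, /p replace, /r revoke, /d deny).
CACLS_WRITE_SWITCHES = ("/e", "/g", "/p", "/r", "/d")
# Per-tool recursion switch: takeown uses /r, icacls and cacls use /t.
RECURSE_SWITCH = {"takeown.exe": "/r", "icacls.exe": "/t", "cacls.exe": "/t"}

# Constructed events mirroring the report's process tree, plus a benign control.
SAMPLE_EVENTS = [
    {"ProcessId": 868, "Image": r"C:\Windows\system32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\123.bat"'},
    {"ProcessId": 2672, "Image": r"C:\Windows\system32\takeown.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"takeown /f C:\Windows\System32 /a /r /d y"},
    {"ProcessId": 3092, "Image": r"C:\Windows\system32\icacls.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"icacls C:\Windows\System32 /grant ╨É╨┤╨╝╨╕╨╜╨╕╤ü╤é╤Ç╨░╤é╨╛╤Ç╤ï:F /t"},
    {"ProcessId": 4100, "Image": r"C:\Windows\system32\icacls.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"icacls C:\Users\Admin\Documents /reset /t"},  # benign: own profile
]


def recover_oem_mojibake(text: str) -> str:
    """Undo the misdecoding that turns a UTF-8 batch file into box-drawing text.

    cmd.exe reads .bat files in the console OEM code page (437 on en-US, 866 on
    ru-RU), so every UTF-8 byte became one OEM character. Re-encoding with that
    code page and decoding as UTF-8 recovers the original. Heuristic: returns
    the input unchanged when no code page round-trips cleanly (pure ASCII and
    genuine Cyrillic both fall through untouched).
    """
    for oem in ("cp437", "cp866"):
        try:
            return text.encode(oem).decode("utf-8")
        except UnicodeError:
            continue
    return text


def under_protected_dir(path: str) -> bool:
    """True if path is one of PROTECTED_DIRS or lies beneath one."""
    p = path.strip('"').replace("/", "\\").lower().rstrip("\\")
    return any(p == d or p.startswith(d + "\\") for d in PROTECTED_DIRS)


def icacls_grantees(tokens: list[str]) -> list[tuple[str, str]]:
    """(principal, rights) pairs following /grant or /grant:r, principal de-garbled."""
    pairs = []
    for i, tok in enumerate(tokens):
        if tok.lower() in ("/grant", "/grant:r"):
            for spec in tokens[i + 1:]:
                if spec.startswith("/"):
                    break
                principal, _, rights = spec.strip('"').rpartition(":")
                pairs.append((recover_oem_mojibake(principal), rights))
    return pairs


def acl_tamper_finding(event: dict) -> dict | None:
    """Return a finding when an ACL tool writes to a protected directory, else None."""
    tool = event["Image"].rsplit("\\", 1)[-1].lower()
    if tool not in RECURSE_SWITCH:
        return None
    tokens = shlex.split(event["CommandLine"], posix=False)  # posix=False keeps backslashes
    lowered = [t.lower() for t in tokens]
    if tool == "icacls.exe":
        writes = any(t.startswith(ICACLS_WRITE_SWITCHES) for t in lowered)
    elif tool == "cacls.exe":
        writes = any(t in CACLS_WRITE_SWITCHES for t in lowered)
    else:
        writes = True  # takeown always changes the owner
    if not writes:
        return None
    targets = [t.strip('"') for t in tokens[1:] if not t.startswith("/")]
    protected = [t for t in targets if under_protected_dir(t)]
    if not protected:
        return None
    return {
        "pid": event["ProcessId"],
        "parent": event["ParentImage"].rsplit("\\", 1)[-1].lower(),
        "tool": tool,
        "targets": protected,
        "recursive": RECURSE_SWITCH[tool] in lowered,
        "grantees": icacls_grantees(tokens) if tool == "icacls.exe" else [],
    }


def scan(events) -> list[dict]:
    """All findings over an iterable of process-creation events."""
    return [f for f in (acl_tamper_finding(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the rule fires twice (PIDs 2672 and 3092), stays silent for the cmd.exe parent and for the /reset on a user's own profile, and reports the icacls grantee as Администраторы with rights F. Matching on the target directory and write switches rather than on a well-known group name is what keeps the rule from being defeated by the encoding accident seen in this sample, or by a deliberate use of a SID (*S-1-5-32-544) instead of a name.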