Analysis
- max time kernel: 188s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 01:18
Static task
- static1
Behavioral task
- behavioral1
  Sample: cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe
  Resource: win10v2004-20220812-en
General
- Target: cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe
- Size: 40KB
- MD5: 3ecfeb4aefb1847f09eb17f5efa2c620
- SHA1: 2cc83702b7bd42b5902e61d8dbcfcc74bad103f2
- SHA256: cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144
- SHA512: ff30d004e9577303329e9b756f3c21b7960221a64efd0e0d4656da1f046d07877e09e4e1d005e8c4e7d20a9f907ee4cc09507db99e4c04707e4c336f1a1872cf
- SSDEEP: 768:/b+NCRYuVGWHh81CGXkKNrzjqGiW/8owfMrFl6/3aQfvPWKP:/LRPGkharzjqGiW/8vZPWKP
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid | process):
    3704 | takeown.exe
    1696 | icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid | process):
    3704 | takeown.exe
    1696 | icacls.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hBYJT = "C:\\Windows\\system32\\qrgo.exe" | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\qrgo.exe | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe
    File created | C:\Windows\SysWOW64\qrgo.exe | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
    3748 | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 3748 wrote to memory of 3704 | 3748 | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe | takeown.exe
    PID 3748 wrote to memory of 3704 | 3748 | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe | takeown.exe
    PID 3748 wrote to memory of 3704 | 3748 | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe | takeown.exe
    PID 3748 wrote to memory of 1696 | 3748 | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe | icacls.exe
    PID 3748 wrote to memory of 1696 | 3748 | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe | icacls.exe
    PID 3748 wrote to memory of 1696 | 3748 | cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe | icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe (depth 2, child of the sample process)
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\qrgo.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe (depth 2, child of the sample process)
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\qrgo.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\qrgo.exe
  Filesize: 40KB
  MD5: 3ecfeb4aefb1847f09eb17f5efa2c620
  SHA1: 2cc83702b7bd42b5902e61d8dbcfcc74bad103f2
  SHA256: cc210a101bf20a7f53efa98c8d285790893e1a9f9546a907ebc6786074e19144
  SHA512: ff30d004e9577303329e9b756f3c21b7960221a64efd0e0d4656da1f046d07877e09e4e1d005e8c4e7d20a9f907ee4cc09507db99e4c04707e4c336f1a1872cf
- memory/1696-135-0x0000000000000000-mapping.dmp
- memory/3704-134-0x0000000000000000-mapping.dmp