Analysis
- max time kernel: 44s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 14-10-2022 09:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe
- Resource: win7-20220901-en
General
- Target: 3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe
- Size: 27KB
- MD5: 73efb6d5e1bd353f728913cdd72c14a0
- SHA1: a4be1e799a7fb79086f6c8dedbfe6176123a5366
- SHA256: 3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0
- SHA512: 3e4d1ee8785e6664b97c61d3591aa7bd9aad7f184fc8f204f9eded04e4b1d26b37f7c5b3faac4fd867c71218be096d6e2a0d35bf7e578fdd2c44398dc5fef521
- SSDEEP: 768:eyHKmM0qauedFQFtxTXKXAx6ZQgZOgRTc7D:ebmMyTcTXfxhgZzT
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid | process):
  1756 | takeown.exe
  1332 | icacls.exe
- Drops startup file (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.bat | cmd.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid | process):
  1332 | icacls.exe
  1756 | takeown.exe
- Modifies registry class (8 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "worm" | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3 | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "worm" | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "worm" | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "worm" | cmd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeTakeOwnershipPrivilege | 1756 | takeown.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid | process | target process); each row was recorded 4 times:
  PID 1380 wrote to memory of 2020 | 1380 | 3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe | cmd.exe (x4)
  PID 2020 wrote to memory of 1756 | 2020 | cmd.exe | takeown.exe (x4)
  PID 2020 wrote to memory of 1332 | 2020 | cmd.exe | icacls.exe (x4)
  PID 2020 wrote to memory of 332 | 2020 | cmd.exe | attrib.exe (x4)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\2241.tmp\work.bat""
    Signatures: Drops startup file; Modifies registry class; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f "explorer.exe"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "explorer.exe" /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -s -h "explorer.exe"
      Signatures: Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\2241.tmp\work.bat
  Filesize: 645B
  MD5: e1abbe347c9d05e587b6496d94531cf4
  SHA1: d5777fe403734cb56a51cfa1b0f3c42d5d76e946
  SHA256: c03f85f17bb8b4804908374546e0cb8ea812890c6c267f5e63dbd7ad14c35519
  SHA512: ffe8aca1718854ae7f9bf5811fb527522c1e7cc6b76fec809ae2bff08b729abe8ddf952b5fe44ba677443c4caea523ae8334f7bace4bf8e110dbe3511a391f65
- memory/332-60-0x0000000000000000-mapping.dmp
- memory/1332-59-0x0000000000000000-mapping.dmp
- memory/1380-54-0x0000000075A11000-0x0000000075A13000-memory.dmp
  Filesize: 8KB
- memory/1380-61-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 64KB
- memory/1756-58-0x0000000000000000-mapping.dmp
- memory/2020-55-0x0000000000000000-mapping.dmp