Analysis
max time kernel: 112s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2022 09:18
Static task: static1
Behavioral task: behavioral1
Sample: 3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe
Resource: win7-20220901-en
General
Target: 3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe
Size: 27KB
MD5: 73efb6d5e1bd353f728913cdd72c14a0
SHA1: a4be1e799a7fb79086f6c8dedbfe6176123a5366
SHA256: 3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0
SHA512: 3e4d1ee8785e6664b97c61d3591aa7bd9aad7f184fc8f204f9eded04e4b1d26b37f7c5b3faac4fd867c71218be096d6e2a0d35bf7e578fdd2c44398dc5fef521
SSDEEP: 768:eyHKmM0qauedFQFtxTXKXAx6ZQgZOgRTc7D:ebmMyTcTXfxhgZzT
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID   Process
    5072  takeown.exe
    4260  icacls.exe

Drops startup file (1 IoC)
  Processes:
    Description                   IoC                                                                                     Process
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.bat  cmd.exe

Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    PID   Process
    5072  takeown.exe
    4260  icacls.exe

Modifies registry class (8 IoCs)
  Processes:
    Description      IoC                                                 Process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "worm"   cmd.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3             cmd.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "worm"   cmd.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.exe             cmd.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "worm"   cmd.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.txt             cmd.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "worm"   cmd.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.bat             cmd.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Description                      PID   Process
    Token: SeTakeOwnershipPrivilege  5072  takeown.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    Description                       PID   Process                                                                Target process
    PID 5080 wrote to memory of 4516  5080  3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe  cmd.exe
    PID 5080 wrote to memory of 4516  5080  3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe  cmd.exe
    PID 5080 wrote to memory of 4516  5080  3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe  cmd.exe
    PID 4516 wrote to memory of 5072  4516  cmd.exe                                                                takeown.exe
    PID 4516 wrote to memory of 5072  4516  cmd.exe                                                                takeown.exe
    PID 4516 wrote to memory of 5072  4516  cmd.exe                                                                takeown.exe
    PID 4516 wrote to memory of 4260  4516  cmd.exe                                                                icacls.exe
    PID 4516 wrote to memory of 4260  4516  cmd.exe                                                                icacls.exe
    PID 4516 wrote to memory of 4260  4516  cmd.exe                                                                icacls.exe
    PID 4516 wrote to memory of 4916  4516  cmd.exe                                                                attrib.exe
    PID 4516 wrote to memory of 4916  4516  cmd.exe                                                                attrib.exe
    PID 4516 wrote to memory of 4916  4516  cmd.exe                                                                attrib.exe

Views/modifies file attributes (1 TTP, 1 IoC)
Processes
C:\Users\Admin\AppData\Local\Temp\3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B1D0.tmp\work.bat""
    - Drops startup file
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3)
      Command line: takeown /f "explorer.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (depth 3)
      Command line: icacls "explorer.exe" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\SysWOW64\attrib.exe (depth 3)
      Command line: attrib -s -h "explorer.exe"
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\B1D0.tmp\work.bat
  Filesize: 645B
  MD5: e1abbe347c9d05e587b6496d94531cf4
  SHA1: d5777fe403734cb56a51cfa1b0f3c42d5d76e946
  SHA256: c03f85f17bb8b4804908374546e0cb8ea812890c6c267f5e63dbd7ad14c35519
  SHA512: ffe8aca1718854ae7f9bf5811fb527522c1e7cc6b76fec809ae2bff08b729abe8ddf952b5fe44ba677443c4caea523ae8334f7bace4bf8e110dbe3511a391f65

memory/4260-136-0x0000000000000000-mapping.dmp

memory/4516-133-0x0000000000000000-mapping.dmp

memory/4916-137-0x0000000000000000-mapping.dmp

memory/5072-135-0x0000000000000000-mapping.dmp

memory/5080-132-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 64KB

memory/5080-138-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 64KB