3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0

Analysis

max time kernel
112s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe
Size

27KB
MD5

73efb6d5e1bd353f728913cdd72c14a0
SHA1

a4be1e799a7fb79086f6c8dedbfe6176123a5366
SHA256

3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0
SHA512

3e4d1ee8785e6664b97c61d3591aa7bd9aad7f184fc8f204f9eded04e4b1d26b37f7c5b3faac4fd867c71218be096d6e2a0d35bf7e578fdd2c44398dc5fef521
SSDEEP

768:eyHKmM0qauedFQFtxTXKXAx6ZQgZOgRTc7D:ebmMyTcTXfxhgZzT

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

5072 takeown.exe
4260 icacls.exe
Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.bat cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

5072 takeown.exe
4260 icacls.exe

pid	process
5072	takeown.exe
4260	icacls.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.bat	cmd.exe

pid	process
5072	takeown.exe
4260	icacls.exe

Modifies registry class 8 IoCs

Processes:

cmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "worm"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp3	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp3\ = "worm"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "worm"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txt\ = "worm"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 5072 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5072	takeown.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.execmd.exe

description	pid	process	target process
PID 5080 wrote to memory of 4516	5080	3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe	cmd.exe
PID 5080 wrote to memory of 4516	5080	3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe	cmd.exe
PID 5080 wrote to memory of 4516	5080	3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe	cmd.exe
PID 4516 wrote to memory of 5072	4516	cmd.exe	takeown.exe
PID 4516 wrote to memory of 5072	4516	cmd.exe	takeown.exe
PID 4516 wrote to memory of 5072	4516	cmd.exe	takeown.exe
PID 4516 wrote to memory of 4260	4516	cmd.exe	icacls.exe
PID 4516 wrote to memory of 4260	4516	cmd.exe	icacls.exe
PID 4516 wrote to memory of 4260	4516	cmd.exe	icacls.exe
PID 4516 wrote to memory of 4916	4516	cmd.exe	attrib.exe
PID 4516 wrote to memory of 4916	4516	cmd.exe	attrib.exe
PID 4516 wrote to memory of 4916	4516	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4916 attrib.exe

pid	process
4916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe
"C:\Users\Admin\AppData\Local\Temp\3b6fae2c9deed9e65e2a52d0d28d9ce8563a4316bfd62676d58d5b12dcfa47c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B1D0.tmp\work.bat""
2⤵
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\takeown.exe
takeown /f "explorer.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SysWOW64\icacls.exe
icacls "explorer.exe" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4260

C:\Windows\SysWOW64\attrib.exe
attrib -s -h "explorer.exe"
3⤵
- Views/modifies file attributes
PID:4916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B1D0.tmp\work.bat
Filesize
645B

MD5
e1abbe347c9d05e587b6496d94531cf4

SHA1
d5777fe403734cb56a51cfa1b0f3c42d5d76e946

SHA256
c03f85f17bb8b4804908374546e0cb8ea812890c6c267f5e63dbd7ad14c35519

SHA512
ffe8aca1718854ae7f9bf5811fb527522c1e7cc6b76fec809ae2bff08b729abe8ddf952b5fe44ba677443c4caea523ae8334f7bace4bf8e110dbe3511a391f65

Download Submit
memory/4260-136-0x0000000000000000-mapping.dmp

Download
memory/4516-133-0x0000000000000000-mapping.dmp

Download
memory/4916-137-0x0000000000000000-mapping.dmp

Download
memory/5072-135-0x0000000000000000-mapping.dmp

Download
memory/5080-132-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5080-138-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download