Analysis
-
max time kernel
61s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2022 10:49
Static task
static1
Behavioral task
behavioral1
Sample
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe
Resource
win7-20220812-en
General
-
Target
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe
-
Size
95KB
-
MD5
2dbb19618eb730077e80a26464602444
-
SHA1
f3b9459d2b8a37564b7c3c362eaad80eb52ce51c
-
SHA256
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671
-
SHA512
27422a042422611d697a31e2d1adb1f3a2c352c41dcd98ef99dd90d2a356504ffa635f9b19e8a6ed93a7d8e1651d47f2bf9e8947e081322f7e9d96ce9d4a75cc
-
SSDEEP
768:nCZJPEBGc8Kg0jIRbw4+UA3dKNE5oZTiU4oOBhUT7SV3h0A9U8tnuDst1sXXtYcX:APEJ879bwBTR1sXvwVcl
Malware Config
Signatures
-
Processes:
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 1396 takeown.exe 1996 icacls.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 1396 takeown.exe 1996 icacls.exe -
Processes:
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exedescription ioc process File opened for modification \??\PhysicalDrive0 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe -
Drops file in Windows directory 1 IoCs
Processes:
cmd.exedescription ioc process File opened for modification C:\Windows\Globalization\ICU\icudtl.dat cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exedescription pid process Token: SeDebugPrivilege 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe Token: SeDebugPrivilege 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.execmd.execmd.exedescription pid process target process PID 4100 wrote to memory of 4640 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe cmd.exe PID 4100 wrote to memory of 4640 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe cmd.exe PID 4100 wrote to memory of 3548 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe cmd.exe PID 4100 wrote to memory of 3548 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe cmd.exe PID 4100 wrote to memory of 3504 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe cmd.exe PID 4100 wrote to memory of 3504 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe cmd.exe PID 4100 wrote to memory of 540 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe cmd.exe PID 4100 wrote to memory of 540 4100 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe cmd.exe PID 4640 wrote to memory of 1396 4640 cmd.exe takeown.exe PID 4640 wrote to memory of 1396 4640 cmd.exe takeown.exe PID 3504 wrote to memory of 2960 3504 cmd.exe rundll32.exe PID 3504 wrote to memory of 2960 3504 cmd.exe rundll32.exe PID 4640 wrote to memory of 1996 4640 cmd.exe icacls.exe PID 4640 wrote to memory of 1996 4640 cmd.exe icacls.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe"C:\Users\Admin\AppData\Local\Temp\73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4100 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k takeown /f C:\ && icacls C:\ /grant2⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\system32\takeown.exetakeown /f C:\3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1396 -
C:\Windows\system32\icacls.exeicacls C:\ /grant3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1996 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k del C:\Windows\Fonts\ *.* /s /q2⤵PID:3548
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k rundll32 user32 , SwapMouseButton2⤵
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\system32\rundll32.exerundll32 user32 , SwapMouseButton3⤵PID:2960
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k color a && del C:\Windows /s /q /f2⤵
- Drops file in Windows directory
PID:540
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/540-138-0x0000000000000000-mapping.dmp
-
memory/1396-139-0x0000000000000000-mapping.dmp
-
memory/1996-141-0x0000000000000000-mapping.dmp
-
memory/2960-140-0x0000000000000000-mapping.dmp
-
memory/3504-137-0x0000000000000000-mapping.dmp
-
memory/3548-136-0x0000000000000000-mapping.dmp
-
memory/4100-132-0x00000000004A0000-0x00000000004BC000-memory.dmpFilesize
112KB
-
memory/4100-133-0x00007FF984A20000-0x00007FF9854E1000-memory.dmpFilesize
10.8MB
-
memory/4100-134-0x00007FF984A20000-0x00007FF9854E1000-memory.dmpFilesize
10.8MB
-
memory/4640-135-0x0000000000000000-mapping.dmp