73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671

General

Target

73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe
Size

95KB
MD5

2dbb19618eb730077e80a26464602444
SHA1

f3b9459d2b8a37564b7c3c362eaad80eb52ce51c
SHA256

73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671
SHA512

27422a042422611d697a31e2d1adb1f3a2c352c41dcd98ef99dd90d2a356504ffa635f9b19e8a6ed93a7d8e1651d47f2bf9e8947e081322f7e9d96ce9d4a75cc
SSDEEP

768:nCZJPEBGc8Kg0jIRbw4+UA3dKNE5oZTiU4oOBhUT7SV3h0A9U8tnuDst1sXXtYcX:APEJ879bwBTR1sXvwVcl

Score

10^/10

bootkit discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1308 takeown.exe
268 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1308 takeown.exe
268 icacls.exe

pid	process
1308	takeown.exe
268	icacls.exe

pid	process
1308	takeown.exe
268	icacls.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

description ioc process

File opened for modification \??\PhysicalDrive0 73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe
Drops file in System32 directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\aqdvs4.exe cmd.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

description	ioc	process
File opened for modification	C:\Windows\System32\aqdvs4.exe	cmd.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\MICROS~3.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~4	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WPFGFX~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\INKDIV~1.8F0	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\RTSCOM~1.997	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_BB64~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIA3D3~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\APIFIL~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PENIMC~4.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~3.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\XDPFIL~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_C9E2~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\UL_MSV~3.98C	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~2	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~2.MUI	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UI99F2~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_BA02~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~1.MUI	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PR2008~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_8C6C~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~2	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~2.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~4	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_EA13~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_038A~1	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\misc.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_31C8~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PENIMC~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WINDOW~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WINDOW~2.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\GABRIOLA.TTF	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_E61E~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PR5A6B~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFIL~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDXFIL~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_4725~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\UL_MSV~2.98C	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PR7598~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_A206~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UI3EAD~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PEC8F5~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~3.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~4.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENT~4	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_7457~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\MICROS~2.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SECSTO~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~3	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\MICROS~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYC1DA~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PE3AC5~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SY59D2~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WPFGFX~2.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~4.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_A468~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~2	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_B2C0~1	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

description	pid	process
Token: SeDebugPrivilege	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe
Token: SeDebugPrivilege	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.execmd.execmd.exe

description	pid	process	target process
PID 1088 wrote to memory of 1676	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 1676	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 1676	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 1800	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 1800	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 1800	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1676 wrote to memory of 1308	1676	cmd.exe	takeown.exe
PID 1676 wrote to memory of 1308	1676	cmd.exe	takeown.exe
PID 1676 wrote to memory of 1308	1676	cmd.exe	takeown.exe
PID 1088 wrote to memory of 1816	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 1816	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 1816	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 2040	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 2040	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1088 wrote to memory of 2040	1088	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe	cmd.exe
PID 1816 wrote to memory of 764	1816	cmd.exe	rundll32.exe
PID 1816 wrote to memory of 764	1816	cmd.exe	rundll32.exe
PID 1816 wrote to memory of 764	1816	cmd.exe	rundll32.exe
PID 1676 wrote to memory of 268	1676	cmd.exe	icacls.exe
PID 1676 wrote to memory of 268	1676	cmd.exe	icacls.exe
PID 1676 wrote to memory of 268	1676	cmd.exe	icacls.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe

C:\Users\Admin\AppData\Local\Temp\73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe
"C:\Users\Admin\AppData\Local\Temp\73b403c8d238607970c95def5547d014fa246266a9f584d6c563981a639ea671.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\ && icacls C:\ /grant
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\takeown.exe
takeown /f C:\
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1308

C:\Windows\system32\icacls.exe
icacls C:\ /grant
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k del C:\Windows\Fonts\ *.* /s /q
2⤵
PID:1800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k rundll32 user32 , SwapMouseButton
2⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\rundll32.exe
rundll32 user32 , SwapMouseButton
3⤵
PID:764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k color a && del C:\Windows /s /q /f
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-63-0x0000000000000000-mapping.dmp

Download
memory/764-62-0x0000000000000000-mapping.dmp

Download
memory/1088-54-0x0000000001350000-0x000000000136C000-memory.dmp

Filesize
112KB

Download
memory/1088-55-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download
memory/1088-58-0x0000000000B96000-0x0000000000BB5000-memory.dmp

Filesize
124KB

Download
memory/1088-64-0x0000000000B96000-0x0000000000BB5000-memory.dmp

Filesize
124KB

Download
memory/1308-59-0x0000000000000000-mapping.dmp

Download
memory/1676-56-0x0000000000000000-mapping.dmp

Download
memory/1800-57-0x0000000000000000-mapping.dmp

Download
memory/1816-60-0x0000000000000000-mapping.dmp

Download
memory/2040-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads