Resubmissions
16-01-2023 16:45
230116-t9wr4saa48 8 16-01-2023 16:39
230116-t6b9ashh87 8 16-01-2023 16:37
230116-t44wjadh4w 8 16-01-2023 16:28
230116-ty4nkshg85 8 16-01-2023 16:27
230116-tx48qahg72 8 16-01-2023 16:22
230116-tvf34shg39 8

Analysis
- max time kernel: 13s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 16-01-2023 16:37
Static task
static1
General
- Target: Bonzify.exe
- Size: 6.4MB
- MD5: fba93d8d029e85e0cde3759b7903cee2
- SHA1: 525b1aa549188f4565c75ab69e51f927204ca384
- SHA256: 66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
- SHA512: 7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
- SSDEEP: 196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:OaWedh+Idx75QYub//73lc6u7bLMYxD
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid   process
  948   takeown.exe
  1696  icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid   process
  948   takeown.exe
  1696  icacls.exe
- Drops file in Windows directory (1 IoCs)
  Processes: Bonzify.exe
  description   ioc                         process
  File created  C:\Windows\executables.bin  Bonzify.exe
- Kills process with taskkill (1 IoCs)
  Processes: taskkill.exe
  pid   process
  1108  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: taskkill.exe
  description              pid   process
  Token: SeDebugPrivilege  1108  taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: Bonzify.exe, cmd.exe
  description                       pid   process      target process
  PID 1096 wrote to memory of 1472  1096  Bonzify.exe  cmd.exe
  PID 1096 wrote to memory of 1472  1096  Bonzify.exe  cmd.exe
  PID 1096 wrote to memory of 1472  1096  Bonzify.exe  cmd.exe
  PID 1096 wrote to memory of 1472  1096  Bonzify.exe  cmd.exe
  PID 1472 wrote to memory of 1108  1472  cmd.exe      taskkill.exe
  PID 1472 wrote to memory of 1108  1472  cmd.exe      taskkill.exe
  PID 1472 wrote to memory of 1108  1472  cmd.exe      taskkill.exe
  PID 1472 wrote to memory of 1108  1472  cmd.exe      taskkill.exe
  PID 1472 wrote to memory of 948   1472  cmd.exe      takeown.exe
  PID 1472 wrote to memory of 948   1472  cmd.exe      takeown.exe
  PID 1472 wrote to memory of 948   1472  cmd.exe      takeown.exe
  PID 1472 wrote to memory of 948   1472  cmd.exe      takeown.exe
  PID 1472 wrote to memory of 1696  1472  cmd.exe      icacls.exe
  PID 1472 wrote to memory of 1696  1472  cmd.exe      icacls.exe
  PID 1472 wrote to memory of 1696  1472  cmd.exe      icacls.exe
  PID 1472 wrote to memory of 1696  1472  cmd.exe      icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Bonzify.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bonzify.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im AgentSvr.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /r /d y /f C:\Windows\MsAgent
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
  Filesize: 161B
  MD5: ea7df060b402326b4305241f21f39736
  SHA1: 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
  SHA256: e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
  SHA512: 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0
- memory/948-58-0x0000000000000000-mapping.dmp
- memory/1096-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
  Filesize: 8KB
- memory/1108-57-0x0000000000000000-mapping.dmp
- memory/1472-55-0x0000000000000000-mapping.dmp
- memory/1696-59-0x0000000000000000-mapping.dmp