Analysis
- max time kernel: 159s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 16:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe
- Resource: win7-20221111-en
General
- Target: c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe
- Size: 134KB
- MD5: cf174472200c2c0205782d352735b594
- SHA1: 1e462e8c90aaec05f6dfbb3d91e5b8e5fd610517
- SHA256: c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9
- SHA512: 3293c8eb7d5515e100c17febebab81065f474d82b314e1cdc0e65d3a4aea789ecf412ca0807e5a2ba518593697bfe1547553133696c8c7c1a21662a31a4be3c8
- SSDEEP: 3072:kV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPLipC+r:Jt5hBPi0BW69hd1MMdxPe9N9uA069TBc
Malware Config
Signatures
-
Possible privilege escalation attempt (20 IoCs)
Processes (pid, process):
  takeown.exe: 2676, 1432, 5016, 1676, 308, 3112, 4156, 4296, 1392, 3864
  icacls.exe: 4684, 5088, 3720, 1692, 4276, 1120, 4136, 1468, 3236, 3608
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe)
-
Modifies file permissions (1 TTPs, 20 IoCs)
Processes (pid, process):
  icacls.exe: 4276, 5088, 1692, 3236, 4684, 1120, 1468, 3720, 3608, 4136
  takeown.exe: 1676, 3864, 5016, 4156, 1392, 308, 1432, 4296, 2676, 3112
-
Drops file in Windows directory (64 IoCs)
Processes (description, ioc, process):
  File opened for modification by cmd.exe (64 files, all under C:\Windows\Boot):
  C:\Windows\Boot\EFI\hr-HR\bootmgr.efi.mui
  C:\Windows\Boot\EFI\nb-NO\bootmgr.efi.mui
  C:\Windows\Boot\PCAT\pt-BR\bootmgr.exe.mui
  C:\Windows\Boot\DVD\PCAT\it-IT\bootfix.bin
  C:\Windows\Boot\EFI\tr-TR\bootmgr.efi.mui
  C:\Windows\Boot\Fonts\malgun_boot.ttf
  C:\Windows\Boot\PCAT\ru-RU\memtest.exe.mui
  C:\Windows\Boot\EFI\de-DE\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\ja-JP\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\memtest.efi
  C:\Windows\Boot\EFI\pt-BR\bootmgr.efi.mui
  C:\Windows\Boot\EFI\ru-RU\memtest.efi.mui
  C:\Windows\Boot\PCAT\sv-SE\bootmgr.exe.mui
  C:\Windows\Boot\Misc\PCAT\bootspaces.dll
  C:\Windows\Boot\PCAT\it-IT\memtest.exe.mui
  C:\Windows\Boot\DVD\PCAT\etfsboot.com
  C:\Windows\Boot\EFI\tr-TR\bootmgfw.efi.mui
  C:\Windows\Boot\PCAT\ko-KR\memtest.exe.mui
  C:\Windows\Boot\EFI\ru-RU\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\zh-CN\bootmgr.efi.mui
  C:\Windows\Boot\PCAT\bootmgr
  C:\Windows\Boot\PCAT\ja-JP\bootmgr.exe.mui
  C:\Windows\Boot\PCAT\tr-TR\memtest.exe.mui
  C:\Windows\Boot\EFI\lv-LV\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\zh-CN\bootmgfw.efi.mui
  C:\Windows\Boot\Fonts\malgunn_boot.ttf
  C:\Windows\Boot\PCAT\sr-Latn-RS\bootmgr.exe.mui
  C:\Windows\Boot\Resources\en-US\bootres.dll.mui
  C:\Windows\Boot\Resources\ja-JP\bootres.dll.mui
  C:\Windows\Boot\DVD\PCAT\es-ES\bootfix.bin
  C:\Windows\Boot\EFI\de-DE\bootmgr.efi.mui
  C:\Windows\Boot\EFI\en-US\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\es-ES\bootmgfw.efi.mui
  C:\Windows\Boot\PCAT\zh-TW\memtest.exe.mui
  C:\Windows\Boot\DVD\PCAT\en-US\bootfix.bin
  C:\Windows\Boot\EFI\kd_02_14e4.dll
  C:\Windows\Boot\EFI\kd_0C_8086.dll
  C:\Windows\Boot\EFI\sr-Latn-RS\bootmgr.efi.mui
  C:\Windows\Boot\EFI\sv-SE\memtest.efi.mui
  C:\Windows\Boot\EFI\ja-JP\memtest.efi.mui
  C:\Windows\Boot\EFI\sv-SE\bootmgr.efi.mui
  C:\Windows\Boot\Fonts\jpn_boot.ttf
  C:\Windows\Boot\PCAT\pt-PT\bootmgr.exe.mui
  C:\Windows\Boot\PCAT\zh-TW\bootmgr.exe.mui
  C:\Windows\Boot\DVD\EFI\boot.sdi
  C:\Windows\Boot\EFI\en-US\memtest.efi.mui
  C:\Windows\Boot\PCAT\es-ES\bootmgr.exe.mui
  C:\Windows\Boot\PCAT\pt-BR\memtest.exe.mui
  C:\Windows\Boot\PCAT\fr-CA\bootmgr.exe.mui
  C:\Windows\Boot\EFI\kd_02_19a2.dll
  C:\Windows\Boot\EFI\pt-PT\bootmgr.efi.mui
  C:\Windows\Boot\Fonts\cht_boot.ttf
  C:\Windows\Boot\PCAT\pl-PL\bootmgr.exe.mui
  C:\Windows\Boot\PCAT\bootnxt
  C:\Windows\Boot\EFI\et-EE\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\uk-UA\bootmgfw.efi.mui
  C:\Windows\Boot\PCAT\hu-HU\bootmgr.exe.mui
  C:\Windows\Boot\PCAT\uk-UA\bootmgr.exe.mui
  C:\Windows\Boot\EFI\fr-FR\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\ro-RO\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\sv-SE\bootmgfw.efi.mui
  C:\Windows\Boot\EFI\zh-TW\bootmgr.efi.mui
  C:\Windows\Boot\PCAT\bootuwf.dll
  C:\Windows\Boot\PCAT\fr-FR\bootmgr.exe.mui
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes (description, pid, process):
  Token: SeTakeOwnershipPrivilege enabled by takeown.exe pids 4156, 1392, 2676, 1676, 1432, 308, 3112, 3864, 5016
-
Suspicious use of WriteProcessMemory (42 IoCs)
Processes (description, pid, process, target process); every write below was recorded twice, giving 42 events for 21 parent/child pairs:
  PID 2500 (c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe) wrote to memory of PID 1552 (cmd.exe)
  PID 1552 (cmd.exe) wrote to memory of, in order: 4156 takeown.exe, 4276 icacls.exe, 4296 takeown.exe, 5088 icacls.exe, 1392 takeown.exe, 3720 icacls.exe, 2676 takeown.exe, 1120 icacls.exe, 1676 takeown.exe, 1692 icacls.exe, 1432 takeown.exe, 1468 icacls.exe, 308 takeown.exe, 3236 icacls.exe, 3112 takeown.exe, 3608 icacls.exe, 3864 takeown.exe, 4684 icacls.exe, 5016 takeown.exe, 4136 icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (tree depth 2)
Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D372.tmp\D373.tmp\D374.bat C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\System32\ntoskrnl.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -r -f -skipsl "C:\Windows\Boot"
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\bfsvc.exe"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\System32\kernel32.dll"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\System32\advapi32.dll"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\System32\user32.dll"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\System32\gdi32.dll"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\System32\win32k.sys"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\System32\ntdll.dll"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exe (tree depth 3)
Command line: takeown -f "C:\Windows\System32\hall.dll"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (tree depth 3)
Command line: ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\D372.tmp\D373.tmp\D374.bat
  Filesize: 1KB
  MD5: e666a33a40b3660f6f1ac5ce390d856a
  SHA1: 9ae70be123a8a7837c314030c06202ee61cbf52e
  SHA256: 8c50b2f52383a41d0186436281f4f804144ef1dcd12dd638840e32d4cc2c6488
  SHA512: 69c59de096b6ebc30629b8d63a8fab1870e3a466c8d36edd31384ed6f0c19e50b17ed56b9779960513a2da2a9dedde4d27e755bb084499220fda719dfb74be5d