Analysis
- max time kernel: 41s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 19:31
Static task: static1

Behavioral task: behavioral1
- Sample: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
- Resource: win10v2004-20220901-en
General
- Target: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
- Size: 12KB
- MD5: 2b02f3cc9e5ff3fed55914378bd3e61d
- SHA1: 5d8798ed6581e09b973d30086dbdf99fac3347bd
- SHA256: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901
- SHA512: ddd9691b96a711637f4b429a1ead879a864b7c6c816de4d532a6c0c47fa7ac675bc6cf9f2b9e51c5c534dbb90cd44c4b6bf1faba9ecc75d6efd56e81403d2268
- SSDEEP: 192:7A+yNB0HHwSgaIVr53eDmiiqGsf0LEG85YcvV1:7AxNGHH8953eDmindf0LEGkYcvV1
Malware Config
Signatures
- Disables Task Manager via registry modification
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
    1800 takeown.exe
    1540 icacls.exe
    1796 takeown.exe
    1416 icacls.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid, process):
    1540 icacls.exe
    1796 takeown.exe
    1416 icacls.exe
    1800 takeown.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\BrowserManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (token, pid, process):
    Token: SeTakeOwnershipPrivilege 1800 takeown.exe
    Token: SeTakeOwnershipPrivilege 1796 takeown.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target process; each entry is listed four times in the report, 20 entries in total):
    PID 1460 wrote to memory of 112: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe -> cmd.exe (4 entries)
    PID 112 wrote to memory of 1800: cmd.exe -> takeown.exe (4 entries)
    PID 112 wrote to memory of 1540: cmd.exe -> icacls.exe (4 entries)
    PID 112 wrote to memory of 1796: cmd.exe -> takeown.exe (4 entries)
    PID 112 wrote to memory of 1416: cmd.exe -> icacls.exe (4 entries)
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\takeown.exe
      command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/112-56-0x0000000000000000-mapping.dmp
- memory/1416-60-0x0000000000000000-mapping.dmp
- memory/1460-54-0x0000000000A90000-0x0000000000A98000-memory.dmp (Filesize: 32KB)
- memory/1460-55-0x0000000075F81000-0x0000000075F83000-memory.dmp (Filesize: 8KB)
- memory/1540-58-0x0000000000000000-mapping.dmp
- memory/1796-59-0x0000000000000000-mapping.dmp
- memory/1800-57-0x0000000000000000-mapping.dmp