830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901

General

Target

830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
Size

12KB
MD5

2b02f3cc9e5ff3fed55914378bd3e61d
SHA1

5d8798ed6581e09b973d30086dbdf99fac3347bd
SHA256

830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901
SHA512

ddd9691b96a711637f4b429a1ead879a864b7c6c816de4d532a6c0c47fa7ac675bc6cf9f2b9e51c5c534dbb90cd44c4b6bf1faba9ecc75d6efd56e81403d2268
SSDEEP

192:7A+yNB0HHwSgaIVr53eDmiiqGsf0LEG85YcvV1:7AxNGHH8953eDmindf0LEGkYcvV1

Score

8^/10

discovery evasion exploit persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4292 takeown.exe
2312 icacls.exe
2720 takeown.exe
3256 icacls.exe

pid	process
4292	takeown.exe
2312	icacls.exe
2720	takeown.exe
3256	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2720 takeown.exe
3256 icacls.exe
4292 takeown.exe
2312 icacls.exe

pid	process
2720	takeown.exe
3256	icacls.exe
4292	takeown.exe
2312	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrowserManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe"	830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exetakeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 4292 takeown.exe
Token: SeTakeOwnershipPrivilege 2720 takeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4292	takeown.exe
Token: SeTakeOwnershipPrivilege	2720	takeown.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.execmd.exe

description	pid	process	target process
PID 5060 wrote to memory of 2292	5060	830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe	cmd.exe
PID 5060 wrote to memory of 2292	5060	830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe	cmd.exe
PID 5060 wrote to memory of 2292	5060	830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe	cmd.exe
PID 2292 wrote to memory of 4292	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 4292	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 4292	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2312	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2312	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2312	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 2720	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2720	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 2720	2292	cmd.exe	takeown.exe
PID 2292 wrote to memory of 3256	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 3256	2292	cmd.exe	icacls.exe
PID 2292 wrote to memory of 3256	2292	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
"C:\Users\Admin\AppData\Local\Temp\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2312

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2292-136-0x0000000000000000-mapping.dmp

Download
memory/2312-138-0x0000000000000000-mapping.dmp

Download
memory/2720-139-0x0000000000000000-mapping.dmp

Download
memory/3256-140-0x0000000000000000-mapping.dmp

Download
memory/4292-137-0x0000000000000000-mapping.dmp

Download
memory/5060-132-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/5060-133-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/5060-134-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/5060-135-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads