Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2023 19:31
Static task: static1
Behavioral task: behavioral1
- Sample: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
- Resource: win10v2004-20220901-en
General
- Target: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
- Size: 12KB
- MD5: 2b02f3cc9e5ff3fed55914378bd3e61d
- SHA1: 5d8798ed6581e09b973d30086dbdf99fac3347bd
- SHA256: 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901
- SHA512: ddd9691b96a711637f4b429a1ead879a864b7c6c816de4d532a6c0c47fa7ac675bc6cf9f2b9e51c5c534dbb90cd44c4b6bf1faba9ecc75d6efd56e81403d2268
- SSDEEP: 192:7A+yNB0HHwSgaIVr53eDmiiqGsf0LEG85YcvV1:7AxNGHH8953eDmindf0LEGkYcvV1
Malware Config
Signatures
- Disables Task Manager via registry modification
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
    4292 takeown.exe
    2312 icacls.exe
    2720 takeown.exe
    3256 icacls.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried; \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation; 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid, process):
    2720 takeown.exe
    3256 icacls.exe
    4292 takeown.exe
    2312 icacls.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str); \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrowserManager = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe"; 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeTakeOwnershipPrivilege; 4292; takeown.exe
    Token: SeTakeOwnershipPrivilege; 2720; takeown.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
    PID 5060 wrote to memory of 2292; 5060; 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe; cmd.exe
    PID 5060 wrote to memory of 2292; 5060; 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe; cmd.exe
    PID 5060 wrote to memory of 2292; 5060; 830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe; cmd.exe
    PID 2292 wrote to memory of 4292; 2292; cmd.exe; takeown.exe
    PID 2292 wrote to memory of 4292; 2292; cmd.exe; takeown.exe
    PID 2292 wrote to memory of 4292; 2292; cmd.exe; takeown.exe
    PID 2292 wrote to memory of 2312; 2292; cmd.exe; icacls.exe
    PID 2292 wrote to memory of 2312; 2292; cmd.exe; icacls.exe
    PID 2292 wrote to memory of 2312; 2292; cmd.exe; icacls.exe
    PID 2292 wrote to memory of 2720; 2292; cmd.exe; takeown.exe
    PID 2292 wrote to memory of 2720; 2292; cmd.exe; takeown.exe
    PID 2292 wrote to memory of 2720; 2292; cmd.exe; takeown.exe
    PID 2292 wrote to memory of 3256; 2292; cmd.exe; icacls.exe
    PID 2292 wrote to memory of 3256; 2292; cmd.exe; icacls.exe
    PID 2292 wrote to memory of 3256; 2292; cmd.exe; icacls.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\830e263bd2cb32339586ba47a3f7a7c98dfca64557f701f2bcea1f768fd3e901.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    (depth 3) C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32 /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
    (depth 3) C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    (depth 3) C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2292-136-0x0000000000000000-mapping.dmp
- memory/2312-138-0x0000000000000000-mapping.dmp
- memory/2720-139-0x0000000000000000-mapping.dmp
- memory/3256-140-0x0000000000000000-mapping.dmp
- memory/4292-137-0x0000000000000000-mapping.dmp
- memory/5060-132-0x0000000000AE0000-0x0000000000AE8000-memory.dmp (Filesize: 32KB)
- memory/5060-133-0x0000000005A30000-0x0000000005FD4000-memory.dmp (Filesize: 5.6MB)
- memory/5060-134-0x0000000005520000-0x00000000055B2000-memory.dmp (Filesize: 584KB)
- memory/5060-135-0x00000000054B0000-0x00000000054BA000-memory.dmp (Filesize: 40KB)