Analysis
max time kernel: 40s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-04-2023 05:35
Static task: static1
Behavioral task: behavioral1
  Sample: BONZIFY.exe
  Resource: win7-20230220-en
General
Target: BONZIFY.exe
Size: 6.4MB
MD5: fba93d8d029e85e0cde3759b7903cee2
SHA1: 525b1aa549188f4565c75ab69e51f927204ca384
SHA256: 66f62408dfce7c4a5718d2759f1d35721ca22077398850277d16e1fca87fe764
SHA512: 7c1441b2e804e925eb5a03e97db620117d3ad4f6981dc020e4e7df4bfc4bd6e414fa3b0ce764481a2cef07eebb2baa87407355bfbe88fab96397d82bd441e6a2
SSDEEP: 196608:adAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:OaWedh+Idx75QYub//73lc6u7bLMYxD
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID 1240  takeown.exe
    PID 1696  icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    PID 1240  takeown.exe
    PID 1696  icacls.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
    File created  C:\Windows\executables.bin  BONZIFY.exe
- Kills process with taskkill (1 IoCs)
  Processes:
    PID 1956  taskkill.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 1956  taskkill.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (source PID / source process -> target PID / target process; each pair recorded 4 times, 16 events in total):
    PID 2024  BONZIFY.exe  wrote to memory of  PID 2012  cmd.exe       (x4)
    PID 2012  cmd.exe      wrote to memory of  PID 1956  taskkill.exe  (x4)
    PID 2012  cmd.exe      wrote to memory of  PID 1240  takeown.exe   (x4)
    PID 2012  cmd.exe      wrote to memory of  PID 1696  icacls.exe    (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\BONZIFY.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BONZIFY.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (depth 2)
    Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\KillAgent.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe  (depth 3)
      Command line: taskkill /f /im AgentSvr.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\takeown.exe  (depth 3)
      Command line: takeown /r /d y /f C:\Windows\MsAgent
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe  (depth 3)
      Command line: icacls C:\Windows\MsAgent /c /t /grant "everyone":(f)
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\KillAgent.bat
  Filesize: 161B
  MD5: ea7df060b402326b4305241f21f39736
  SHA1: 7d58fb4c58e0edb2ddceef4d21581ff9d512fdc2
  SHA256: e4edc2cb6317ab19ee1a6327993e9332af35cfbebaff2ac7c3f71d43cfcbe793
  SHA512: 3147615add5608d0dce7a8b6efbfb19263c51a2e495df72abb67c6db34f5995a27fde55b5af78bbd5a6468b4065942cad4a4d3cb28ab932aad9b0f835aafe4d0