88a813208d1e99a14e14768084282800bdb764a23e2044a132f612bbf1479de7 | Triage

Analysis

max time kernel
3s
max time network
3s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-07-2023 03:00

Sharing

Report Analysis Logs

General

Target

InstallTakeOwnership.reg
Size

3KB
MD5

639fa604171d59ce1a3be6834360cd01
SHA1

643dfbb563e9580b707201c195e8fefc1b35f998
SHA256

88a813208d1e99a14e14768084282800bdb764a23e2044a132f612bbf1479de7
SHA512

d193710659c9f98b9fe5b2d20a7eec06df666a6b5e97794ab52bd298d922465f58f7d8121ff1e9fc1518e0a389cd748588009258ba55c993bd5ae7dae30d79a9

Score

1^/10

Malware Config

Signatures

Modifies registry class 17 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeOwnership\NoWorkingDirectory	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership\AppliesTo = "NOT (System.ItemPathDisplay:=\"C:\\Users\" OR System.ItemPathDisplay:=\"C:\\ProgramData\" OR System.ItemPathDisplay:=\"C:\\Windows\" OR System.ItemPathDisplay:=\"C:\\Windows\\System32\" OR System.ItemPathDisplay:=\"C:\\Program Files\" OR System.ItemPathDisplay:=\"C:\\Program Files (x86)\")"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership\command\IsolatedCommand = "powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d y && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l /q' -Verb runAs\""	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeOwnership\ = "Take Ownership"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeOwnership\HasLUAShield	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership\ = "Take Ownership"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership\HasLUAShield	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership\NoWorkingDirectory	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership\command\ = "powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" /r /d y && icacls \\\"%1\\\" /grant *S-1-3-4:F /t /c /l /q' -Verb runAs\""	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeOwnership	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeOwnership\Position = "middle"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\\shell\TakeOwnership\command\IsolatedCommand = "powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" && icacls \\\"%1\\\" /grant S-1-3-4:F /t /c /l' -Verb runAs\""	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership\Position = "middle"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\TakeOwnership	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\TakeOwnership\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\\shell\TakeOwnership\command\ = "powershell -windowstyle hidden -command \"Start-Process cmd -ArgumentList '/c takeown /f \\\"%1\\\" && icacls \\\"%1\\\" /grant S-1-3-4:F /t /c /l' -Verb runAs\""	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2292	regedit.exe

C:\Windows\regedit.exe
regedit.exe "C:\Users\Admin\AppData\Local\Temp\InstallTakeOwnership.reg"
1⤵
- Modifies registry class
- Runs .reg file with regedit
PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2292-54-0x0000000001B40000-0x0000000001B41000-memory.dmp

Filesize
4KB

Download