c3c08b94e956165562366c14e6ace4a5fe4c66edb0e47628ad94883e02f719ce

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/01/2024, 19:12 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hzejkkd.exe
Size

261KB
MD5

6433e88c2c73b93e935c74e650fee81d
SHA1

4293beea2045cf34746a003ebe779f2302a177f5
SHA256

f16e83d67d23cae50e5c0b8881ff8206e4e73b026229396615d0b8bd2caec7b0
SHA512

f3f1d02345034397ee5e7866ec9d3638f054e4395fe82cbf79bf10e0062ae70bce4d50ffeff018392f85b4799e3bd715780b670606a1decfbe34899805563db7
SSDEEP

6144:C4KYr8wAStrwb6E/HtFdbr0vv5R2AJXN5WeSmkMud50:C4Ltrwb6E/HtFdbr0vv5RByeaMud5

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2728	takeown.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 2128	2124	hzejkkd.exe	29
PID 2128 set thread context of 1224	2128	hzejkkd.exe	11
PID 2128 set thread context of 2728	2128	hzejkkd.exe	32
PID 2728 set thread context of 1224	2728	takeown.exe	11

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2128	hzejkkd.exe
2128	hzejkkd.exe
2128	hzejkkd.exe
2128	hzejkkd.exe
2128	hzejkkd.exe
2128	hzejkkd.exe
2128	hzejkkd.exe
2128	hzejkkd.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe
2728	takeown.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2124	hzejkkd.exe
2128	hzejkkd.exe
1224	Explorer.EXE
1224	Explorer.EXE
2728	takeown.exe
2728	takeown.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2128	2124	hzejkkd.exe	29
PID 2124 wrote to memory of 2128	2124	hzejkkd.exe	29
PID 2124 wrote to memory of 2128	2124	hzejkkd.exe	29
PID 2124 wrote to memory of 2128	2124	hzejkkd.exe	29
PID 2124 wrote to memory of 2128	2124	hzejkkd.exe	29
PID 1224 wrote to memory of 2728	1224	Explorer.EXE	32
PID 1224 wrote to memory of 2728	1224	Explorer.EXE	32
PID 1224 wrote to memory of 2728	1224	Explorer.EXE	32
PID 1224 wrote to memory of 2728	1224	Explorer.EXE	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe
  "C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe
    "C:\Users\Admin\AppData\Local\Temp\hzejkkd.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2128
- C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\SysWOW64\takeown.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1224-11-0x0000000008C30000-0x0000000009D94000-memory.dmp

Filesize
17.4MB

Download
memory/1224-20-0x0000000008C30000-0x0000000009D94000-memory.dmp

Filesize
17.4MB

Download
memory/2124-3-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2124-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2128-16-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/2128-4-0x0000000000780000-0x0000000000A83000-memory.dmp

Filesize
3.0MB

Download
memory/2128-5-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-10-0x00000000002A0000-0x00000000002BE000-memory.dmp

Filesize
120KB

Download
memory/2128-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-1-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2128-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2728-12-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2728-17-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/2728-18-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2728-19-0x00000000004E0000-0x000000000057D000-memory.dmp

Filesize
628KB

Download
memory/2728-13-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2728-21-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/2728-22-0x00000000004E0000-0x000000000057D000-memory.dmp

Filesize
628KB

Download