Analysis
- max time kernel: 147s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-03-2024 00:12

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: afd2aca2c6d426ad714dca52527dcb09.exe
- Resource: win7-20240221-en
- 5 signatures
- 150 seconds
General
- Target: afd2aca2c6d426ad714dca52527dcb09.exe
- Size: 554KB
- MD5: afd2aca2c6d426ad714dca52527dcb09
- SHA1: 72f224a10a99e902d48373d9fb7f4d0b5769d284
- SHA256: c97e6797f54fb75a3c1990a03f0109fa63b8ad1c1787b99dba67d52700d962d9
- SHA512: f49ee12bc1b54124f9cb29d51c5b5b442b1acf534f83e98773d242123764288524814a972a6e6cec5252a3247a9ec94dc168bf981c8819fd01690f9215fdf52f
- SSDEEP: 12288:6iC8pj4OFb7oj9yzCMoHrq4otmCihgawMdXrmRi/0iC8pj4z:6i1EOV7e9Xxm4S1ihPxrKi1Ez
Malware Config

Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    PID 2584  takeown.exe
    PID 2632  icacls.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation (afd2aca2c6d426ad714dca52527dcb09.exe)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    PID 2584  takeown.exe
    PID 2632  icacls.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeTakeOwnershipPrivilege  PID 2584  takeown.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID -> target PID; each write is reported three times):
    4296 afd2aca2c6d426ad714dca52527dcb09.exe -> 1056 cmd.exe (x3)
    1056 cmd.exe -> 2584 takeown.exe (x3)
    1056 cmd.exe -> 2632 icacls.exe (x3)
  All nine writes are parent-to-direct-child and coincide with the child's creation, so on their own they indicate process spawning rather than injection into a foreign process.
Processes
- C:\Users\Admin\AppData\Local\Temp\afd2aca2c6d426ad714dca52527dcb09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\afd2aca2c6d426ad714dca52527dcb09.exe"
  PID: 4296
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    PID: 1056
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32
      PID: 2584
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32 /grant "Admin:F"
      PID: 2632
      - Possible privilege escalation attempt
      - Modifies file permissions

Notes on the chain:
- The sample asked for C:\Windows\System32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe, as are takeown.exe and icacls.exe. That is WOW64 file system redirection: the sample is a 32-bit process (the resource tags list arch:x86), so System32 paths it opens are redirected to SysWOW64. The redirection does not apply to the path passed as an argument, so the target of takeown and icacls is still the real C:\Windows\System32 directory.
- cmd.exe expanded %username% before launching icacls, which is why the child's command line reads "Admin:F".
- takeown /f without /r takes ownership of the System32 directory object only, not its contents, and icacls /grant "Admin:F" without inheritance flags adds a full-control ACE on the directory itself. Both operations need an elevated token; the AdjustPrivilegeToken signature shows takeown enabling SeTakeOwnershipPrivilege, but the report does not record whether either command succeeded.