Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 23:24

General

  • Target

    MicrosoftWindowsServicesEtc/WinScrew.exe

  • Size

    52KB

  • MD5

    1aaafedd9f259acca75708f4af10b5be

  • SHA1

    f6b4ea28d304e1f9205c1c0b970d60ee989402f2

  • SHA256

    429e01b0e06b02a55bafb1527629f8d4c5f64d9b21ac9f81484a3928fdce6dc9

  • SHA512

    a995ebf4d142452aabb419f0cacfa5412d03532840cb08c37dd7c00001dee521bf9d0da66ac4346b07dffd91fe01fa3115fa05811acbd43d380320dca1be4aa8

  • SSDEEP

    1536:Sn1KqRJ9x3jnIbslu8JFNDfIDIO40nToIfqFwr:Sn1KUhrIbsTIl4YTBfqa

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe
    "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\1017.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\System32\takeown.exe
        takeown /f logonui.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
      • C:\Windows\System32\icacls.exe
        icacls logonui.exe /granted "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1796
      • C:\Windows\System32\takeown.exe
        takeown /f sethc.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Windows\System32\icacls.exe
        icacls sethc.exe /granted "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2172
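
The process tree above is the preparation step of a pre-logon accessibility-binary hijack: a batch file dropped to Temp\1\1017.bat takes ownership of logonui.exe and sethc.exe and grants the Admin account full control, which is what must happen before those protected System32 files can be overwritten. Two details are worth reading from the recorded command lines. `C:\Windows\sysnative\cmd.exe` is the WoW64 alias a 32-bit process uses to reach the 64-bit System32 (hence the resolved image path `C:\Windows\system32\cmd.exe`). And `/granted` is not an icacls switch (the valid form is `/grant`, and icacls rejects unknown switches), so a detection must not key on a well-formed grant; the attempt is the signal. The Python below is an added example and is not part of the sandbox report or of the sample: it runs a detector over constructed process-creation records that mirror the PIDs and command lines shown above (the record layout and field names are assumptions, not a real Sysmon schema), flags takeown/icacls/cacls invocations that name a watched binary by basename, and reconstructs the parent chain for each hit.

```python
"""Detect ownership/ACL tampering against Windows accessibility binaries.

Added example, not code from the sandbox report or the analysed sample.
The records in SAMPLE_EVENTS are constructed to mirror the report's process
tree (PIDs, images and command lines); the ProcEvent fields are an assumed
layout, not a real Sysmon or EDR schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Accessibility binaries that run as SYSTEM on the logon screen and are the
# usual targets of this technique, plus logonui.exe, which this sample hits.
WATCHED_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe",
    "displayswitch.exe", "atbroker.exe", "logonui.exe",
}
# Built-in tools used to strip the TrustedInstaller ownership and DACL.
TAMPER_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # resolved path of the created process
    cmdline: str    # command line exactly as recorded


@dataclass(frozen=True)
class Finding:
    pid: int
    tool: str
    target: str
    chain: tuple    # image basenames, outermost known ancestor first


# Constructed records mirroring the report's process tree; ppid 1234 for the
# root is an assumption (the report does not show WinScrew.exe's parent).
SAMPLE_EVENTS = [
    ProcEvent(2416, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"'),
    ProcEvent(3044, 2416, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\1017.bat '
              r'C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"'),
    ProcEvent(2648, 3044, r"C:\Windows\System32\takeown.exe", "takeown /f logonui.exe"),
    ProcEvent(1796, 3044, r"C:\Windows\System32\icacls.exe", 'icacls logonui.exe /granted "Admin":F'),
    ProcEvent(2036, 3044, r"C:\Windows\System32\takeown.exe", "takeown /f sethc.exe"),
    ProcEvent(2172, 3044, r"C:\Windows\System32\icacls.exe", 'icacls sethc.exe /granted "Admin":F'),
    # Constructed benign noise: an admin changing the ACL of an ordinary file.
    ProcEvent(4100, 1234, r"C:\Windows\System32\icacls.exe", r"icacls C:\Data\report.docx /grant Admin:R"),
]

_TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted run or whitespace-delimited run


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path or bare file name."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list:
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def watched_target(cmdline: str):
    """Return the first watched binary named by any argument, else None.

    Matching is on basename only, because the recorded commands use bare
    names (``takeown /f sethc.exe``) rather than full System32 paths, and the
    switches are ignored entirely, so an unusual or mistyped switch such as
    the report's ``/granted`` cannot hide the attempt.
    """
    for tok in tokens(cmdline)[1:]:
        if tok.startswith("/"):
            continue
        if basename(tok) in WATCHED_BINARIES:
            return basename(tok)
    return None


def ancestry(event: ProcEvent, by_pid: dict) -> tuple:
    """Walk ppid links upward; stops at an unknown parent or a pid cycle."""
    chain, seen, cur = [], set(), event
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return tuple(reversed(chain))


def detect(events) -> list:
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        tool = basename(e.image)
        if tool not in TAMPER_TOOLS:
            continue
        target = watched_target(e.cmdline)
        if target is not None:
            findings.append(Finding(e.pid, tool, target, ancestry(e, by_pid)))
    return findings


def summarize(findings) -> dict:
    """Map each targeted binary to the set of tools used against it.

    A binary hit by both takeown and icacls has had ownership taken and its
    DACL rewritten: the complete preparation for overwriting it.
    """
    out = defaultdict(set)
    for f in findings:
        out[f.target].add(f.tool)
    return dict(out)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.tool} -> {f.target} via {' > '.join(f.chain)}")
    print(summarize(SAMPLE_EVENTS and detect(SAMPLE_EVENTS)))
```

On a real host the same records come from Sysmon event ID 1 or Security event 4688 (with command-line auditing enabled); the parent chain is what turns two individually noisy built-ins into a high-confidence alert, since takeown and icacls spawned by a cmd.exe whose parent lives under a user's Temp directory is not how an administrator repairs System32 permissions.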

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1\1017.bat

    Filesize

    347B

    MD5

    2d6137c014799e13eb4ed488b2fb6f24

    SHA1

    ba8b8734a2fec8bd5d83fb9f82839be299842f83

    SHA256

    e8e180570ec4e0aa25663250ace1d1eb45404ef6c25f5680f90391d6e30b7b0e

    SHA512

    53afcd651e0daca461c20164536a541e0e48be2286bc4952494dc9eec1a23994f11430ce6f3c1dc28b90ba3b8a1d28446bd0d357bbc620243aa9cd6b35506c3c