Analysis Overview
SHA256: 83fe0ebc31413bb25767a473a559ed684f18fd7a912fdb9d064e45d5f46b84b1
Threat Level: Likely malicious
The file b8d7e60c2d30188fb56de8819b2e226c was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Loads dropped DLL
Modifies file permissions
Deletes itself
Drops file in System32 directory
Unsigned PE
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-07 13:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-07 13:28
Reported: 2024-03-07 13:31
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 122s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | "C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM NVCAgent.npc |
| C:\Windows\SysWOW64\takeown.exe | takeown /F C:\Windows\system32\imm32.dll |
| C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\system32\imm32.dll /grant administrators:f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c c:\clr_f7692be.bat |
Network
Files
C:\Windows\SysWOW64\IMM32.DLL
| MD5 | 1ace4fae10b9ef9c1184aa2ce8030fca |
| SHA1 | 0bc4a69788894a8377b654c3a4ea1a9b15264790 |
| SHA256 | fcb1ea98db1a802681ab9dd894c329eb3ee7dc941d43b04826be561e6213f155 |
| SHA512 | 8540ad9ac2cde82d29f93b7cca3122ff5b93957230aeeb9d1f58842cb344bec83fb316786d1c76216d27c143b79ab6fbb1d198f43f36b8fad60f724a853af2f2 |
C:\Windows\SysWOW64\ole.dll
| MD5 | 1abf0f1e4b80ace83c3fb9c8a4b065a7 |
| SHA1 | f844bd0d0d10241fadafa7e90e69653fdfac99d4 |
| SHA256 | e4fc83df6936dacac02d8463b496f533133b1ebadb774d6f0aa8154dcf6d01ae |
| SHA512 | ea5cb7ff5bace90b4c2e81f11fa8dcbaee90c18d3cffbbf22752057c47a9c8a5fb500e3de2bfc95cde8c82bc20d212176a295c7515f5370984429e4d553b8eff |
memory/2492-12-0x0000000075350000-0x00000000753C0000-memory.dmp
\??\c:\clr_f7692be.bat
| MD5 | 2b006c0f06d2a09b7b8c8d67d5a6e97b |
| SHA1 | 74fb65bd7db7ff67aff3f3e2db2273740a172bc2 |
| SHA256 | 65c60b56c33e25676fb2fa1f7331bd2f2264ce179ce7a3e9604a94d19619f35d |
| SHA512 | c403b24077d7047f9a08f714890ee80a634c883ac68fa9276e8e4011817b7f25cc29cfe198171fdb3b7850ff5379175b5615052d86a5f2f8e5db81db8274b916 |
memory/2492-15-0x0000000075350000-0x00000000753C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-07 13:28
Reported: 2024-03-07 13:31
Platform: win10v2004-20240226-en
Max time kernel: 164s
Max time network: 174s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\ole.dll | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\imm32.dll.log | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| File created | C:\Windows\SysWOW64\imm32.dll | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe | "C:\Users\Admin\AppData\Local\Temp\b8d7e60c2d30188fb56de8819b2e226c.exe" |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM NVCAgent.npc |
| C:\Windows\SysWOW64\takeown.exe | takeown /F C:\Windows\system32\imm32.dll |
| C:\Windows\SysWOW64\icacls.exe | icacls C:\Windows\system32\imm32.dll /grant administrators:f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c c:\clr_e57eb5a.bat |
Network
Files
memory/4952-9-0x0000000076BE0000-0x0000000076C05000-memory.dmp
\??\c:\clr_e57eb5a.bat
| MD5 | b05b955e9fb5a310c63884f022a2f898 |
| SHA1 | 4e0b1ce84b1236f71fbab292b43be9ab6659b303 |
| SHA256 | 6a4c7c59998fc6960765986234bb882a0d669bfe7b0982febc69be05f227ced5 |
| SHA512 | 92831b363fbcc170203e52b80e3139f7ab424770de1249afa6e934664b3e12811d75b37aad4a128a6243e9aba9bf43e595ce2ed5dd073d58b5c2c255f0366ff1 |