28216f94328e942434bc24d7af60ce691f46f2ac5f1381d6ac093d32e65489a5

Resubmissions

16-03-2024 17:14

240316-vsg33ahc39 7

16-03-2024 17:12

240316-vqyb9shb94 10

16-03-2024 15:47

240316-s8g2wsea5y 10

Analysis

max time kernel
118s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PCToaster.exe
Size

411KB
MD5

04251a49a240dbf60975ac262fc6aeb7
SHA1

e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0
SHA256

85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
SHA512

3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2
SSDEEP

3072:quJFS5Aqu+WwjxeI/0gVnfKl0FA+aPobO24yNz88iu8vDYHTlI5EJD5Hbibfd6PK:/JM0mCsWq1/qpz+nF5c

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 3 IoCs

exploit

pid	Process
3748	icacls.exe
3576	takeown.exe
4900	takeown.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3748	icacls.exe
3576	takeown.exe
4900	takeown.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	takeown.exe
File opened (read-only)	\??\V:	takeown.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3576	takeown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1844	javaw.exe
1844	javaw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1844	3620	PCToaster.exe	88
PID 3620 wrote to memory of 1844	3620	PCToaster.exe	88
PID 1844 wrote to memory of 3748	1844	javaw.exe	91
PID 1844 wrote to memory of 3748	1844	javaw.exe	91
PID 1844 wrote to memory of 2568	1844	javaw.exe	95
PID 1844 wrote to memory of 2568	1844	javaw.exe	95
PID 1844 wrote to memory of 3216	1844	javaw.exe	98
PID 1844 wrote to memory of 3216	1844	javaw.exe	98
PID 1844 wrote to memory of 3576	1844	javaw.exe	103
PID 1844 wrote to memory of 3576	1844	javaw.exe	103
PID 1844 wrote to memory of 4900	1844	javaw.exe	105
PID 1844 wrote to memory of 4900	1844	javaw.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2568	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PCToaster.exe
"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\icacls.exe
    C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3748
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +h C:\Users\Admin\AppData\Local\Temp\scr.txt
    3⤵
    - Views/modifies file attributes
    PID:2568
- - C:\Windows\SYSTEM32\diskpart.exe
    diskpart /s C:\Users\Admin\AppData\Local\Temp\scr.txt
    3⤵
    PID:3216
- - C:\Windows\SYSTEM32\takeown.exe
    takeown /f V:\Boot /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\SYSTEM32\takeown.exe
    takeown /f V:\Recovery /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Enumerates connected drives
    PID:4900

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2848

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
8bb723ac48b9445b6290586f39821a36

SHA1
12c9b9f21800ea747a44a542154eecf7a3f27ef0

SHA256
fd03577ce424c54a78789921f00f82f5b6ed1731c55a7e9258c3dfef1c5e0875

SHA512
0aa0a68c342f74d7899bbeecacd6f232d5dc5c497e12f670195755a6daec6fd4bd074831438a5a417339663ccdf1d2475fd3c715058738e8790b59097d7c11c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr.txt

Filesize
45B

MD5
ad1869d6f0b2b809394605d3e73eeb74

SHA1
4bdedd14bfea9f891b98c4cc82c5f82a58df67f6

SHA256
7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394

SHA512
8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136

Download Submit
memory/1844-5-0x000001BA2F670000-0x000001BA30670000-memory.dmp

Filesize
16.0MB

Download
memory/1844-16-0x000001BA2F650000-0x000001BA2F651000-memory.dmp

Filesize
4KB

Download
memory/1844-21-0x000001BA2F650000-0x000001BA2F651000-memory.dmp

Filesize
4KB

Download
memory/1844-22-0x000001BA2F650000-0x000001BA2F651000-memory.dmp

Filesize
4KB

Download
memory/1844-30-0x000001BA2F650000-0x000001BA2F651000-memory.dmp

Filesize
4KB

Download
memory/1844-33-0x000001BA2F650000-0x000001BA2F651000-memory.dmp

Filesize
4KB

Download
memory/1844-34-0x000001BA2F650000-0x000001BA2F651000-memory.dmp

Filesize
4KB

Download
memory/3620-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads