Malware Analysis Report

2024-11-16 12:27

Sample ID 240321-ttcz3afc86
Target dc1266f06aa1e2db8308f82ca85aa47f
SHA256 20c061b34f6b0656a44c0e7c89777e5715602eb220f523e69cafae9973deacb2
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

20c061b34f6b0656a44c0e7c89777e5715602eb220f523e69cafae9973deacb2

Threat Level: Likely malicious

The file dc1266f06aa1e2db8308f82ca85aa47f was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 16:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 16:20

Reported

2024-03-21 16:23

Platform

win10v2004-20240226-en

Max time kernel

122s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe

"C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.134.221.88.in-addr.arpa udp

Files

memory/1052-0-0x0000000000160000-0x00000000002AE000-memory.dmp

memory/1052-1-0x00007FFC22660000-0x00007FFC23121000-memory.dmp

memory/1052-2-0x000000001AE70000-0x000000001AE80000-memory.dmp

memory/1052-5-0x00007FFC22660000-0x00007FFC23121000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 16:20

Reported

2024-03-21 16:23

Platform

win7-20240221-en

Max time kernel

118s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\LogonUI.exe C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe

"C:\Users\Admin\AppData\Local\Temp\dc1266f06aa1e2db8308f82ca85aa47f.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32 /grant "Admin:F"

Network

N/A

Files

memory/2176-0-0x0000000000110000-0x000000000025E000-memory.dmp

memory/2176-1-0x000007FEF5940000-0x000007FEF632C000-memory.dmp

memory/2176-2-0x000000001AFB0000-0x000000001B030000-memory.dmp

memory/2176-4-0x000007FEF5940000-0x000007FEF632C000-memory.dmp