01ee8f74dace7c4cec68e020350e1b6637b5f6fd36c4afd2e62a41d2056db304

Analysis

max time kernel
40s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

overemptiness.exe
Size

18.8MB
MD5

8d6910b4e8e10febdcd363d5f436485f
SHA1

ffd58b7027338ea88717f240c1ac131504b3ce5f
SHA256

01ee8f74dace7c4cec68e020350e1b6637b5f6fd36c4afd2e62a41d2056db304
SHA512

736dfa4cb021646b6eb61076ac34d622ddb25a5d90296f5c6fe602053aee5f118f564c45675d72aa824007c06d9e275baed94ca347de94455688e7aa53aa3d45
SSDEEP

393216:5t8c7Ej86oji7W9IFdUDWjfLb4QD4NT9L6lDEoXMeBb4tFRAC1/gb:5t8mK86SeDQofQKiTN6lDEoUjRp1

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
3008	icacls.exe
4856	takeown.exe
928	icacls.exe
1708	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	overemptiness.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1708	takeown.exe
3008	icacls.exe
4856	takeown.exe
928	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	raw.githubusercontent.com
38	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	icanhazip.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\OpenSSH\MSAudDecMFT.dll	overemptiness.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3028	overemptiness.exe
3028	overemptiness.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe
3028	overemptiness.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 34	4332	tzutil.exe
Token: SeTakeOwnershipPrivilege	1708	takeown.exe
Token: SeTakeOwnershipPrivilege	4856	takeown.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 5008	3028	overemptiness.exe	92
PID 3028 wrote to memory of 5008	3028	overemptiness.exe	92
PID 3028 wrote to memory of 4964	3028	overemptiness.exe	93
PID 3028 wrote to memory of 4964	3028	overemptiness.exe	93
PID 3028 wrote to memory of 1160	3028	overemptiness.exe	94
PID 3028 wrote to memory of 1160	3028	overemptiness.exe	94
PID 3028 wrote to memory of 2608	3028	overemptiness.exe	96
PID 3028 wrote to memory of 2608	3028	overemptiness.exe	96
PID 1160 wrote to memory of 4332	1160	cmd.exe	97
PID 1160 wrote to memory of 4332	1160	cmd.exe	97
PID 3028 wrote to memory of 2796	3028	overemptiness.exe	98
PID 3028 wrote to memory of 2796	3028	overemptiness.exe	98
PID 3028 wrote to memory of 1684	3028	overemptiness.exe	99
PID 3028 wrote to memory of 1684	3028	overemptiness.exe	99
PID 3028 wrote to memory of 1564	3028	overemptiness.exe	100
PID 3028 wrote to memory of 1564	3028	overemptiness.exe	100
PID 1564 wrote to memory of 1708	1564	cmd.exe	101
PID 1564 wrote to memory of 1708	1564	cmd.exe	101
PID 3028 wrote to memory of 2196	3028	overemptiness.exe	102
PID 3028 wrote to memory of 2196	3028	overemptiness.exe	102
PID 2196 wrote to memory of 3008	2196	cmd.exe	103
PID 2196 wrote to memory of 3008	2196	cmd.exe	103
PID 3028 wrote to memory of 2216	3028	overemptiness.exe	104
PID 3028 wrote to memory of 2216	3028	overemptiness.exe	104
PID 3028 wrote to memory of 4304	3028	overemptiness.exe	105
PID 3028 wrote to memory of 4304	3028	overemptiness.exe	105
PID 3028 wrote to memory of 1808	3028	overemptiness.exe	106
PID 3028 wrote to memory of 1808	3028	overemptiness.exe	106
PID 3028 wrote to memory of 1392	3028	overemptiness.exe	108
PID 3028 wrote to memory of 1392	3028	overemptiness.exe	108
PID 3028 wrote to memory of 4708	3028	overemptiness.exe	110
PID 3028 wrote to memory of 4708	3028	overemptiness.exe	110
PID 3028 wrote to memory of 1052	3028	overemptiness.exe	112
PID 3028 wrote to memory of 1052	3028	overemptiness.exe	112
PID 3028 wrote to memory of 3804	3028	overemptiness.exe	113
PID 3028 wrote to memory of 3804	3028	overemptiness.exe	113
PID 1808 wrote to memory of 4856	1808	cmd.exe	115
PID 1808 wrote to memory of 4856	1808	cmd.exe	115
PID 1392 wrote to memory of 928	1392	cmd.exe	116
PID 1392 wrote to memory of 928	1392	cmd.exe	116
PID 3028 wrote to memory of 1036	3028	overemptiness.exe	117
PID 3028 wrote to memory of 1036	3028	overemptiness.exe	117
PID 3028 wrote to memory of 4404	3028	overemptiness.exe	120
PID 3028 wrote to memory of 4404	3028	overemptiness.exe	120

C:\Users\Admin\AppData\Local\Temp\overemptiness.exe
"C:\Users\Admin\AppData\Local\Temp\overemptiness.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C tzutil /s "W. Europe Standard Time"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\system32\tzutil.exe
    tzutil /s "W. Europe Standard Time"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c takeown /F %systemroot%\System32\MSAudDecMFT.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\MSAudDecMFT.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls %systemroot%\System32\MSAudDecMFT.dll /grant "%username%":F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\MSAudDecMFT.dll /grant "Admin":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del %systemroot%\System32\MSAudDecMFT.dll
  2⤵
  PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /f /Q %systemroot%\System32\MSAudDecMFT.dll
  2⤵
  PID:4304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C takeown /F %systemroot%\System32\MSAudDecMFT.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\MSAudDecMFT.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C icacls %systemroot%\System32\MSAudDecMFT.dll /grant "%username%":F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\MSAudDecMFT.dll /grant "Admin":F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del %systemroot%\System32\MSAudDecMFT.dll
  2⤵
  PID:4708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /Q %systemroot%\System32\MSAudDecMFT.dll
  2⤵
  PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-0-0x00000001411C3000-0x0000000141F13000-memory.dmp

Filesize
13.3MB

Download
memory/3028-1-0x00007FFFF6EB0000-0x00007FFFF6EB2000-memory.dmp

Filesize
8KB

Download
memory/3028-2-0x0000000140000000-0x00000001431D9000-memory.dmp

Filesize
49.8MB

Download
memory/3028-3-0x0000000140000000-0x00000001431D9000-memory.dmp

Filesize
49.8MB

Download