Analysis

  • max time kernel
    9s
  • max time network
    2s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    18-05-2024 14:21

General

  • Target

    Itachi14.exe

  • Size

    3.7MB

  • MD5

    24993cbce166b6aa35ac53606afeea76

  • SHA1

    26a221cafc577aed7d2939b36b9d7b2007043c5d

  • SHA256

    a1e14a5e8c81492585b8ad41bc7aea4a3200661d06ffcfb8ac633770d94316df

  • SHA512

    22a790af2876420f00a21fbe9c9c8749d74c1de2aae964b9987b7ce9242574933f4b929cd5f9e124670f89b4db11d958e6353f2033d92b3f409c161510808f28

  • SSDEEP

    98304:o5gjbnI3OkLFxD5tKZDunjxynuzSnsmtk2aCwdMK0UsBDvRmvpLICugLPdGf9N+2:pLNw0UCvNMPcz+B0UCvNMPcz+/LN

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 1 IoCs
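A check for the MBR write flagged above, as an added example that is not part of the sandbox report: from an elevated PowerShell session it reads sector 0 of the first physical disk, verifies the 0x55AA boot signature, hashes the 446-byte bootstrap area so it can be diffed against a copy taken from a clean image, and decodes the four partition-table entries. The device name and the baseline file path in the trailing comment are assumptions; the report states only that the sample wrote to the MBR, not what it wrote.

```powershell
# Added example: read and sanity-check the first sector of PhysicalDrive0.
# Requires an elevated session. Device name and baseline path are assumptions.
function Get-BootSector {
    param([string]$Device = '\\.\PhysicalDrive0')
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf  = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "short read from ${Device}: $read bytes" }
        return $buf
    } finally { $fs.Dispose() }
}

function Test-Mbr {
    param([byte[]]$Sector)
    $result = [ordered]@{}
    # Bytes 510-511 must be 0x55 0xAA; a BIOS will not boot the disk otherwise.
    $result.SignatureOk = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
    # Bytes 0-445 hold the bootstrap code; hash it for comparison with a clean baseline.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $result.BootCodeSha256 = ([System.BitConverter]::ToString($sha.ComputeHash($Sector, 0, 446))) -replace '-', ''
    # Four 16-byte partition entries start at offset 446: boot flag, CHS start,
    # type, CHS end, LBA start (uint32), sector count (uint32).
    $parts = for ($i = 0; $i -lt 4; $i++) {
        $e = 446 + 16 * $i
        if ($Sector[$e + 4] -ne 0) {
            [pscustomobject]@{
                Index    = $i
                Bootable = ($Sector[$e] -eq 0x80)
                Type     = ('0x{0:X2}' -f $Sector[$e + 4])
                StartLba = [System.BitConverter]::ToUInt32($Sector, $e + 8)
                Sectors  = [System.BitConverter]::ToUInt32($Sector, $e + 12)
            }
        }
    }
    $result.Partitions = $parts
    return $result
}

$mbr   = Get-BootSector
$check = Test-Mbr $mbr
$check

# Baseline workflow (hypothetical path): save the sector on a clean image and
# compare the bootstrap hash on the suspect host.
#   [IO.File]::WriteAllBytes('C:\baseline\mbr.bin', $mbr)            # clean image
#   $base = [IO.File]::ReadAllBytes('C:\baseline\mbr.bin')            # suspect host
#   (Test-Mbr $base).BootCodeSha256 -eq $check.BootCodeSha256
```

A valid signature alone says nothing about tampering, since a bootkit keeps it intact; the bootstrap-code hash against a clean baseline is the useful comparison.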

Processes

  • C:\Users\Admin\AppData\Local\Temp\Itachi14.exe
    "C:\Users\Admin\AppData\Local\Temp\Itachi14.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1836
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Videos\Note.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2160
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2604
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32 /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2616
    • C:\Windows\System32\MBR.exe
      "C:\Windows\System32\MBR.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_MBR.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        PID:2864
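A host-side triage script for the behaviours in the process tree, as an added example that is not part of the report. It reads the Winlogon, Run and Policies\System values that the signature names point at, checks the owner and ACL of C:\Windows\System32 after the takeown/icacls chain, and looks for the dropped files using the SHA256 values listed under Downloads. The report does not state which registry value names the sample touched, so the value names below are assumptions drawn from the signature names and well-known Windows defaults; the Temp and Videos paths assume the script runs as the user who executed the sample. Run elevated, PowerShell 4 or later.

```powershell
# Added example: triage checks for the persistence, policy and ACL changes
# named in the sandbox signatures. Registry value names are assumptions.
$findings = @()
function Add-Finding([string]$Check, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Check = $Check; Detail = $Detail }
}

# 1. Winlogon persistence: Shell and Userinit should still hold their defaults.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') { Add-Finding 'Winlogon\Shell' $wl.Shell }
if ($wl.Userinit -and $wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
    Add-Finding 'Winlogon\Userinit' $wl.Userinit
}

# 2. Run keys in both hives: flag entries pointing at the dropped MBR.exe or at Temp.
foreach ($hive in 'HKLM', 'HKCU') {
    $props = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            if ($p.Value -match 'MBR\.exe|\\Temp\\') { Add-Finding "$hive Run\$($p.Name)" $p.Value }
        }
    }
}

# 3. Policy values behind "Disables RegEdit", "Disables Task Manager" and the UAC check.
foreach ($hive in 'HKLM', 'HKCU') {
    $pp = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
    if ($pp.DisableRegistryTools -ge 1) { Add-Finding "$hive DisableRegistryTools" $pp.DisableRegistryTools }
    if ($pp.DisableTaskMgr -eq 1)       { Add-Finding "$hive DisableTaskMgr" $pp.DisableTaskMgr }
    if ($hive -eq 'HKLM' -and $pp.EnableLUA -eq 0) { Add-Finding 'EnableLUA' '0 (UAC disabled)' }
}

# 4. System32 ownership and ACL: takeown moves the owner off TrustedInstaller,
#    icacls /grant adds a FullControl ACE for the user.
$acl = Get-Acl -Path 'C:\Windows\System32'
if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') { Add-Finding 'System32 owner' $acl.Owner }
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $ace.FileSystemRights.ToString() -match 'FullControl' -and
        $ace.IdentityReference -notmatch 'TrustedInstaller|SYSTEM') {
        Add-Finding 'System32 FullControl ACE' $ace.IdentityReference
    }
}

# 5. Dropped files, matched against the SHA256 values in the report's Downloads list.
$dropped = @{
    'C:\Windows\System32\MBR.exe'      = 'dcf2180004efebe41e00b057234df218c1c05f0add1509125a9724f125a30f97'
    'C:\Program Files\darkpcm.wav'     = '5127d449b33156073e314cb774949d433341ea84238f14de598f82359e52e6fb'
    "$env:USERPROFILE\Videos\Note.txt" = '88ac0a64c577c26fceabf42c104cac21df3e861743f144d9dd881877082617ea'
    "$env:TEMP\._cache_MBR.exe"        = 'a369873db29763760ff3031ccc46505fd8ea715a4ade7e05ef503b32627d949c'
}
foreach ($path in $dropped.Keys) {
    if (Test-Path -LiteralPath $path) {
        $h = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $state = if ($h -eq $dropped[$path]) { 'hash matches report' } else { "present, hash differs: $h" }
        Add-Finding "Dropped file $path" $state
    }
}

$findings | Format-Table -AutoSize
```

The ACL check is the one most worth keeping after cleanup: even once the dropped files are gone, a System32 directory owned by a user account with a FullControl ACE lets any later process running as that user replace system binaries, which the sandbox signature "Possible privilege escalation attempt" is pointing at.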

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\darkpcm.wav

    Filesize

    938KB

    MD5

    42fd98add941a9eaad60d02567ad6ce6

    SHA1

    22889f394658cf25af344ff76ba6d93e939f7e2c

    SHA256

    5127d449b33156073e314cb774949d433341ea84238f14de598f82359e52e6fb

    SHA512

    562b88a37e5c070d213c942a8cc074437c5adeaa6a7e9725e661ff0f70e19a8a1e0397f6f1f6796e813c45dd8f0d499078a88e3450939993c22f7fe705782354

  • C:\Users\Admin\Videos\Note.txt

    Filesize

    104B

    MD5

    f9a3021079230ae092939240aa8bf586

    SHA1

    9c8f705d468bbac25e6e3d5acda59fe18a2f5b10

    SHA256

    88ac0a64c577c26fceabf42c104cac21df3e861743f144d9dd881877082617ea

    SHA512

    f1291e2e5910e7e20f77bbd9285ea6751f3b99e7ef2a6827f9233fde31e4828026e09ff374c8455057efec20e6ec06ddff9abe11ae62b07fa0a80c5871afa9d0

  • C:\Windows\System32\MBR.exe

    Filesize

    809KB

    MD5

    298749b226539c7fbd902d48e569eb0f

    SHA1

    a20706bdd4d0fbaf1a109fd5519c154270a3a6fc

    SHA256

    dcf2180004efebe41e00b057234df218c1c05f0add1509125a9724f125a30f97

    SHA512

    185ef5cbf21179dab8d0c2fa3962695a7b2305acb29a1b77fe291965ab541c12ddd354eca05dc75b1c59851fd3742cc0183209908f320afae77e8c67765ade40

  • \Users\Admin\AppData\Local\Temp\._cache_MBR.exe

    Filesize

    56KB

    MD5

    15ab83fb10ce58353ab3f206990e698a

    SHA1

    54be6c19063a68d385eb3d7ba64a812b95ccb438

    SHA256

    a369873db29763760ff3031ccc46505fd8ea715a4ade7e05ef503b32627d949c

    SHA512

    e2ca16f2ac5ad4e989b01ea356d422efc69a0b6f7497ee8e74ed2b4af224f549fa9d4a4ce5e8f5888ea5c63572b72e5f51dfe78ef143b2c7452e3612c13d1aca

  • memory/1836-0-0x000007FEF57D3000-0x000007FEF57D4000-memory.dmp

    Filesize

    4KB

  • memory/1836-1-0x0000000000BA0000-0x0000000000F5E000-memory.dmp

    Filesize

    3.7MB

  • memory/1836-2-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

    Filesize

    9.9MB

  • memory/2864-25-0x0000000000010000-0x0000000000028000-memory.dmp

    Filesize

    96KB

  • memory/2864-28-0x00000000003F0000-0x00000000003F6000-memory.dmp

    Filesize

    24KB