Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21-05-2024 14:31
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
  - Resource: win7-20240221-en
General
- Target: 3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
- Size: 326KB
- MD5: a59664f37c25edaa69c39a65490ed3a9
- SHA1: 01bb46541bc678fe9d97cea31cb61f3db861ba68
- SHA256: 3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d
- SHA512: 76ba5fea9e63bf091ac2f2234447ad48c93b1b21594fd2c737d24073efc2871265c83622364764c886769d579c727784c045d3d4b2fc0a6e778dc30e64f1f393
- SSDEEP: 6144:Rj8KWXflIwycVYUcBrcisb765kohreOCSYA/U:+Kkfl3x0BrcdEkoWCc
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 2548), icacls.exe (PID 2584)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 2180)
- Executes dropped EXE (1 IoC)
  Processes: wmpnetwk.exe (PID 2476)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 2548), icacls.exe (PID 2584)
- Drops file in Program Files directory (5 IoCs)
  Process: 3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe (PID 2972)
    File created: C:\Program Files\Windows Media Player\background.jpg
    File created: C:\Program Files\Windows Media Player\mpsvc.dll
    File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
    File created: C:\Program Files\Windows Media Player\wmixedwk.exe
    File opened for modification: C:\Program Files\Windows Media Player\wmixedwk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  takeown.exe (PID 2548): Token: SeTakeOwnershipPrivilege
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2972 (3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe) wrote to memory of PID 2756 (cmd.exe), 3 events
  PID 2756 (cmd.exe) wrote to memory of PID 2548 (takeown.exe), 3 events
  PID 2756 (cmd.exe) wrote to memory of PID 2584 (icacls.exe), 3 events
  PID 2972 (3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe) wrote to memory of PID 2180 (cmd.exe), 3 events
  PID 2180 (cmd.exe) wrote to memory of PID 2296 (PING.EXE), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe (PID 2972)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2756)
    Command line: "C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe (PID 2548)
      Command line: takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (PID 2584)
      Command line: icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\system32\cmd.exe (PID 2180)
    Command line: cmd /c ""C:\kkxqbh.bat" "
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 2296)
      Command line: ping 127.0.0.1 -n 3
      Signatures: Runs ping.exe
- C:\Program Files\Windows Media Player\wmpnetwk.exe (PID 2476)
  Command line: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
  Signatures: Executes dropped EXE
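Read together, the Signatures and the process tree record one chain: the sample writes files into C:\Program Files\Windows Media Player (among them a 23KB wmpnetwk.exe), spawns cmd.exe to run takeown and then icacls against the wmpnetwk.exe path in that directory (the takeown step is what lets an Administrator overwrite a file that the default ACL on that directory protects), runs C:\kkxqbh.bat through a second cmd.exe whose child is ping 127.0.0.1 -n 3 (the usual delay before a self-deleting batch removes the dropper), and the wmpnetwk.exe at that path is later executed. The script below is an added example, not code from the report or from the sample: it reconstructs the tree from process-creation records constructed from the tree above (PIDs, images and command lines copied from it; the record schema and the parent PIDs 1000 and 5000 of the two top-level processes are assumed) and flags the three observable stages, which is a more general detection than the single sample shown here.

```python
"""Flag the takeown -> icacls -> replaced binary -> self-delete chain from
process-creation records.

Added example, not code from the Triage report or from the sample. EVENTS is
constructed from the report's process tree; the (pid, ppid, image, cmdline)
schema and the PPIDs 1000/5000 of the two top-level processes are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = "3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
WMP_EXE = r"C:\Program Files\Windows Media Player\wmpnetwk.exe"

# Directories whose files an ordinary process should never re-own or re-ACL.
PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
BATCH_RE = re.compile(r'([A-Za-z]:\\[^"\s]*?\.(?:bat|cmd))\b', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the launched executable
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    path: str       # the file the rule keyed on


# Constructed from the report's process tree (PPIDs 1000 and 5000 are placeholders).
EVENTS = [
    ProcEvent(2972, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2756, 2972, r"C:\Windows\System32\cmd.exe",
              f'cmd /c takeown /f "{WMP_EXE}" && icacls "{WMP_EXE}" /grant administrators:F'),
    ProcEvent(2548, 2756, r"C:\Windows\system32\takeown.exe", f'takeown /f "{WMP_EXE}"'),
    ProcEvent(2584, 2756, r"C:\Windows\system32\icacls.exe",
              f'icacls "{WMP_EXE}" /grant administrators:F'),
    ProcEvent(2180, 2972, r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\kkxqbh.bat" "'),
    ProcEvent(2296, 2180, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1 -n 3"),
    ProcEvent(2476, 5000, WMP_EXE, f'"{WMP_EXE}"'),
]


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted runs whole."""
    return [q or b for q, b in ARG_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def acl_target(ev: ProcEvent) -> Optional[str]:
    """File that a takeown.exe (/f <path>) or icacls.exe (<path> ...) call acts on."""
    args, name = split_args(ev.cmdline), basename(ev.image)
    if name == "takeown.exe":
        for i, a in enumerate(args[:-1]):
            if a.lower() == "/f":
                return args[i + 1]
    elif name == "icacls.exe" and len(args) > 1:
        return args[1]
    return None


def find_acl_tampering(events: List[ProcEvent]) -> List[Finding]:
    """Stage 1: ownership/ACL changes on files under protected directories."""
    found = []
    for ev in events:
        target = acl_target(ev)
        if target and target.lower().startswith(PROTECTED_ROOTS):
            found.append(Finding("acl_tamper_protected_path", ev.pid, target))
    return found


def find_tampered_binary_execution(events: List[ProcEvent], tampered: List[Finding]) -> List[Finding]:
    """Stage 2: a process whose image is a path that stage 1 flagged."""
    paths = {f.path.lower() for f in tampered}
    return [Finding("exec_of_acl_tampered_binary", ev.pid, ev.image)
            for ev in events if ev.image.lower() in paths]


def find_ping_sleep_batch(events: List[ProcEvent]) -> List[Finding]:
    """Stage 3: cmd.exe running a .bat/.cmd whose child is 'ping <loopback> -n N'."""
    children: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    found = []
    for ev in events:
        m = BATCH_RE.search(ev.cmdline) if basename(ev.image) == "cmd.exe" else None
        if not m:
            continue
        for child in children.get(ev.pid, []):
            args = [a.lower() for a in split_args(child.cmdline)]
            if (basename(child.image) == "ping.exe" and "-n" in args
                    and any(a in ("127.0.0.1", "localhost", "::1") for a in args)):
                found.append(Finding("ping_sleep_batch", ev.pid, m.group(1)))
                break
    return found


def analyze(events: List[ProcEvent]) -> List[Finding]:
    acl = find_acl_tampering(events)
    return acl + find_tampered_binary_execution(events, acl) + find_ping_sleep_batch(events)


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.path}")
```

Stage 2 is the one worth keeping even when the other two are noisy: takeown/icacls under Program Files has legitimate uses (installers, repair tools), but a process starting from a path whose ACL was altered moments earlier by an unrelated parent is the replaced-binary signal. On a live host the same check is completed by hashing the on-disk wmpnetwk.exe and comparing it with the dropped file's SHA256 listed under Downloads.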
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Program Files\Windows Media Player\wmpnetwk.exe
  Filesize: 23KB
  MD5: 90b85ffbdeead1be861d59134ea985b0
  SHA1: 55e9859aa7dba87678e7c529b571fdf6b7181339
  SHA256: ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2
  SHA512: 8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce
- C:\kkxqbh.bat
  Filesize: 135B
  MD5: 213c3f1aa1f2ee05f1c6618d192fffc5
  SHA1: a517128a03b995935ff9cce15916ba84250f28b0
  SHA256: 8d68538bab28f4e7bd4af85a501e13fb228aae17ab8d5c17abceefa94948b607
  SHA512: efabf818a1a1efdf4c448dd8fc98f2956866d80d5cc3b05e00561a767628d3cf3d7912782218acc234ec1e752dc3be0150ba87f00039fdd9f4eaa7922ddd01fe
- memory/2972-0-0x000000013F16A000-0x000000013F16B000-memory.dmp
  Filesize: 4KB
- memory/2972-3-0x0000000002220000-0x000000000224C000-memory.dmp
  Filesize: 176KB
- memory/2972-5-0x000000013F150000-0x000000013F1A6000-memory.dmp
  Filesize: 344KB
- memory/2972-27-0x0000000002220000-0x000000000224C000-memory.dmp
  Filesize: 176KB