Analysis Overview
SHA256
105e3099c7568b5e916e293750666d65dc35101ded8f76bdca82dfa4505334bd
Threat Level: Likely malicious
The file grafler.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 20:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 20:59
Reported
2024-06-14 20:59
Platform
win10v2004-20240611-en
Max time kernel
33s
Max time network
35s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\grafler.exe
"C:\Users\Admin\AppData\Local\Temp\grafler.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /f C:\Windows\System32\taskmgr.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c icacls C:\Windows\System32\taskmgr.exe /grant administrators:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\taskmgr.exe /grant administrators:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn "UpdateSvc" /tr "C:\Users\Admin\AppData\Local\Temp\doppel.exe" /sc onstart
C:\Windows\system32\schtasks.exe
schtasks /create /tn "UpdateSvc" /tr "C:\Users\Admin\AppData\Local\Temp\doppel.exe" /sc onstart
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 20:59
Reported
2024-06-14 20:59
Platform
win7-20240221-en
Max time kernel
0s
Max time network
0s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\grafler.exe
"C:\Users\Admin\AppData\Local\Temp\grafler.exe"