Analysis Overview
SHA256
85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
Threat Level: Likely malicious
The file PCToaster.exe was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Modifies file permissions
Enumerates connected drives
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 14:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 14:47
Reported
2024-06-20 14:50
Platform
win7-20231129-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\PCToaster.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 2180 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\PCToaster.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 2180 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\PCToaster.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
| PID 2180 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\PCToaster.exe | C:\Program Files\Java\jre7\bin\javaw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\PCToaster.exe
"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
Network
Files
memory/2180-0-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2044-3-0x0000000002640000-0x00000000028B0000-memory.dmp
memory/2044-11-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2044-14-0x0000000002640000-0x00000000028B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 14:47
Reported
2024-06-20 14:50
Platform
win10v2004-20240508-en
Max time kernel
106s
Max time network
55s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\takeown.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SYSTEM32\takeown.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SYSTEM32\mountvol.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SYSTEM32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PCToaster.exe
"C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PCToaster.exe"
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
C:\Windows\SYSTEM32\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\scr.txt
C:\Windows\SYSTEM32\diskpart.exe
diskpart /s C:\Users\Admin\AppData\Local\Temp\scr.txt
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SYSTEM32\takeown.exe
takeown /f V:\Boot /r
C:\Windows\SYSTEM32\takeown.exe
takeown /f V:\Recovery /r
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
C:\Windows\SYSTEM32\taskkill.exe
taskkill /im lsass.exe /f
C:\Windows\SYSTEM32\mountvol.exe
mountvol A: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol B: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol D: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol E: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol F: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol G: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol H: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol I: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol J: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol K: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol L: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol M: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol N: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol O: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol P: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Q: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol R: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol S: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol T: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol U: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol V: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol W: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol X: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Y: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol Z: /d
C:\Windows\SYSTEM32\mountvol.exe
mountvol C: /d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 239.255.255.250:3702 | udp | |
| US | 8.8.8.8:53 | c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa | udp |
| N/A | 239.255.255.250:3702 | udp |
Files
memory/4504-0-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3976-3-0x000002A093350000-0x000002A0935C0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | ce0f4cdd8c73e8bfdd8f7c36fc51989c |
| SHA1 | cbfee3a71a6a4a269105b87f90d7f38a45c3da0b |
| SHA256 | a9aaac48e94fd8b5e296ccd99e2a4d73639f7c2b3b2c35bc02e8fc6cb5040856 |
| SHA512 | 0a597b9a1a26193041e911f29b688db8015e28de713030832818d27e536d28f033a20aa44a4f994d31903ba8adfb2d8d6548018d4fac45dbd9eb2a49bda7be16 |
C:\Users\Admin\AppData\Local\Temp\scr.txt
| MD5 | ad1869d6f0b2b809394605d3e73eeb74 |
| SHA1 | 4bdedd14bfea9f891b98c4cc82c5f82a58df67f6 |
| SHA256 | 7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394 |
| SHA512 | 8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136 |
memory/3976-24-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-27-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-30-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-33-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-35-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3212-42-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-43-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-44-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-54-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-53-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-52-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-51-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-50-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-49-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3212-48-0x0000017B3DB60000-0x0000017B3DB61000-memory.dmp
memory/3976-55-0x000002A093350000-0x000002A0935C0000-memory.dmp
memory/3976-58-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-79-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-96-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-99-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-103-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-104-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-106-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-109-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-114-0x000002A091A80000-0x000002A091A81000-memory.dmp
memory/3976-115-0x000002A091A80000-0x000002A091A81000-memory.dmp