Malware Analysis Report

2024-12-07 14:57

Sample ID 241005-kvm2zswflp
Target 27a038ca92e6827f642732cbe73073b2123e4ad553abed41e718aa58a7d08654
SHA256 27a038ca92e6827f642732cbe73073b2123e4ad553abed41e718aa58a7d08654
Tags: defense_evasion discovery exploit
Score: 8/10

Analysis Overview

Score: 8/10

SHA256

27a038ca92e6827f642732cbe73073b2123e4ad553abed41e718aa58a7d08654

Threat Level: Likely malicious

The file 27a038ca92e6827f642732cbe73073b2123e4ad553abed41e718aa58a7d08654 was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit

Possible privilege escalation attempt

Unexpected DNS network traffic destination

Modifies file permissions

Indicator Removal: File Deletion

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Unsigned PE

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Gathers system information

Checks processor information in registry

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 08:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 08:55

Reported

2024-10-05 08:58

Platform

win7-20240903-en

Max time kernel

2s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 208.67.222.222 N/A N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe
PID 2544 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3052 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 3052 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe
PID 2364 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 3052 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe

"C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nicconfig get ipaddress

C:\Windows\System32\Wbem\WMIC.exe

wmic nicconfig get ipaddress

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c systeminfo

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f "C:\Windows\System32\ntoskrnl.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ntoskrnl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
N/A 127.0.0.1:49187 tcp
US 8.8.8.8:53 api.notion.com udp
US 172.64.146.254:443 api.notion.com tcp
N/A 127.0.0.1:49190 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 08:55

Reported

2024-10-05 08:56

Platform

win10v2004-20240802-en

Max time kernel

64s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 208.67.222.222 N/A N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe
PID 648 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2356 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe
PID 3440 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\nslookup.exe
PID 2356 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 2356 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe
PID 1960 wrote to memory of 3424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2356 wrote to memory of 3952 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe
PID 3952 wrote to memory of 5012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2356 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe

"C:\Users\Admin\AppData\Local\Temp\Furry开户工具.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic nicconfig get ipaddress

C:\Windows\System32\Wbem\WMIC.exe

wmic nicconfig get ipaddress

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\nslookup.exe

nslookup myip.opendns.com resolver1.opendns.com

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c systeminfo

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /f "C:\Windows\System32\ntoskrnl.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ntoskrnl.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls "C:\Windows\System32\ntoskrnl.exe" /grant Admin:F

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ntoskrnl.exe" /grant Admin:F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del "C:\Windows\System32\ntoskrnl.exe" /f /s /q

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

Network

Country Destination Domain Proto
US 8.8.8.8:53 resolver1.opendns.com udp
US 208.67.222.222:53 resolver1.opendns.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 222.222.67.208.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 api.notion.com udp
US 104.18.41.2:443 api.notion.com tcp
N/A 127.0.0.1:52675 tcp
N/A 127.0.0.1:52678 tcp
US 8.8.8.8:53 2.41.18.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-05 08:55

Reported

2024-10-05 08:58

Platform

win7-20240903-en

Max time kernel

14s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2936 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2428 wrote to memory of 2936 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2428 wrote to memory of 2936 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2428 -s 108

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-05 08:55

Reported

2024-10-05 08:58

Platform

win10v2004-20240802-en

Max time kernel

93s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcurl-x64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

N/A