Analysis
- max time kernel: 61s
- max time network: 3s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-10-2024 10:55

Static task: static1

Behavioral task: behavioral1
- Sample: 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe
- Resource: win10v2004-20240802-en

Errors

General
- Target: 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe
- Size: 301KB
- MD5: 27ed2ca1b852640d6cd2646672a90f74
- SHA1: 5869b882e35194e3f8536e1893055ba5eb2725b2
- SHA256: 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a
- SHA512: 9205238bd48e051d57fe66aba8dfc2367ec6c6c1e1c932e2af7353331820741c6d008547bb427bca19d19c3565765d0370af085523071f25ebf68e61f3088f2e
- SSDEEP: 6144:lCburfqKlylZXGSIqpMVsKnY4aF/5T9X:lC6hl3SIqpK5IB
Malware Config

Signatures

Possible privilege escalation attempt (2 IoCs)
Processes:
| pid | Process |
| --- | --- |
| 4660 | takeown.exe |
| 2976 | icacls.exe |

Modifies file permissions (1 TTP, 2 IoCs)
Processes:
| pid | Process |
| --- | --- |
| 2976 | icacls.exe |
| 4660 | takeown.exe |

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)

Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.

Drops file in System32 directory (3 IoCs)
Processes:
| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db | OfficeClickToRun.exe |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal | OfficeClickToRun.exe |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm | OfficeClickToRun.exe |

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | OfficeClickToRun.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | OfficeClickToRun.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | OfficeClickToRun.exe |

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | OfficeClickToRun.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | OfficeClickToRun.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | OfficeClickToRun.exe |

Modifies data under HKEY_USERS (26 IoCs)
Processes:
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation | OfficeClickToRun.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun | OfficeClickToRun.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2" | OfficeClickToRun.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1" | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData | OfficeClickToRun.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | OfficeClickToRun.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides | OfficeClickToRun.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | OfficeClickToRun.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides | OfficeClickToRun.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | OfficeClickToRun.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | OfficeClickToRun.exe |

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
| pid | Process |
| --- | --- |
| 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe |
| 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe |

Suspicious behavior: LoadsDriver (64 IoCs)
Processes (the report lists pids only; its Process column is empty):
4596 2720 3236 2892 4684 3784 3220 1244 3972 4992 2544 3860 3680 4432 4316 896 4824 4564 2604 1312 5088 4156 1476 1936 260 4240 3996 5108 772 3536 5060 3332 2020 4936 1572 1424 1380 2704 2420 5040 368 4344 448 3244 4988 2284 3232 3752 4840 4740 424 3788 2712 2928 4764 5052 1120 4368 2652 3412 2716 768 3708 2320

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
| description | pid | Process |
| --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | 4660 | takeown.exe |

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
| pid | Process |
| --- | --- |
| 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe |

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
| pid | Process |
| --- | --- |
| 3044 | OfficeClickToRun.exe |

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 1736 wrote to memory of 3984 | 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe | 83 |
| PID 1736 wrote to memory of 3984 | 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe | 83 |
| PID 3984 wrote to memory of 4660 | 3984 | cmd.exe | 84 |
| PID 3984 wrote to memory of 4660 | 3984 | cmd.exe | 84 |
| PID 1736 wrote to memory of 4976 | 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe | 85 |
| PID 1736 wrote to memory of 4976 | 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe | 85 |
| PID 4976 wrote to memory of 2976 | 4976 | cmd.exe | 86 |
| PID 4976 wrote to memory of 2976 | 4976 | cmd.exe | 86 |
| PID 1736 wrote to memory of 388 | 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe | 87 |
| PID 1736 wrote to memory of 388 | 1736 | 9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe | 87 |
Processes

- C:\Users\Admin\AppData\Local\Temp\9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9998034b4a25a37c86651d85306be7b1fe949be3df3ccbb0ede943bbef414f8a.exe"
  PID: 1736
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\Windows\System32\ntoskrnl.exe"
    PID: 3984
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\Windows\System32\ntoskrnl.exe"
      PID: 4660
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c icacls "C:\Windows\System32\ntoskrnl.exe" /grant Admin:F
    PID: 4976
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\system32\icacls.exe
      Command line: icacls "C:\Windows\System32\ntoskrnl.exe" /grant Admin:F
      PID: 2976
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del "C:\Windows\System32\ntoskrnl.exe" /f /s /q
    PID: 388

- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  PID: 3044
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
  PID: 4076

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID: 3328

- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
  PID: 3452