Malware Analysis Report

2024-12-07 14:50

Sample ID 241010-ha3ktsvhmm
Target M-Centres 3.3 x64.zip
SHA256 8662966bf05826209a1c0cfe155a24c5c1bdc45e61623d342270d5129fde8b3d
Tags
discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

8662966bf05826209a1c0cfe155a24c5c1bdc45e61623d342270d5129fde8b3d

Threat Level: Likely malicious

The file M-Centres 3.3 x64.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Downloads MZ/PE file

Possible privilege escalation attempt

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 06:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 06:32

Reported

2024-10-10 06:35

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe"

Signatures

Downloads MZ/PE file

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Windows.ApplicationModel.Store.dll C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
File opened for modification C:\Windows\System32\Windows.ApplicationModel.Store.dll C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
File created C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe C:\Windows\SYSTEM32\cmd.exe
PID 876 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe C:\Windows\SYSTEM32\cmd.exe
PID 5076 wrote to memory of 4952 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\takeown.exe
PID 5076 wrote to memory of 4952 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\takeown.exe
PID 5076 wrote to memory of 3812 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\icacls.exe
PID 5076 wrote to memory of 3812 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\icacls.exe
PID 876 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe C:\Windows\SYSTEM32\cmd.exe
PID 876 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe C:\Windows\SYSTEM32\cmd.exe
PID 2912 wrote to memory of 2516 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 2516 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 2196 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 2196 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\icacls.exe
PID 876 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe C:\Windows\System32\sfc.exe
PID 876 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe C:\Windows\System32\sfc.exe
PID 876 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe C:\Windows\System32\sfc.exe
PID 876 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe C:\Windows\System32\sfc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe

"C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /k takeown /f C:\Windows\System32\Windows.ApplicationModel.Store.dll && icacls C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant "Admin":F

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\Windows.ApplicationModel.Store.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant "Admin":F

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /k takeown /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll && icacls C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant "Admin":F

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant "Admin":F

C:\Windows\System32\sfc.exe

"C:\Windows\System32\sfc.exe" /scanfile=C:\Windows\System32\Windows.ApplicationModel.Store.dll

C:\Windows\System32\sfc.exe

"C:\Windows\System32\sfc.exe" /scanfile=C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/876-0-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp

memory/876-1-0x0000014F4CD30000-0x0000014F4CD4C000-memory.dmp

memory/876-2-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/876-3-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/876-4-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/876-5-0x0000014F6AFF0000-0x0000014F6AFF8000-memory.dmp

memory/876-7-0x0000014F6B040000-0x0000014F6B04E000-memory.dmp

memory/876-6-0x0000014F6B070000-0x0000014F6B0A8000-memory.dmp

memory/876-8-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/876-9-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/876-10-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp

memory/876-11-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/876-12-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

memory/876-13-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19041.906\x64\Windows.ApplicationModel.Store.dll

MD5 3e9f96520731308adbf87172614ced92
SHA1 31ee1629f8431fc1101bfcb8167abbd3e4fb98f3
SHA256 5fc5b78a3d9d6e80748004e43bf11a2be14b355290180475a5b4fad9259dc8d2
SHA512 850baa06de00533592ba34bbe4e2749d2475b8998b75c8a5d583b7f0363d9f612bc761b9476dfb39c7502a5d054e2ecf829169e379d21ff29566b20c66cf67ec

memory/876-24-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp