Analysis Overview
SHA256: 8662966bf05826209a1c0cfe155a24c5c1bdc45e61623d342270d5129fde8b3d
Threat Level: Likely malicious
The file M-Centres 3.3 x64.zip was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Possible privilege escalation attempt
Modifies file permissions
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-10 06:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-10 06:32
Reported: 2024-10-10 06:35
Platform: win10v2004-20241007-en
Max time kernel: 117s
Max time network: 148s
Command Line
Signatures
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Windows.ApplicationModel.Store.dll | C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe | N/A |
| File opened for modification | C:\Windows\System32\Windows.ApplicationModel.Store.dll | C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe | N/A |
| File created | C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll | C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe | "C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe" |
| C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /k takeown /f C:\Windows\System32\Windows.ApplicationModel.Store.dll && icacls C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant "Admin":F |
| C:\Windows\system32\takeown.exe | takeown /f C:\Windows\System32\Windows.ApplicationModel.Store.dll |
| C:\Windows\system32\icacls.exe | icacls C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant "Admin":F |
| C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /k takeown /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll && icacls C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant "Admin":F |
| C:\Windows\system32\takeown.exe | takeown /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll |
| C:\Windows\system32\icacls.exe | icacls C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant "Admin":F |
| C:\Windows\System32\sfc.exe | "C:\Windows\System32\sfc.exe" /scanfile=C:\Windows\System32\Windows.ApplicationModel.Store.dll |
| C:\Windows\System32\sfc.exe | "C:\Windows\System32\sfc.exe" /scanfile=C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll |
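The process tree above is the pattern worth hunting for in endpoint telemetry: a binary running from a user-writable Temp path spawns cmd.exe /k takeown /f <System32 DLL> && icacls <same DLL> /grant <user>:F (which is what the "Modifies file permissions" and "Possible privilege escalation attempt" signatures fire on), then drops its own copy of the DLL into System32 and SysWOW64, and finally runs sfc /scanfile against the replaced file. The Python below is an added example, not part of this report or of the analysed sample, that runs that detection over constructed process-creation records. The records are built from the report's command lines plus benign and %SystemRoot% variants; the field names pid and cmdline are an assumed telemetry schema (not a Sysmon or 4688 parser); the regexes, the protected-directory list and the severity scheme are the example's own choices. It generalises the report's case to any file under System32 or SysWOW64, to quoted or environment-variable paths, and to takeown without a matching icacls /grant (lower severity).

```python
"""Flag the takeown -> icacls /grant -> sfc /scanfile chain against protected
Windows directories in process-creation telemetry.

Added example, not part of the sandbox report or the analysed sample. The
records below are constructed from the report's command lines plus benign
variants; the field names "pid" and "cmdline" are an assumed schema, not a
Sysmon/4688 parser.
"""
import json
import re
from collections import defaultdict

# Files here are owned by TrustedInstaller; an interactive admin needs takeown
# (SeTakeOwnershipPrivilege) and an icacls /grant before overwriting one.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ENV_ALIASES = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}

TOKEN = r'(?:"([^"]+)"|(\S+))'  # one quoted or bare argument (two groups)
TAKEOWN_RE = re.compile(r"\btakeown(?:\.exe)?\b.*?/f\s+" + TOKEN, re.I)
ICACLS_RE = re.compile(r'\bicacls(?:\.exe)?"?\s+' + TOKEN, re.I)
GRANT_RE = re.compile(r"/grant(?::r)?\s+(\S+)", re.I)
SFC_RE = re.compile(r"\bsfc(?:\.exe)?\b.*?/scanfile=" + TOKEN, re.I)


def normalize(path):
    """Lower-case, backslash-only path with %SystemRoot%/%windir% expanded."""
    p = path.strip('"').replace("/", "\\").lower()
    for alias, real in ENV_ALIASES.items():
        p = p.replace(alias, real)
    return p


def is_protected(path):
    return normalize(path).startswith(PROTECTED_DIRS)


def classify(cmdline):
    """All (action, target, grantee) tuples in one command line.
    A cmd.exe line like '/k takeown ... && icacls ...' yields two."""
    found = []
    for m in TAKEOWN_RE.finditer(cmdline):
        found.append(("takeown", m.group(1) or m.group(2), None))
    for m in ICACLS_RE.finditer(cmdline):
        g = GRANT_RE.search(cmdline, m.end())  # only the /grant after this icacls
        grantee = g.group(1).replace('"', "") if g else None
        found.append(("icacls-grant" if g else "icacls",
                      m.group(1) or m.group(2), grantee))
    for m in SFC_RE.finditer(cmdline):
        found.append(("sfc-scanfile", m.group(1) or m.group(2), None))
    return found


def detect(events):
    """One alert per protected target: 'high' when ownership was taken AND an
    ACE was granted, 'medium' for either alone. sfc alone never alerts; it is
    only attached to a target already flagged, since it is routine by itself."""
    seen = defaultdict(lambda: {"actions": set(), "grantees": set(), "pids": set()})
    for ev in events:
        for action, target, grantee in classify(ev["cmdline"]):
            if not is_protected(target):
                continue
            rec = seen[normalize(target)]
            rec["actions"].add(action)
            rec["pids"].add(ev["pid"])
            if grantee:
                rec["grantees"].add(grantee)
    alerts = []
    for target, rec in seen.items():
        hits = rec["actions"] & {"takeown", "icacls-grant"}
        if not hits:
            continue
        alerts.append({"target": target,
                       "severity": "high" if len(hits) == 2 else "medium",
                       "actions": sorted(rec["actions"]),
                       "grantees": sorted(rec["grantees"]),
                       "pids": sorted(rec["pids"])})
    return sorted(alerts, key=lambda a: a["target"])


# Constructed records: the report's command lines (pids are made up) plus
# benign variants that must not alert.
SAMPLE_EVENTS = [
    {"pid": 876, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\M-Centres 3.3.exe"'},
    {"pid": 1204, "cmdline": r'"cmd.exe" /k takeown /f C:\Windows\System32\Windows.ApplicationModel.Store.dll && icacls C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant "Admin":F'},
    {"pid": 1212, "cmdline": r"takeown /f C:\Windows\System32\Windows.ApplicationModel.Store.dll"},
    {"pid": 1220, "cmdline": r'icacls C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant "Admin":F'},
    {"pid": 1300, "cmdline": r'"cmd.exe" /k takeown /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll && icacls C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant "Admin":F'},
    {"pid": 1400, "cmdline": r'"C:\Windows\System32\sfc.exe" /scanfile=C:\Windows\System32\Windows.ApplicationModel.Store.dll'},
    {"pid": 1450, "cmdline": r'takeown /f "%windir%\System32\drivers\etc\hosts"'},  # takeown only: medium
    {"pid": 1500, "cmdline": r'icacls "C:\Users\Admin\Documents\report.docx" /grant Admin:F'},  # user file: ignored
    {"pid": 1600, "cmdline": r"sfc /scanfile=C:\Windows\System32\kernel32.dll"},  # sfc alone: ignored
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Run the file directly to print the alerts for the embedded records, or call detect() with records whose cmdline comes from the Sysmon event 1 or Security 4688 CommandLine field. Matching on the cmd.exe command line as well as on the child takeown/icacls events means the chain is still caught when only the parent was logged; correlating by normalised target path rather than by pid is what ties the four processes on the page to one alert.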
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/876-0-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp
memory/876-1-0x0000014F4CD30000-0x0000014F4CD4C000-memory.dmp
memory/876-2-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/876-3-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/876-4-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/876-5-0x0000014F6AFF0000-0x0000014F6AFF8000-memory.dmp
memory/876-7-0x0000014F6B040000-0x0000014F6B04E000-memory.dmp
memory/876-6-0x0000014F6B070000-0x0000014F6B0A8000-memory.dmp
memory/876-8-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/876-9-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/876-10-0x00007FFB99D13000-0x00007FFB99D15000-memory.dmp
memory/876-11-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/876-12-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
memory/876-13-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\19041.906\x64\Windows.ApplicationModel.Store.dll
| Hash | Value |
| MD5 | 3e9f96520731308adbf87172614ced92 |
| SHA1 | 31ee1629f8431fc1101bfcb8167abbd3e4fb98f3 |
| SHA256 | 5fc5b78a3d9d6e80748004e43bf11a2be14b355290180475a5b4fad9259dc8d2 |
| SHA512 | 850baa06de00533592ba34bbe4e2749d2475b8998b75c8a5d583b7f0363d9f612bc761b9476dfb39c7502a5d054e2ecf829169e379d21ff29566b20c66cf67ec |
memory/876-24-0x00007FFB99D10000-0x00007FFB9A7D1000-memory.dmp