Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    05-11-2024 13:43

General

  • Target

    280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe

  • Size

    34KB

  • MD5

    78cf3240cde4b1a491f16b61b66b5990

  • SHA1

    80e488f19c6c572080893dd75c4a5dbc3393c7bb

  • SHA256

    280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31b

  • SHA512

    3c170762e75804da5d4c2df6f3ed36390e11037443b4f0cbc8a7feb8bd7e0e9d050a0fa11a0d05de2348fc6af0b4f7feb15e3fe61e89cdf78ee90b42acb5bcd7

  • SSDEEP

    768:PumRjoV0l6yzJT+yeZoV0l6yzJT+yez+ZtYcFA/Vc6K:WTV04qxBjV04qxB4+Z8Vcl

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 16 IoCs
  • Modifies file permissions 1 TTPs 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe
    "C:\Users\Admin\AppData\Local\Temp\280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im OpenConsole.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im OpenConsole.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /t /f /im WindowsTerminal.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im WindowsTerminal.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im regedit.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im regedit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im cmd.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im cmd.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im taskmgr.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\regedit.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\regedit.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\regedit.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\regedit.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\cmd.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\cmd.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:340
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\cmd.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2956
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\cmd.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2352
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1660
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\*.* /grant %username%:F /t
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2116
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\WindowsPowerShell\*.* /grant Admin:F /t
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\SysWOW64\WindowsPowerShell\*.* /r /d y
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2104
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\WindowsPowerShell\*.* /r /d y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1952
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\SysWOW64\WindowsPowerShell\*.* /grant %username%:F /t
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1900
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\WindowsPowerShell\*.* /grant Admin:F /t
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\regedt32.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3064
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\regedt32.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3028
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\regedt32.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2212
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\regedt32.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\reg.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2076
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\reg.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\reg.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1372
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\reg.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2096
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:448
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1908
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:944
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:1836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1584-0-0x000000007426E000-0x000000007426F000-memory.dmp

    Filesize

    4KB

  • memory/1584-1-0x0000000000A20000-0x0000000000A2E000-memory.dmp

    Filesize

    56KB

  • memory/1584-2-0x0000000074260000-0x000000007494E000-memory.dmp

    Filesize

    6.9MB

  • memory/1584-3-0x0000000074260000-0x000000007494E000-memory.dmp

    Filesize

    6.9MB