Analysis

  • max time kernel
    106s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-11-2024 13:43

General

  • Target

    280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe

  • Size

    34KB

  • MD5

    78cf3240cde4b1a491f16b61b66b5990

  • SHA1

    80e488f19c6c572080893dd75c4a5dbc3393c7bb

  • SHA256

    280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31b

  • SHA512

    3c170762e75804da5d4c2df6f3ed36390e11037443b4f0cbc8a7feb8bd7e0e9d050a0fa11a0d05de2348fc6af0b4f7feb15e3fe61e89cdf78ee90b42acb5bcd7

  • SSDEEP

    768:PumRjoV0l6yzJT+yeZoV0l6yzJT+yez+ZtYcFA/Vc6K:WTV04qxBjV04qxB4+Z8Vcl

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 16 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Modifies file permissions 1 TTPs 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe
    "C:\Users\Admin\AppData\Local\Temp\280726bc2581c404537657892f885744bf8077a2cf7fb36281afc5897f26b31bN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im OpenConsole.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im OpenConsole.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /t /f /im WindowsTerminal.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /t /f /im WindowsTerminal.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im regedit.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im regedit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2620
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im cmd.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im cmd.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4324
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im taskmgr.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im taskmgr.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\regedit.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:804
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\regedit.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\regedit.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\regedit.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4344
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\cmd.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\cmd.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\cmd.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3416
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\cmd.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2200
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\WindowsPowerShell\*.* /r /d y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\*.* /grant %username%:F /t
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\WindowsPowerShell\*.* /grant Admin:F /t
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4880
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\SysWOW64\WindowsPowerShell\*.* /r /d y
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2596
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\SysWOW64\WindowsPowerShell\*.* /r /d y
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4072
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\SysWOW64\WindowsPowerShell\*.* /grant %username%:F /t
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2868
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\SysWOW64\WindowsPowerShell\*.* /grant Admin:F /t
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4660
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\regedt32.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3648
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\regedt32.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4428
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\regedt32.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4796
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\regedt32.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2856
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\reg.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3868
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\reg.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\reg.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:372
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\reg.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4548
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2584
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:680
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4176
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3356
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant %username%:F
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1092
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:3544

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3564-0-0x000000007537E000-0x000000007537F000-memory.dmp

    Filesize

    4KB

  • memory/3564-1-0x0000000000B60000-0x0000000000B6E000-memory.dmp

    Filesize

    56KB

  • memory/3564-2-0x0000000005AD0000-0x0000000006074000-memory.dmp

    Filesize

    5.6MB

  • memory/3564-3-0x00000000055C0000-0x0000000005652000-memory.dmp

    Filesize

    584KB

  • memory/3564-4-0x0000000005570000-0x000000000557A000-memory.dmp

    Filesize

    40KB

  • memory/3564-5-0x0000000075370000-0x0000000075B20000-memory.dmp

    Filesize

    7.7MB

  • memory/3564-6-0x000000007537E000-0x000000007537F000-memory.dmp

    Filesize

    4KB

  • memory/3564-7-0x0000000075370000-0x0000000075B20000-memory.dmp

    Filesize

    7.7MB