Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-11-2024 11:24

General

  • Target

    ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe

  • Size

    409KB

  • MD5

    b23232263d0ff718419df3180d3d8670

  • SHA1

    194d700b79d7ffa681aaad1fd5010d788a4713ee

  • SHA256

    ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781

  • SHA512

    7c478b9cf4556539d8cd2a9165d11558a9957f7dc9ae25bd2380c02fa01e37061b6e5717d978eae87e7b074524b390d7f6a78d238240e3e1ffc45a259227c553

  • SSDEEP

    6144:YQMmbjV28okoS4oImBvIEtTawRbvbKw4IPCFRvzvU+Yrw:YWoioS/Z6H

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs

    Sets HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0 via reg.exe. This disables UAC for every user after the next reboot rather than bypassing a live prompt, and the HKLM write itself needs an elevated token.

  • Disables Task Manager via registry modification

    Sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr to 1 via reg.exe.

  • Possible privilege escalation attempt 40 IoCs

    Twenty takeown.exe/icacls.exe pairs (see Processes) that take ownership of Windows binaries and grant Admin full control. Success needs SeTakeOwnershipPrivilege, so this is groundwork for replacing or tampering with those binaries rather than an escalation on its own.
  • Modifies file permissions 1 TTPs 40 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 13 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe
    "C:\Users\Admin\AppData\Local\Temp\ffb7153f30e4206d3e369573d4e7fd7a3c79eab77ea2cf8f631f0dea7c3d1781N.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      2⤵
      • UAC bypass
      • Modifies registry key
      PID:2516
    • C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:1728
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\bfsvc.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2116
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\HelpPane.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2400
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\HelpPane.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1292
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\hh.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\hh.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2260
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\splwow64.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\splwow64.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1964
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\winhlp32.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\winhlp32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:840
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\write.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\write.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2988
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\raserver.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:756
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msra.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msra.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2812
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\quickassist.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2996
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\quickassist.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2720
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdchange.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2984
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdchange.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2744
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\CameraSettingsUIHost.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\CameraSettingsUIHost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2628
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\logagent.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\logagent.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2888
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\rrinstaller.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\rrinstaller.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2832
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\gpscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\gpscript.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2592
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mavinject.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:584
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mavinject.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2240
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\provlaunch.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\provlaunch.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1748
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\msinfo32.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\msinfo32.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3064
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\runas.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\runas.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:780
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1832
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2836
    • C:\Windows\System32\takeown.exe
      "C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\sdiagnhost.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1092
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\sdiagnhost.exe" /INHERITANCE:e /GRANT:r Admin:(F)
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1884
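The process tree above is a compact set of command lines that a detection engineer can parse rather than eyeball. The following script is an added example, not part of the sandbox report or the sample: it tokenises Windows command lines, extracts the registry policy writes and the takeown/icacls ACL changes, and tags the behaviours this report flags (UAC disabled via EnableLUA, Task Manager disabled, ownership and full-control grants on binaries under C:\Windows). The sample command lines are copied from the tree above plus one constructed benign icacls call as a control; the tag names and the `triage` summary format are this example's own choices.

```python
"""Classify sandbox process command lines into the behaviours flagged in the report above.

Added example; the tag names and summary layout are assumptions, not sandbox conventions.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Command lines copied from the Processes section above, plus one constructed
# benign icacls call (last entry) that must not be tagged.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'"C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\bfsvc.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\bfsvc.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'"C:\Windows\System32\takeown.exe" /S ZQABOPWE /U Admin /F "C:\Windows\SysWOW64\mstsc.exe"',
    r'"C:\Windows\System32\icacls.exe" "C:\Windows\SysWOW64\mstsc.exe" /INHERITANCE:e /GRANT:r Admin:(F)',
    r'"C:\Windows\System32\icacls.exe" "C:\Users\Admin\notes.txt" /grant Admin:(R)',  # constructed control
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
HIVES = {"hklm": "HKLM", "hkey_local_machine": "HKLM", "hkcu": "HKCU", "hkey_current_user": "HKCU"}
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def _opt(tokens: list[str], flag: str) -> str | None:
    """Return the argument that follows a /flag (case-insensitive), or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag.lower():
            return tokens[i + 1]
    return None


def _exe_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_reg_add(tokens: list[str]) -> dict | None:
    """Extract hive, key, value name, type and data from a 'reg.exe add' command."""
    if len(tokens) < 3 or _exe_name(tokens[0]) != "reg.exe" or tokens[1].lower() != "add":
        return None
    hive, _, subkey = tokens[2].partition("\\")
    return {
        "hive": HIVES.get(hive.lower(), hive.upper()),
        "key": subkey.lower(),
        "name": (_opt(tokens, "/v") or "").lower(),
        "type": (_opt(tokens, "/t") or "").upper(),
        "data": _opt(tokens, "/d"),
    }


def parse_acl_change(tokens: list[str]) -> dict | None:
    """Extract the target and principal from takeown.exe / icacls.exe commands."""
    exe = _exe_name(tokens[0])
    if exe == "takeown.exe":
        return {"tool": "takeown", "target": _opt(tokens, "/f"),
                "principal": _opt(tokens, "/u"), "host": _opt(tokens, "/s")}
    if exe == "icacls.exe" and len(tokens) > 1:
        return {"tool": "icacls", "target": tokens[1],
                "grant": _opt(tokens, "/grant:r") or _opt(tokens, "/grant")}
    return None


def is_system_binary(path: str | None) -> bool:
    p = (path or "").lower()
    return p.startswith("c:\\windows\\") and p.endswith(".exe")


def classify(cmdline: str) -> list[str]:
    """Return the behaviour tags a single command line triggers."""
    tokens = tokenize(cmdline)
    tags: list[str] = []
    if not tokens:
        return tags
    reg = parse_reg_add(tokens)
    if reg and reg["key"] == POLICY_KEY:
        if reg["hive"] == "HKLM" and reg["name"] == "enablelua" and reg["data"] == "0":
            tags.append("uac_disabled_via_policy")
        if reg["name"] == "disabletaskmgr" and reg["data"] == "1":
            tags.append("taskmgr_disabled")
    acl = parse_acl_change(tokens)
    if acl and is_system_binary(acl["target"]):
        if acl["tool"] == "takeown":
            tags.append("takeown_system_binary")
        elif acl["tool"] == "icacls" and (acl.get("grant") or "").upper().endswith(":(F)"):
            tags.append("icacls_full_control_system_binary")
    return tags


def triage(cmdlines: list[str]) -> dict:
    """Summarise tags and list Windows binaries that were both taken over and granted (F)."""
    tags: set[str] = set()
    targets: dict[str, set[str]] = defaultdict(set)
    for line in cmdlines:
        tags.update(classify(line))
        acl = parse_acl_change(tokenize(line)) if tokenize(line) else None
        if acl and is_system_binary(acl["target"]):
            targets[acl["target"].lower()].add(acl["tool"])
    fully_owned = sorted(t for t, tools in targets.items() if tools == {"takeown", "icacls"})
    return {"tags": tags, "targets": dict(targets), "fully_owned": fully_owned}


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line), line)
    print(triage(SAMPLE_CMDLINES)["fully_owned"])
```

The `fully_owned` list is the one to hand to incident response: every path in it is a Windows binary whose owner and DACL were changed, so it should be hash-checked against a known-good copy (or restored) before the host is trusted again.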

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\6Yvub5VqoN.exe

    Filesize

    409KB

    MD5

    0df947b73c872296ea1dfc0edb053a63

    SHA1

    a4ac1ff54d2d2bd64e1b20fbecd6ea17bbd82c3b

    SHA256

    5f6b42abf6814fa58d2b44bec6899d173394c6a41536565deb93b20440f3b7d8

    SHA512

    6285d77529396d350de859f71529cd2abd15f31ce9498321b9bcb425a8f69ecbaab5681546211d870670c991176d3ae930dce2b515db0a8f133e058ca013c76a

  • memory/3020-0-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

    Filesize

    4KB

  • memory/3020-1-0x0000000000080000-0x00000000000A8000-memory.dmp

    Filesize

    160KB

  • memory/3020-2-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

    Filesize

    9.9MB

  • memory/3020-1132-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

    Filesize

    4KB

  • memory/3020-1269-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

    Filesize

    9.9MB

  • memory/3020-9181-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

    Filesize

    9.9MB