Overview

overview

8

Static

static

3

FluentWPF.dll

windows10-ltsc 2021-x64

1

M Centers.exe

windows10-ltsc 2021-x64

8

M Centers.exe.config

windows10-ltsc 2021-x64

3

M Centers.pdb

windows10-ltsc 2021-x64

3

MCentersLibrary.dll

windows10-ltsc 2021-x64

1

MCentersLibrary.pdb

windows10-ltsc 2021-x64

3

MaterialDe...rs.dll

windows10-ltsc 2021-x64

1

MaterialDe...pf.dll

windows10-ltsc 2021-x64

1

MaterialDe...pf.xml

windows10-ltsc 2021-x64

3

Analysis

  • max time kernel
    285s
  • max time network
    285s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    02-12-2024 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    M Centers.exe

  • Size

    1.6MB

  • MD5

    1d3d75fa1c81b55d68500d95a92807fb

  • SHA1

    c45be1e05788005a24e4c73628d1f85003890957

  • SHA256

    5f405489a7f6c67bbcc130ebbb272a99bde94b0d01b1b958f6f05580fb58a2d3

  • SHA512

    b910ed4d71503d888d004b28b4991f8d5b8635ad0fb708cc987f4996a1f4e6ee22469f0c9c29946913988fea3163c5f6e313fdf643249eba4adf9d5df0cfcc83

  • SSDEEP

    49152:Lj2I6gR13Be4vZ+5o12w1cRTTQAwnnsn3nmB:nPRNXBGhw1wTEAwnnsn3nmB

Score
8/10
discoveryexploit

Malware Config

Signatures

  • Downloads MZ/PE file
  • Possible privilege escalation attempt 8 IoCs
    exploit
  • Modifies file permissions 1 TTPs 8 IoCs
    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\M Centers.exe
    "C:\Users\Admin\AppData\Local\Temp\M Centers.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\SYSTEM32\takeown.exe
      "takeown.exe" /f C:\Windows\System32\Windows.ApplicationModel.Store.dll /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4304
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls.exe" C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4580
    • C:\Windows\SYSTEM32\takeown.exe
      "takeown.exe" /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:760
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls.exe" C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1236
    • C:\Windows\SYSTEM32\takeown.exe
      "takeown.exe" /f C:\Windows\System32\Windows.ApplicationModel.Store.dll /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1992
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls.exe" C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4376
    • C:\Windows\SYSTEM32\takeown.exe
      "takeown.exe" /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3160
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls.exe" C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\MCenters\Methods\Dll\19041.4355\x64\Windows.ApplicationModel.Store.dll
    Filesize

    2.2MB

    MD5

    72f99d7440de5f00e5a2129635fe2223

    SHA1

    9d0260c28290307afc6c6b06dcefdb1bfb6416ed

    SHA256

    30c62d555a7f924aa691c95fbf022c7a995d5f6a7296ac03e083379c8bd7193e

    SHA512

    b8ebeabf6f6f94b7cf489c5c9d6c63962fbf91946fec6029e44df6c557595ea174ddefcbce1601241c090fd400b5d2e1d472fa18a75925513f38c5ec6e221c6c

    Download Submit

  • C:\ProgramData\MCenters\Methods\Dll\19041.4355\x86\Windows.ApplicationModel.Store.dll
    Filesize

    1.6MB

    MD5

    e438c3dafd8c886aadcf1ef6264a0123

    SHA1

    d13bd03d1b7631a93680195863f87f6d382b828f

    SHA256

    eb9e1e06a847fe679d3c1a1f4b57fa492535dab75ef304fdd4f20550c3b0cd00

    SHA512

    651444178d1d7c8356c8eb6f8b6ed01e607ea2613f9f76f6d6d6edd961ce3d3b9dc3571e9d690fea39d54eb567751ed6eac920c98f00c0634743deca92fefdcd

    Download Submit

  • memory/1108-10-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1108-12-0x000001DB57BF0000-0x000001DB57BFE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1108-5-0x000001DB550A0000-0x000001DB55A14000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/1108-4-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1108-6-0x000001DB54780000-0x000001DB547D4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1108-7-0x000001DB549A0000-0x000001DB54A5A000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1108-8-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1108-9-0x000001DB57BB0000-0x000001DB57BB8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1108-0-0x00007FFEABC93000-0x00007FFEABC95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1108-3-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1108-11-0x000001DB58070000-0x000001DB580A8000-memory.dmp

    Filesize

    224KB

    Download

  • memory/1108-13-0x00007FFEABC93000-0x00007FFEABC95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1108-14-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1108-15-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1108-16-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1108-2-0x000001DB53CE0000-0x000001DB53D1E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1108-1-0x000001DB37E30000-0x000001DB37FD4000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1108-31-0x00007FFEABC90000-0x00007FFEAC752000-memory.dmp

    Filesize

    10.8MB

    Download