Overview

overview

8

Static

static

3

FluentWPF.dll

windows10-ltsc 2021-x64

1

M Centers.exe

windows10-ltsc 2021-x64

8

MCentersLibrary.dll

windows10-ltsc 2021-x64

1

MaterialDe...rs.dll

windows10-ltsc 2021-x64

1

MaterialDe...pf.dll

windows10-ltsc 2021-x64

1

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    02-12-2024 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    M Centers.exe

  • Size

    1.6MB

  • MD5

    1d3d75fa1c81b55d68500d95a92807fb

  • SHA1

    c45be1e05788005a24e4c73628d1f85003890957

  • SHA256

    5f405489a7f6c67bbcc130ebbb272a99bde94b0d01b1b958f6f05580fb58a2d3

  • SHA512

    b910ed4d71503d888d004b28b4991f8d5b8635ad0fb708cc987f4996a1f4e6ee22469f0c9c29946913988fea3163c5f6e313fdf643249eba4adf9d5df0cfcc83

  • SSDEEP

    49152:Lj2I6gR13Be4vZ+5o12w1cRTTQAwnnsn3nmB:nPRNXBGhw1wTEAwnnsn3nmB

Score
8/10
discoveryexploit

Malware Config

Signatures

  • Possible privilege escalation attempt 8 IoCs
    exploit
  • Modifies file permissions 1 TTPs 8 IoCs
    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\M Centers.exe
    "C:\Users\Admin\AppData\Local\Temp\M Centers.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SYSTEM32\takeown.exe
      "takeown.exe" /f C:\Windows\System32\Windows.ApplicationModel.Store.dll /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:460
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls.exe" C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1160
    • C:\Windows\SYSTEM32\takeown.exe
      "takeown.exe" /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4608
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls.exe" C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3620
    • C:\Windows\SYSTEM32\takeown.exe
      "takeown.exe" /f C:\Windows\System32\Windows.ApplicationModel.Store.dll /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3224
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls.exe" C:\Windows\System32\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4776
    • C:\Windows\SYSTEM32\takeown.exe
      "takeown.exe" /f C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /A
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1080
    • C:\Windows\SYSTEM32\icacls.exe
      "icacls.exe" C:\Windows\SysWOW64\Windows.ApplicationModel.Store.dll /grant *S-1-5-32-544:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1244-0-0x00007FFBD4353000-0x00007FFBD4355000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1244-1-0x000002A238A40000-0x000002A238BE4000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1244-3-0x000002A2548B0000-0x000002A2548EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1244-2-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-4-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-6-0x000002A255390000-0x000002A2553E4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1244-5-0x000002A255CB0000-0x000002A256624000-memory.dmp

    Filesize

    9.5MB

    Download

  • memory/1244-7-0x000002A2555B0000-0x000002A25566A000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1244-8-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-9-0x000002A2587C0000-0x000002A2587C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1244-10-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-12-0x000002A258830000-0x000002A25883E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1244-11-0x000002A258860000-0x000002A258898000-memory.dmp

    Filesize

    224KB

    Download

  • memory/1244-13-0x00007FFBD4353000-0x00007FFBD4355000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1244-14-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-15-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-16-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-17-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1244-19-0x000002A25CEB0000-0x000002A25CF45000-memory.dmp

    Filesize

    596KB

    Download

  • memory/1244-30-0x00007FFBD4350000-0x00007FFBD4E12000-memory.dmp

    Filesize

    10.8MB

    Download