2a9b1c1f730c4146ff4356e3c5b6329ff5ea6f022d51146b61df8d276afd90df

Analysis

max time kernel
62s
max time network
36s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MicrosoftToolkit.exe
Size

317.1MB
MD5

d3086e8a000add3d507a72d464e82e4b
SHA1

16de80b98ac8cbb17863662fa1d02b6cd3151628
SHA256

2a9b1c1f730c4146ff4356e3c5b6329ff5ea6f022d51146b61df8d276afd90df
SHA512

6ed6edd5bc1604bdaecbb2b2181bdc5820d53d90477f47980aa14bbc1c081c0e178b524bb972e13df6fa134403d7ff3ac6fd6772857c32f69f7dd0efef0a839e
SSDEEP

196608:WXnfk307gaHtQJhl4b9m/yNhnrH1PY0Zh4e:WXn830cI+lr/yNhnrVPzh

Score

8^/10

discovery exploit spyware stealer upx

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

760 takeown.exe
2672 icacls.exe
2812 takeown.exe
1668 icacls.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Setup.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Setup.exe
Executes dropped EXE 2 IoCs

Processes:

Setup.exebootsect.exe

pid process

2260 Setup.exe
2820 bootsect.exe
Loads dropped DLL 1 IoCs

Processes:

MicrosoftToolkit.exe

pid process

2236 MicrosoftToolkit.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2812 takeown.exe
1668 icacls.exe
760 takeown.exe
2672 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
760	takeown.exe
2672	icacls.exe
2812	takeown.exe
1668	icacls.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Setup.exe

pid	process
2260	Setup.exe
2820	bootsect.exe

pid	process
2236	MicrosoftToolkit.exe

pid	process
2812	takeown.exe
1668	icacls.exe
760	takeown.exe
2672	icacls.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Setup.exe	upx
behavioral1/memory/2236-17-0x0000000017170000-0x0000000017393000-memory.dmp	upx
behavioral1/memory/2260-21-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/2260-89-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/memory/2260-101-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MicrosoftToolkit.exe

pid process

2236 MicrosoftToolkit.exe
2236 MicrosoftToolkit.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2236	MicrosoftToolkit.exe
2236	MicrosoftToolkit.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftToolkit.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MicrosoftToolkit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MicrosoftToolkit.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Setup.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct Setup.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MicrosoftToolkit.exeSetup.exe

pid process

2236 MicrosoftToolkit.exe
2260 Setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Setup.exe

pid	process
2236	MicrosoftToolkit.exe
2260	Setup.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Setup.exetakeown.exetakeown.exe

description	pid	process
Token: 33	2260	Setup.exe
Token: SeIncBasePriorityPrivilege	2260	Setup.exe
Token: 33	2260	Setup.exe
Token: SeIncBasePriorityPrivilege	2260	Setup.exe
Token: SeTakeOwnershipPrivilege	760	takeown.exe
Token: SeTakeOwnershipPrivilege	2812	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Setup.exe

pid process

2260 Setup.exe

pid	process
2260	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MicrosoftToolkit.exeSetup.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 2260	2236	MicrosoftToolkit.exe	Setup.exe
PID 2236 wrote to memory of 2260	2236	MicrosoftToolkit.exe	Setup.exe
PID 2236 wrote to memory of 2260	2236	MicrosoftToolkit.exe	Setup.exe
PID 2236 wrote to memory of 2260	2236	MicrosoftToolkit.exe	Setup.exe
PID 2236 wrote to memory of 2260	2236	MicrosoftToolkit.exe	Setup.exe
PID 2236 wrote to memory of 2260	2236	MicrosoftToolkit.exe	Setup.exe
PID 2236 wrote to memory of 2260	2236	MicrosoftToolkit.exe	Setup.exe
PID 2260 wrote to memory of 2588	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2588	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2588	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2588	2260	Setup.exe	cmd.exe
PID 2588 wrote to memory of 2400	2588	cmd.exe	cmd.exe
PID 2588 wrote to memory of 2400	2588	cmd.exe	cmd.exe
PID 2588 wrote to memory of 2400	2588	cmd.exe	cmd.exe
PID 2588 wrote to memory of 2400	2588	cmd.exe	cmd.exe
PID 2400 wrote to memory of 760	2400	cmd.exe	takeown.exe
PID 2400 wrote to memory of 760	2400	cmd.exe	takeown.exe
PID 2400 wrote to memory of 760	2400	cmd.exe	takeown.exe
PID 2400 wrote to memory of 760	2400	cmd.exe	takeown.exe
PID 2260 wrote to memory of 940	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 940	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 940	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 940	2260	Setup.exe	cmd.exe
PID 940 wrote to memory of 2672	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 2672	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 2672	940	cmd.exe	icacls.exe
PID 940 wrote to memory of 2672	940	cmd.exe	icacls.exe
PID 2260 wrote to memory of 936	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 936	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 936	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 936	2260	Setup.exe	cmd.exe
PID 936 wrote to memory of 2800	936	cmd.exe	cmd.exe
PID 936 wrote to memory of 2800	936	cmd.exe	cmd.exe
PID 936 wrote to memory of 2800	936	cmd.exe	cmd.exe
PID 936 wrote to memory of 2800	936	cmd.exe	cmd.exe
PID 2800 wrote to memory of 2812	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 2812	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 2812	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 2812	2800	cmd.exe	takeown.exe
PID 2260 wrote to memory of 2704	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2704	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2704	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2704	2260	Setup.exe	cmd.exe
PID 2704 wrote to memory of 1668	2704	cmd.exe	icacls.exe
PID 2704 wrote to memory of 1668	2704	cmd.exe	icacls.exe
PID 2704 wrote to memory of 1668	2704	cmd.exe	icacls.exe
PID 2704 wrote to memory of 1668	2704	cmd.exe	icacls.exe
PID 2260 wrote to memory of 1640	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 1640	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 1640	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 1640	2260	Setup.exe	cmd.exe
PID 1640 wrote to memory of 1708	1640	cmd.exe	cscript.exe
PID 1640 wrote to memory of 1708	1640	cmd.exe	cscript.exe
PID 1640 wrote to memory of 1708	1640	cmd.exe	cscript.exe
PID 2260 wrote to memory of 2948	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2948	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2948	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 2948	2260	Setup.exe	cmd.exe
PID 2948 wrote to memory of 2936	2948	cmd.exe	cscript.exe
PID 2948 wrote to memory of 2936	2948	cmd.exe	cscript.exe
PID 2948 wrote to memory of 2936	2948	cmd.exe	cscript.exe
PID 2260 wrote to memory of 768	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 768	2260	Setup.exe	cmd.exe
PID 2260 wrote to memory of 768	2260	Setup.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
3⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
4⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2672

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
3⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\ldrscan\bootwin
4⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\ldrscan\bootwin
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
3⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\icacls.exe
icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1668

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
3⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
4⤵
PID:1708

C:\Windows\system32\cmd.exe
cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
3⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
4⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "compact /u \\?\Volume{b9263cc3-28a0-11ef-8413-806e6f6e6963}\HBAQK"
3⤵
PID:768

C:\Windows\SysWOW64\compact.exe
compact /u \\?\Volume{b9263cc3-28a0-11ef-8413-806e6f6e6963}\HBAQK
4⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
3⤵
PID:1868

C:\bootsect.exe
C:\bootsect.exe /nt60 SYS /force
4⤵
- Executes dropped EXE
PID:2820

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:1368

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS
Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\bootsect.exe
Filesize
95KB

MD5
6230892eb4956ba523fe87e35687e772

SHA1
7c5850aeae751865a4981c26eb4e8378a17abd6d

SHA256
1c90b2d8138b8f68301c817f2d119cde629bf8d746b4d49238e460ddb6bc8fd8

SHA512
b9e416a56803ef91935d618367197631f657575bc38607c91af424e1414fc62b9e044dd384704bff643bd70721d754c8f6384605dfd548d5d3667567710dfe71

Download Submit
\??\Volume{b9263cc3-28a0-11ef-8413-806e6f6e6963}\HBAQK
Filesize
390KB

MD5
da484d4cc3f831a84fa8fa0a2f44d73b

SHA1
6f3acbd82137a49cb4115bbc32b321dd0c8cba57

SHA256
9381d50bd1f24c7a93c362803025790bd88c826491a4b8362484b30dde23385a

SHA512
352abc87f3334fb0fbb2d82b5f0207d8d0facc6ccc87c299161c4a7080fa0267c1974bf93d897ea143d7000823836e094c2900059c40923a1e63ad4b369fe4b9

Download Submit
\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
3.8MB

MD5
323c0fd51071400b51eedb1be90a8188

SHA1
0efc35935957c25193bbe9a83ab6caa25a487ada

SHA256
2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

SHA512
4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

Download Submit
memory/2236-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2236-0-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2236-5-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2236-7-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2236-9-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2236-10-0x00000000011F0000-0x00000000021F0000-memory.dmp

Filesize
16.0MB

Download
memory/2236-17-0x0000000017170000-0x0000000017393000-memory.dmp

Filesize
2.1MB

Download
memory/2236-4-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2260-22-0x0000000000640000-0x0000000000653000-memory.dmp

Filesize
76KB

Download
memory/2260-59-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2260-51-0x0000000000690000-0x00000000006A1000-memory.dmp

Filesize
68KB

Download
memory/2260-43-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2260-30-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2260-67-0x00000000006C0000-0x00000000006D0000-memory.dmp

Filesize
64KB

Download
memory/2260-89-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2260-35-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2260-21-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2260-101-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download