Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 10:37
Static task: static1
Behavioral task: behavioral1
  Sample: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
  Resource: win10v2004-20240508-en
General
Target: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Size: 2.4MB
MD5: 97f4bfce48908daf8548c94680cdd926
SHA1: b6921fa66184350511ffeac6f7a14308bf830928
SHA256: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1
SHA512: 39ef56903b60a4a67b8863bb2ffdeed934ebe97e8223e16d7135017e20e07575e3a81076104bf37917b0ef6202a69335e66b0c137de83818fbdfb177d52b82e9
SSDEEP: 49152:HQqiSbst0sL7R38+1uKnzzaKu4QHNHxU/lAZ1PXiEQMy2vm9ytkB4nX:xstZLNe5Hwl0kDB4n
Malware Config
Signatures
UAC bypass
Processes: ZBOYKWUZ.exe, ZBOYKWUZ.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | ZBOYKWUZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | ZBOYKWUZ.exe
Possible privilege escalation attempt 3 IoCs
Processes: icacls.exe, takeown.exe, takeown.exe
pid | process
5008 | icacls.exe
1624 | takeown.exe
4824 | takeown.exe
Executes dropped EXE 3 IoCs
Processes: ZBOYKWUZ.exe, ZBOYKWUZ.exe, Es4.Deploy.exe
pid | process
2280 | ZBOYKWUZ.exe
3096 | ZBOYKWUZ.exe
3852 | Es4.Deploy.exe
Modifies file permissions 1 TTPs 3 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe
pid | process
4824 | takeown.exe
5008 | icacls.exe
1624 | takeown.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!! = "XTFZQDRU.exe VXYFCKXQC ZBOYKWUZ.exe" | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Drops desktop.ini file(s) 2 IoCs
Processes: ZBOYKWUZ.exe
description | ioc | process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | ZBOYKWUZ.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | ZBOYKWUZ.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
C:\Windows\System32\ZBOYKWUZ.exe | autoit_exe
C:\Windows\System32\Es4.Deploy.exe | autoit_exe
Drops file in System32 directory 6 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
description | ioc | process
File created | C:\Windows\system32\Es4.Deploy.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification | C:\Windows\system32\Es4.Deploy.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created | C:\Windows\system32\ZBOYKWUZ.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification | C:\Windows\system32\ZBOYKWUZ.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created | C:\Windows\system32\XTFZQDRU.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File opened for modification | C:\Windows\system32\XTFZQDRU.exe | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Drops file in Windows directory 2 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
description | ioc | process
File created | C:\Windows\ES4\Es4Set.step1\Es4Set.es4 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
File created | C:\Windows\ES4\Es4Set.step2\Es4Set.es4 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes: ZBOYKWUZ.exe, ZBOYKWUZ.exe, Es4.Deploy.exe
pid | process (entries in report order, repeated rows collapsed with a count)
2280 | ZBOYKWUZ.exe (×14)
3096 | ZBOYKWUZ.exe (×4)
3852 | Es4.Deploy.exe (×2)
3096 | ZBOYKWUZ.exe (×2)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: reg.exe, reg.exe, takeown.exe
description | pid | process
Token: SeRestorePrivilege | 4200 | reg.exe
Token: SeRestorePrivilege | 2588 | reg.exe
Token: SeTakeOwnershipPrivilege | 1624 | takeown.exe
Suspicious use of FindShellTrayWindow 12 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
pid | process
3508 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe (×12, all entries identical)
Suspicious use of SendNotifyMessage 12 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
pid | process
3508 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe (×12, all entries identical)
Suspicious use of WriteProcessMemory 22 IoCs
Processes: 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe, ZBOYKWUZ.exe, cmd.exe, cmd.exe, Es4.Deploy.exe
description | pid | process | target process (each row appears twice in the report)
PID 3508 wrote to memory of 2280 | 3508 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe | ZBOYKWUZ.exe (×2)
PID 2280 wrote to memory of 4200 | 2280 | ZBOYKWUZ.exe | reg.exe (×2)
PID 2280 wrote to memory of 2588 | 2280 | ZBOYKWUZ.exe | reg.exe (×2)
PID 2280 wrote to memory of 3464 | 2280 | ZBOYKWUZ.exe | cmd.exe (×2)
PID 3464 wrote to memory of 4824 | 3464 | cmd.exe | takeown.exe (×2)
PID 3464 wrote to memory of 5008 | 3464 | cmd.exe | icacls.exe (×2)
PID 2280 wrote to memory of 908 | 2280 | ZBOYKWUZ.exe | cmd.exe (×2)
PID 908 wrote to memory of 1624 | 908 | cmd.exe | takeown.exe (×2)
PID 2280 wrote to memory of 3096 | 2280 | ZBOYKWUZ.exe | ZBOYKWUZ.exe (×2)
PID 3508 wrote to memory of 3852 | 3508 | 942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe | Es4.Deploy.exe (×2)
PID 3852 wrote to memory of 3772 | 3852 | Es4.Deploy.exe | cmd.exe (×2)
System policy modification 1 TTPs 6 IoCs
Processes: ZBOYKWUZ.exe, ZBOYKWUZ.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ZBOYKWUZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ZBOYKWUZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | ZBOYKWUZ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ZBOYKWUZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ZBOYKWUZ.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | ZBOYKWUZ.exe
Processes (process tree; depth is the nesting level in the report)

Depth 1: C:\Users\Admin\AppData\Local\Temp\942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\942de49bc2304176b3eefae31a59726b3451c60fa9d0e817f3e0d79a25b15ca1.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\system32\ZBOYKWUZ.exe
    Command line: C:\Windows\system32\ZBOYKWUZ.exe
    - UAC bypass
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification

    Depth 3: C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe load HKEY_USERS\a C:\Users\Administrator\NTUSER.DAT
      - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\system32\reg.exe
      Command line: C:\Windows\system32\reg.exe unload HKEY_USERS\a
      - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
        - Possible privilege escalation attempt
        - Modifies file permissions

      Depth 4: C:\Windows\system32\icacls.exe
        Command line: icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
        - Possible privilege escalation attempt
        - Modifies file permissions

    Depth 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" && icacls "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /grant administrators:F /t
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\system32\takeown.exe
        Command line: takeown /f "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\system32\ZBOYKWUZ.exe
      Command line: ZBOYKWUZ.exe 2280 3508 0
      - UAC bypass
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification

  Depth 2: C:\Windows\system32\Es4.Deploy.exe
    Command line: C:\Windows\system32\Es4.Deploy.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ver
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\3096zboykwu
  Filesize: 26KB
  MD5: 0c27221488e69caa0a441b30e5d6d46c
  SHA1: 82fceca6dbc8932d4bead6ce872965fac35d0c99
  SHA256: bae73fb2e8de92ae84565a2e98530a0584ade7bc69603f14906375a68f9fed3d
  SHA512: 9ad868e0897475082c63e5fcca91594c4568f15e442907b21bcd844dc8022986995f895b97aa649e2a523d08a4c37a324447b48475c7bf816a1dce734988eaed

C:\Windows\System32\Es4.Deploy.exe
  Filesize: 970KB
  MD5: ceaea72deefc6bce78f56efd6df30018
  SHA1: d9dd7dc3cf9b040f5add454a2eefc1e5d48a137c
  SHA256: e6c9beddaf2b77747834a6855ab88c43dc8feb5ad74e6da9d55e30a8e8299d63
  SHA512: e0b70a188f7bca695cf1e4a117dad94d76799b2187e03bf3a3ac78a015742aac845025e9ee6200379f357b6896a294a83ecbe4ce9d8eabdf25e2510088ca62ae

C:\Windows\System32\ZBOYKWUZ.exe
  Filesize: 964KB
  MD5: 7359ea3476e9f5d7f5e6845007531b4b
  SHA1: ec48e75b6a03979a1af7d993c55a76bc5a7780fe
  SHA256: 43b9150976b5087c92752fc6f81dedf5eca94f138090be18c712c17838d498cc
  SHA512: 01317be797acca4ff1aa9bee3b34ad6b2456aa72a927a8cdf9ae5f6f969e9d197626ab150df82e28dc1b24a47d6ad7dd5bbc0714e834e0e444c4689e9b2da5ce