Analysis
max time kernel: 21s
max time network: 115s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2022 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe
  Resource: win10v2004-20220812-en
General
Target: fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe
Size: 281KB
MD5: 62154ee3e60c718a0d45217c715314fd
SHA1: e10f8a8502c19baf62039cae898e4246b65a1d59
SHA256: fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6
SHA512: 7065336cbef8759f7a7c13067b311efc97c80a54eaeb028891f73e4bf5bfba566cfcd6b973ed36e92ecef87bb79dc03d0a3e213d98849f25e8e95dbe47f0bde5
SSDEEP: 6144:zq1Abgq11DTfRYnXNmXOBsyRRDz1PkVOAvj5Rmq9I:BcU1DywXesKdk/5Rmq9I
Signatures
ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
  resource: \Users\Admin\AppData\Local\Temp\xik55EE.tmp    yara_rule: acprotect
Possible privilege escalation attempt (2 IoCs)
  pid 1192 takeown.exe
  pid 1744 icacls.exe
Loads dropped DLL (1 IoC)
  pid 1352 fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe
Modifies file permissions (1 TTP, 2 IoCs)
  pid 1192 takeown.exe
  pid 1744 icacls.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s); the sandbox flags this as likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 1192 takeown.exe    Token: SeTakeOwnershipPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1352 fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1352 fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe wrote to memory of PID 1272 cmd.exe (4 events)
  PID 1272 cmd.exe wrote to memory of PID 1192 takeown.exe (4 events)
  PID 1272 cmd.exe wrote to memory of PID 1744 icacls.exe (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe  (PID 1352)
  command line: "C:\Users\Admin\AppData\Local\Temp\fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (PID 1272)
    command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe  (PID 1192)
      command line: takeown /F mingliu.ttc /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe  (PID 1744)
      command line: icacls mingliu.ttc /grant Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
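The chain above is the standard way to get write access to a file the current user does not own: the batch file runs takeown with /A, which assigns ownership to the Administrators group rather than the calling user (hence the SeTakeOwnershipPrivilege token use flagged for PID 1192), and then icacls grants that group Full control. Note that mingliu.ttc is a relative path, so which file is actually touched depends on cmd.exe's working directory, which the report does not record. The following is an added detection example, not part of the sandbox report or of the analysed sample: it correlates process-creation events to find a takeown and an icacls child of the same parent that name the same file, and reports the parent's script and the ancestry chain. Events are constructed in the shape of Sysmon Event ID 1 records; the PIDs, images and command lines are copied from the report's process tree, while the sample's own parent PID (1000) and the benign icacls rows are made up for contrast.

```python
"""Correlate takeown -> icacls ownership grabs in process-creation events (added example)."""
import ntpath
import re
from collections import defaultdict

SAMPLE = "fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe"
SAMPLE_PATH = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE)

# Constructed events modelled on the report's process tree. The sample's parent PID (1000)
# and the last two rows (an admin fixing share ACLs from a console) are made up.
EVENTS = [
    {"pid": 1352, "ppid": 1000, "image": SAMPLE_PATH, "cmd": '"%s"' % SAMPLE_PATH},
    {"pid": 1272, "ppid": 1352, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "'},
    {"pid": 1192, "ppid": 1272, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmd": "takeown /F mingliu.ttc /A"},
    {"pid": 1744, "ppid": 1272, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": "icacls mingliu.ttc /grant Administrators:(F)"},
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r"icacls C:\Share /grant Users:(RX)"},
]

# A drive-letter path ending in .bat/.cmd inside a command line (stops at the next quote).
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:bat|cmd))\b', re.IGNORECASE)


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def takeown_target(cmd):
    """The file named by takeown's /F switch, or None."""
    toks = tokens(cmd)
    for i, tok in enumerate(toks[:-1]):
        if tok.upper() == "/F":
            return toks[i + 1]
    return None


def icacls_target(cmd):
    """The first non-switch argument to icacls (the object whose ACL is changed), or None."""
    for tok in tokens(cmd)[1:]:
        if not tok.startswith("/"):
            return tok
    return None


def icacls_grant(cmd):
    """(grantee, rights) from the first /grant or /grant:r clause, e.g. ('Administrators', 'F')."""
    toks = tokens(cmd)
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in ("/grant", "/grant:r"):
            grantee, _, rights = toks[i + 1].partition(":")
            return grantee, rights.strip("()")
    return None


def ancestry(by_pid, pid):
    """Image basenames from the given process up to the first parent not in the event set."""
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_ownership_grabs(events):
    """Flag an icacls child whose target matches a takeown sibling under the same parent."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for ppid, kids in children.items():
        takeowns = {}
        for k in kids:
            if ntpath.basename(k["image"]).lower() == "takeown.exe":
                name = ntpath.basename(takeown_target(k["cmd"]) or "").lower()
                if name:
                    takeowns[name] = k
        for k in kids:
            if ntpath.basename(k["image"]).lower() != "icacls.exe":
                continue
            target = ntpath.basename(icacls_target(k["cmd"]) or "").lower()
            if not target or target not in takeowns:
                continue
            parent = by_pid.get(ppid)
            m = SCRIPT_RE.search(parent["cmd"]) if parent else None
            script = m.group(1) if m else None
            findings.append({
                "file": target,
                "takeown_pid": takeowns[target]["pid"],
                "icacls_pid": k["pid"],
                "grant": icacls_grant(k["cmd"]),
                "script": script,
                # A launcher script under the user's profile is the suspicious case here.
                "script_in_user_profile": bool(script) and "\\appdata\\" in script.lower(),
                "ancestry": ancestry(by_pid, k["pid"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_ownership_grabs(EVENTS):
        print(finding)
```

Matching on the target's basename rather than the full argument is deliberate: both commands in the report use the bare name mingliu.ttc, so the check still pairs them when one side is later logged with a full path. The benign rows are not flagged because the console's icacls has no takeown sibling.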
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
  Filesize: 254B
  MD5: 00a44a36512228fdd22f812ad21d6f26
  SHA1: 64d48adbbd2d942e2ea79b232cf0fe8995edcf51
  SHA256: 51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
  SHA512: f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e
\Users\Admin\AppData\Local\Temp\xik55EE.tmp
  Filesize: 172KB
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
memory/1192-60-0x0000000000000000-mapping.dmp
memory/1272-56-0x0000000000000000-mapping.dmp
memory/1352-54-0x0000000075601000-0x0000000075603000-memory.dmp  (Filesize: 8KB)
memory/1352-57-0x0000000000400000-0x000000000041B000-memory.dmp  (Filesize: 108KB)
memory/1352-58-0x0000000000230000-0x00000000002A3000-memory.dmp  (Filesize: 460KB)
memory/1352-62-0x0000000000400000-0x000000000041B000-memory.dmp  (Filesize: 108KB)
memory/1352-63-0x0000000000230000-0x00000000002A3000-memory.dmp  (Filesize: 460KB)
memory/1744-61-0x0000000000000000-mapping.dmp