fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6

General

Target

fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe
Size

281KB
MD5

62154ee3e60c718a0d45217c715314fd
SHA1

e10f8a8502c19baf62039cae898e4246b65a1d59
SHA256

fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6
SHA512

7065336cbef8759f7a7c13067b311efc97c80a54eaeb028891f73e4bf5bfba566cfcd6b973ed36e92ecef87bb79dc03d0a3e213d98849f25e8e95dbe47f0bde5
SSDEEP

6144:zq1Abgq11DTfRYnXNmXOBsyRRDz1PkVOAvj5Rmq9I:BcU1DywXesKdk/5Rmq9I

Score

9^/10

discovery exploit

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\xik55EE.tmp	acprotect

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1192 takeown.exe
1744 icacls.exe
Loads dropped DLL 1 IoCs

Processes:

fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe

pid process

1352 fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1192 takeown.exe
1744 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 1192 takeown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe

pid process

1352 fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe

pid	process
1192	takeown.exe
1744	icacls.exe

pid	process
1352	fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe

pid	process
1192	takeown.exe
1744	icacls.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1192	takeown.exe

pid	process
1352	fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 1272	1352	fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe	cmd.exe
PID 1352 wrote to memory of 1272	1352	fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe	cmd.exe
PID 1352 wrote to memory of 1272	1352	fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe	cmd.exe
PID 1352 wrote to memory of 1272	1352	fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe	cmd.exe
PID 1272 wrote to memory of 1192	1272	cmd.exe	takeown.exe
PID 1272 wrote to memory of 1192	1272	cmd.exe	takeown.exe
PID 1272 wrote to memory of 1192	1272	cmd.exe	takeown.exe
PID 1272 wrote to memory of 1192	1272	cmd.exe	takeown.exe
PID 1272 wrote to memory of 1744	1272	cmd.exe	icacls.exe
PID 1272 wrote to memory of 1744	1272	cmd.exe	icacls.exe
PID 1272 wrote to memory of 1744	1272	cmd.exe	icacls.exe
PID 1272 wrote to memory of 1744	1272	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe
"C:\Users\Admin\AppData\Local\Temp\fcc1198ac9c7cf7c8a36b3b512c680c9a453dc7d78c454e3e32f4005750f01d6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\takeown.exe
takeown /F mingliu.ttc /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\icacls.exe
icacls mingliu.ttc /grant Administrators:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
Filesize
254B

MD5
00a44a36512228fdd22f812ad21d6f26

SHA1
64d48adbbd2d942e2ea79b232cf0fe8995edcf51

SHA256
51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946

SHA512
f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e

Download Submit
\Users\Admin\AppData\Local\Temp\xik55EE.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/1192-60-0x0000000000000000-mapping.dmp

Download
memory/1272-56-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1352-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-58-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/1352-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1352-63-0x0000000000230000-0x00000000002A3000-memory.dmp

Filesize
460KB

Download
memory/1744-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing