Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 04:30
Static task: static1
Behavioral task: behavioral1
  Sample: b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe
  Resource: win10v2004-20220812-en
General
Target: b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe
Size: 281KB
MD5: 72bc1b1d16ab187d81d41ff53b86f2b0
SHA1: 3c023aad099a37f1cd8c40c05a47e2adcf9b5767
SHA256: b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef
SHA512: 3b8f5210884ef84abbec99170fe9d8bb9b4a71629974d7d798051179332b9dbe93944b922b669c73abf75461fba69ade06292513a750e3587b02b9ba6d1e0bf6
SSDEEP: 6144:Jq1AbgC11Cb2PfhTOt3ZuKtH1r4GjPIAx/HESg8R+:ncM1Cb2XlOtJ9tHiGj/x/kSgM+
Signatures

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
Processes (resource, yara_rule):
  \Users\Admin\AppData\Local\Temp\iykF355.tmp  acprotect

Possible privilege escalation attempt (2 IoCs)
Processes (pid, process):
  1320 icacls.exe
  1700 takeown.exe

Loads dropped DLL (1 IoC)
Processes (pid, process):
  1964 b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe

Modifies file permissions (1 TTP, 2 IoCs)
Processes (pid, process):
  1700 takeown.exe
  1320 icacls.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeTakeOwnershipPrivilege  1700 takeown.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
  1964 b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 1964 wrote to memory of 1692  1964 b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe  cmd.exe  (recorded 4 times)
  PID 1692 wrote to memory of 1700  1692 cmd.exe  takeown.exe  (recorded 4 times)
  PID 1692 wrote to memory of 1320  1692 cmd.exe  icacls.exe  (recorded 4 times)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /F mingliu.ttc /A
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    Depth 3: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls mingliu.ttc /grant Administrators:(F)
      - Possible privilege escalation attempt
      - Modifies file permissions
Downloads

C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
  Filesize: 254B
  MD5: 00a44a36512228fdd22f812ad21d6f26
  SHA1: 64d48adbbd2d942e2ea79b232cf0fe8995edcf51
  SHA256: 51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946
  SHA512: f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e

\Users\Admin\AppData\Local\Temp\iykF355.tmp
  Filesize: 172KB
  MD5: 685f1cbd4af30a1d0c25f252d399a666
  SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
  SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
  SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Memory dumps:
- memory/1320-61-0x0000000000000000-mapping.dmp
- memory/1692-56-0x0000000000000000-mapping.dmp
- memory/1700-59-0x0000000000000000-mapping.dmp
- memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp (Filesize: 8KB)
- memory/1964-58-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1964-60-0x0000000001B40000-0x0000000001BB3000-memory.dmp (Filesize: 460KB)
- memory/1964-62-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1964-63-0x0000000001B40000-0x0000000001BB3000-memory.dmp (Filesize: 460KB)