b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef

General

Target

b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe
Size

281KB
MD5

72bc1b1d16ab187d81d41ff53b86f2b0
SHA1

3c023aad099a37f1cd8c40c05a47e2adcf9b5767
SHA256

b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef
SHA512

3b8f5210884ef84abbec99170fe9d8bb9b4a71629974d7d798051179332b9dbe93944b922b669c73abf75461fba69ade06292513a750e3587b02b9ba6d1e0bf6
SSDEEP

6144:Jq1AbgC11Cb2PfhTOt3ZuKtH1r4GjPIAx/HESg8R+:ncM1Cb2XlOtJ9tHiGj/x/kSgM+

Score

9^/10

discovery exploit

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\iykF355.tmp	acprotect

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

1320 icacls.exe
1700 takeown.exe
Loads dropped DLL 1 IoCs

Processes:

b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe

pid process

1964 b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1700 takeown.exe
1320 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 1700 takeown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe

pid process

1964 b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe

pid	process
1320	icacls.exe
1700	takeown.exe

pid	process
1964	b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe

pid	process
1700	takeown.exe
1320	icacls.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1700	takeown.exe

pid	process
1964	b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 1692	1964	b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe	cmd.exe
PID 1964 wrote to memory of 1692	1964	b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe	cmd.exe
PID 1964 wrote to memory of 1692	1964	b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe	cmd.exe
PID 1964 wrote to memory of 1692	1964	b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe	cmd.exe
PID 1692 wrote to memory of 1700	1692	cmd.exe	takeown.exe
PID 1692 wrote to memory of 1700	1692	cmd.exe	takeown.exe
PID 1692 wrote to memory of 1700	1692	cmd.exe	takeown.exe
PID 1692 wrote to memory of 1700	1692	cmd.exe	takeown.exe
PID 1692 wrote to memory of 1320	1692	cmd.exe	icacls.exe
PID 1692 wrote to memory of 1320	1692	cmd.exe	icacls.exe
PID 1692 wrote to memory of 1320	1692	cmd.exe	icacls.exe
PID 1692 wrote to memory of 1320	1692	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe
"C:\Users\Admin\AppData\Local\Temp\b81e27e54c6825a5834067669815d21dfef0b720a44a81a5f9b1f57ea04f23ef.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\takeown.exe
takeown /F mingliu.ttc /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\icacls.exe
icacls mingliu.ttc /grant Administrators:(F)
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1320

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Tencent\QQPinyin\RenameTTX\x_0.bat
Filesize
254B

MD5
00a44a36512228fdd22f812ad21d6f26

SHA1
64d48adbbd2d942e2ea79b232cf0fe8995edcf51

SHA256
51bf22a92e82778eb0ea72b509ef0e25992fe218bae5f136dc95d01789297946

SHA512
f183f7d7784b667c4ec82ff64097453d26c9b94e10aad76a72b691ed14dcd2d0e37b7aaa2f7407f06d4b06b36b3d46a5bc22001c43ac5d99c95df19612e63f7e

Download Submit
\Users\Admin\AppData\Local\Temp\iykF355.tmp
Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/1320-61-0x0000000000000000-mapping.dmp

Download
memory/1692-56-0x0000000000000000-mapping.dmp

Download
memory/1700-59-0x0000000000000000-mapping.dmp

Download
memory/1964-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1964-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-60-0x0000000001B40000-0x0000000001BB3000-memory.dmp

Filesize
460KB

Download
memory/1964-62-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1964-63-0x0000000001B40000-0x0000000001BB3000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing