Analysis
max time kernel: 154s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 03:38
Static task: static1
Behavioral task: behavioral1
Sample: fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
Resource: win7-20220812-en
General
Target: fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
Size: 24KB
MD5: 284dccd7574ce63fdbbb5d8b3204bb6b
SHA1: cb7fefae68a90edc9051a7392ffef185fa304932
SHA256: fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370
SHA512: 16ce6fdd285805b7c011dfcc4b119b4fbf000b6f80c22cb112558499105c19b9f95c04744f72255ada0a583263bb0e341b9224e152c019e2e5e95999904e6955
SSDEEP: 384:olBy/jZ+wOu1hhoz5nAoQKnnd1adMTqPobFlYM2hakiKf6siRbXLaQDHOH0pU2hs:oa/tjKzauTwobFu/iKel6z
Malware Config
Signatures
Possible privilege escalation attempt (4 IoCs)
Processes:
  pid  | process
  1296 | takeown.exe
  1096 | icacls.exe
  1640 | takeown.exe
  4396 | icacls.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  pid  | process
  1296 | takeown.exe
  1096 | icacls.exe
  1640 | takeown.exe
  4396 | icacls.exe
Drops file in System32 directory (5 IoCs)
Processes:
  description                  | ioc                                       | process
  File created                 | C:\Windows\SysWOW64\dllcache\rasadhlp.dll | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  File opened for modification | C:\Windows\SysWOW64\123BDB9.tmp           | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  File created                 | C:\Windows\SysWOW64\dllcache\midimap.dll  | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  File created                 | C:\Windows\SysWOW64\sxload.tmp            | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  File opened for modification | C:\Windows\SysWOW64\123B58A.tmp           | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe

Drops file in Program Files directory (1 IoC)
Processes:
  description  | ioc                                          | process
  File created | C:\Program Files (x86)\Common Files\sxyy.tmp | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
Processes:
  pid | process
  212 | taskkill.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description                     | pid  | process
  Token: SeDebugPrivilege         | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  Token: SeTakeOwnershipPrivilege | 1296 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1640 | takeown.exe
  Token: SeDebugPrivilege         | 212  | taskkill.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
  pid  | process
  4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description                        | pid  | process                                                              | target process
  PID 4880 wrote to memory of 4140   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
  PID 4880 wrote to memory of 4140   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
  PID 4880 wrote to memory of 4140   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
  PID 4140 wrote to memory of 1296   | 4140 | cmd.exe                                                              | takeown.exe
  PID 4140 wrote to memory of 1296   | 4140 | cmd.exe                                                              | takeown.exe
  PID 4140 wrote to memory of 1296   | 4140 | cmd.exe                                                              | takeown.exe
  PID 4140 wrote to memory of 1096   | 4140 | cmd.exe                                                              | icacls.exe
  PID 4140 wrote to memory of 1096   | 4140 | cmd.exe                                                              | icacls.exe
  PID 4140 wrote to memory of 1096   | 4140 | cmd.exe                                                              | icacls.exe
  PID 4880 wrote to memory of 4756   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
  PID 4880 wrote to memory of 4756   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
  PID 4880 wrote to memory of 4756   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
  PID 4756 wrote to memory of 1640   | 4756 | cmd.exe                                                              | takeown.exe
  PID 4756 wrote to memory of 1640   | 4756 | cmd.exe                                                              | takeown.exe
  PID 4756 wrote to memory of 1640   | 4756 | cmd.exe                                                              | takeown.exe
  PID 4756 wrote to memory of 4396   | 4756 | cmd.exe                                                              | icacls.exe
  PID 4756 wrote to memory of 4396   | 4756 | cmd.exe                                                              | icacls.exe
  PID 4756 wrote to memory of 4396   | 4756 | cmd.exe                                                              | icacls.exe
  PID 4880 wrote to memory of 212    | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | taskkill.exe
  PID 4880 wrote to memory of 212    | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | taskkill.exe
  PID 4880 wrote to memory of 212    | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | taskkill.exe
  PID 4880 wrote to memory of 1028   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
  PID 4880 wrote to memory of 1028   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
  PID 4880 wrote to memory of 1028   | 4880 | fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
  "C:\Users\Admin\AppData\Local\Temp\fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\system32\rasadhlp.dll"
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\system32\midimap.dll"
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "yy.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 1.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize: 251B
  MD5: f5392f065d83c6215708f4b59e16ef69
  SHA1: e4e451ee35970240dbef1bc14418f63e31336aa0
  SHA256: 26e9d8f7227b9c7b5cfe88992be156ab2c27cc207b54cbfa28d3f4350890c57b
  SHA512: d900d4a6dc062d434986b609b42b41305d123635666f3698aab259c6e820e481c9d8cf562bab66c90e3365ffa0afb8421bf5ae232ef6c24c0d799bef91bae43b

- memory/212-138-0x0000000000000000-mapping.dmp
- memory/1028-139-0x0000000000000000-mapping.dmp
- memory/1096-134-0x0000000000000000-mapping.dmp
- memory/1296-133-0x0000000000000000-mapping.dmp
- memory/1640-136-0x0000000000000000-mapping.dmp
- memory/4140-132-0x0000000000000000-mapping.dmp
- memory/4396-137-0x0000000000000000-mapping.dmp
- memory/4756-135-0x0000000000000000-mapping.dmp