Analysis
- max time kernel: 43s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2022 04:52
Behavioral task: behavioral1
- Sample: 6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
- Resource: win7-20220901-en
General
- Target: 6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
- Size: 69KB
- MD5: 6e0621eb5136a4f7648bfa86496f73d0
- SHA1: 784377ae95ebbbb245145b3533e05858c1b9fe8d
- SHA256: 6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61
- SHA512: 8a6ab4eae33eb67459365dde9f8f4cf36109c6dd60a225e11f0b0f063636bf2b6ad3f333702ed5fafbc84e269685b11b14e3a19fc07a6e47231337d343898a69
- SSDEEP: 1536:HOZqGZNz7/gNl5DFKDacNpXqjXCJPTKjJ8m:HObZNzTgfN5CVSJ8
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid   process
  1064  takeown.exe
  1148  icacls.exe
- YARA rule match
  resource: behavioral1/memory/1740-56-0x0000000000400000-0x0000000000422000-memory.dmp
  yara_rule: upx
- Deletes itself (1 IoC)
  Processes: regsvr32.exe
  pid   process
  1316  regsvr32.exe
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe
  pid   process
  1316  regsvr32.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  pid   process
  1064  takeown.exe
  1148  icacls.exe
- Drops file in System32 directory (3 IoCs)
  Processes: regsvr32.exe
  description                   ioc                              process
  File opened for modification  C:\Windows\SysWOW64\apa.dll      regsvr32.exe
  File created                  C:\Windows\SysWOW64\rpcss.dll    regsvr32.exe
  File opened for modification  C:\Windows\SysWOW64\rpcss.dll    regsvr32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: regsvr32.exe
  pid   process
  1316  regsvr32.exe
  1316  regsvr32.exe
  1316  regsvr32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: regsvr32.exe, takeown.exe
  description                       pid   process
  Token: SeDebugPrivilege           1316  regsvr32.exe
  Token: SeTakeOwnershipPrivilege   1064  takeown.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe, regsvr32.exe
  description                             pid   process                                                                   target process   count
  PID 1740 wrote to memory of 1316        1740  6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe     regsvr32.exe     7
  PID 1316 wrote to memory of 1064        1316  regsvr32.exe                                                              takeown.exe      4
  PID 1316 wrote to memory of 1148        1316  regsvr32.exe                                                              icacls.exe       4
  PID 1316 wrote to memory of 592         1316  regsvr32.exe                                                              svchost.exe      1
Processes
- C:\Windows\system32\svchost.exe (depth 1)
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~6c0dd7.tmp ,C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (depth 3)
      command line: takeown /f "C:\Windows\system32\rpcss.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (depth 3)
      command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\~~6c0dd7.tmp
  Filesize: 1.0MB
  MD5: e647d051edd7e89fd1ce555faf63b5cd
  SHA1: 97047dd6c77311c7c11e4f1a5bf9be0990643f6d
  SHA256: 6c1869e0f53b6fc35dac0e3c336bcb319817e4c77d3693ecafd1e77c39765874
  SHA512: e6a101d25e0d66adaf6d632c3253a7ec34a00ae4d591df5a67665b8e5a79fc18c61418f13bdbf6215c6812a7fcf0b426c289b94a050155ea290395934e8c03ba
- \Users\Admin\AppData\Local\Temp\~~6c0dd7.tmp
  Filesize: 1.0MB
  MD5: e647d051edd7e89fd1ce555faf63b5cd
  SHA1: 97047dd6c77311c7c11e4f1a5bf9be0990643f6d
  SHA256: 6c1869e0f53b6fc35dac0e3c336bcb319817e4c77d3693ecafd1e77c39765874
  SHA512: e6a101d25e0d66adaf6d632c3253a7ec34a00ae4d591df5a67665b8e5a79fc18c61418f13bdbf6215c6812a7fcf0b426c289b94a050155ea290395934e8c03ba
- memory/1064-60-0x0000000000000000-mapping.dmp
- memory/1148-61-0x0000000000000000-mapping.dmp
- memory/1316-55-0x0000000000000000-mapping.dmp
- memory/1740-54-0x0000000075931000-0x0000000075933000-memory.dmp
  Filesize: 8KB
- memory/1740-56-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB