6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61

General

Target

6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
Size

69KB
MD5

6e0621eb5136a4f7648bfa86496f73d0
SHA1

784377ae95ebbbb245145b3533e05858c1b9fe8d
SHA256

6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61
SHA512

8a6ab4eae33eb67459365dde9f8f4cf36109c6dd60a225e11f0b0f063636bf2b6ad3f333702ed5fafbc84e269685b11b14e3a19fc07a6e47231337d343898a69
SSDEEP

1536:HOZqGZNz7/gNl5DFKDacNpXqjXCJPTKjJ8m:HObZNzTgfN5CVSJ8

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3600 takeown.exe
3940 icacls.exe

pid	process
3600	takeown.exe
3940	icacls.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3560-132-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3560-133-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/3560-137-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

5100 regsvr32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3600 takeown.exe
3940 icacls.exe

pid	process
5100	regsvr32.exe

pid	process
3600	takeown.exe
3940	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exe

pid process

5100 regsvr32.exe
5100 regsvr32.exe
5100 regsvr32.exe
5100 regsvr32.exe
5100 regsvr32.exe
5100 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

regsvr32.exetakeown.exe

description pid process

Token: SeDebugPrivilege 5100 regsvr32.exe
Token: SeTakeOwnershipPrivilege 3600 takeown.exe

pid	process
5100	regsvr32.exe
5100	regsvr32.exe
5100	regsvr32.exe
5100	regsvr32.exe
5100	regsvr32.exe
5100	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	5100	regsvr32.exe
Token: SeTakeOwnershipPrivilege	3600	takeown.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exeregsvr32.exe

description	pid	process	target process
PID 3560 wrote to memory of 5100	3560	6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe	regsvr32.exe
PID 3560 wrote to memory of 5100	3560	6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe	regsvr32.exe
PID 3560 wrote to memory of 5100	3560	6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe	regsvr32.exe
PID 5100 wrote to memory of 3600	5100	regsvr32.exe	takeown.exe
PID 5100 wrote to memory of 3600	5100	regsvr32.exe	takeown.exe
PID 5100 wrote to memory of 3600	5100	regsvr32.exe	takeown.exe
PID 5100 wrote to memory of 3940	5100	regsvr32.exe	icacls.exe
PID 5100 wrote to memory of 3940	5100	regsvr32.exe	icacls.exe
PID 5100 wrote to memory of 3940	5100	regsvr32.exe	icacls.exe
PID 5100 wrote to memory of 772	5100	regsvr32.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
"C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e573bf0.tmp ,C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~e573bf0.tmp
Filesize
1.0MB

MD5
e647d051edd7e89fd1ce555faf63b5cd

SHA1
97047dd6c77311c7c11e4f1a5bf9be0990643f6d

SHA256
6c1869e0f53b6fc35dac0e3c336bcb319817e4c77d3693ecafd1e77c39765874

SHA512
e6a101d25e0d66adaf6d632c3253a7ec34a00ae4d591df5a67665b8e5a79fc18c61418f13bdbf6215c6812a7fcf0b426c289b94a050155ea290395934e8c03ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\~~e573bf0.tmp
Filesize
1.0MB

MD5
e647d051edd7e89fd1ce555faf63b5cd

SHA1
97047dd6c77311c7c11e4f1a5bf9be0990643f6d

SHA256
6c1869e0f53b6fc35dac0e3c336bcb319817e4c77d3693ecafd1e77c39765874

SHA512
e6a101d25e0d66adaf6d632c3253a7ec34a00ae4d591df5a67665b8e5a79fc18c61418f13bdbf6215c6812a7fcf0b426c289b94a050155ea290395934e8c03ba

Download Submit
memory/3560-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3560-133-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3560-137-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3600-138-0x0000000000000000-mapping.dmp

Download
memory/3940-139-0x0000000000000000-mapping.dmp

Download
memory/5100-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads