Analysis
  max time kernel: 31s
  max time network: 2s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11-10-2022 04:52

Behavioral task: behavioral1
  Sample: 6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
  Resource: win7-20220901-en

General
  Target: 6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
  Size: 69KB
  MD5: 6e0621eb5136a4f7648bfa86496f73d0
  SHA1: 784377ae95ebbbb245145b3533e05858c1b9fe8d
  SHA256: 6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61
  SHA512: 8a6ab4eae33eb67459365dde9f8f4cf36109c6dd60a225e11f0b0f063636bf2b6ad3f333702ed5fafbc84e269685b11b14e3a19fc07a6e47231337d343898a69
  SSDEEP: 1536:HOZqGZNz7/gNl5DFKDacNpXqjXCJPTKjJ8m:HObZNzTgfN5CVSJ8
Malware Config

Signatures

Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    3600  takeown.exe
    3940  icacls.exe

Processes:
    resource                                                                       yara_rule
    behavioral2/memory/3560-132-0x0000000000400000-0x0000000000422000-memory.dmp   upx
    behavioral2/memory/3560-133-0x0000000000400000-0x0000000000422000-memory.dmp   upx
    behavioral2/memory/3560-137-0x0000000000400000-0x0000000000422000-memory.dmp   upx

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
    process: 6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe

Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    5100  regsvr32.exe

Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    pid   process
    3600  takeown.exe
    3940  icacls.exe

Drops file in System32 directory (3 IoCs)
  Processes:
    description                    ioc                             process
    File opened for modification   C:\Windows\SysWOW64\apa.dll     regsvr32.exe
    File created                   C:\Windows\SysWOW64\rpcss.dll   regsvr32.exe
    File opened for modification   C:\Windows\SysWOW64\rpcss.dll   regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    5100  regsvr32.exe
    5100  regsvr32.exe
    5100  regsvr32.exe
    5100  regsvr32.exe
    5100  regsvr32.exe
    5100  regsvr32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description                       pid   process
    Token: SeDebugPrivilege           5100  regsvr32.exe
    Token: SeTakeOwnershipPrivilege   3600  takeown.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                        pid   process                                                                  target process
    PID 3560 wrote to memory of 5100   3560  6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe   regsvr32.exe
    PID 3560 wrote to memory of 5100   3560  6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe   regsvr32.exe
    PID 3560 wrote to memory of 5100   3560  6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe   regsvr32.exe
    PID 5100 wrote to memory of 3600   5100  regsvr32.exe                                                             takeown.exe
    PID 5100 wrote to memory of 3600   5100  regsvr32.exe                                                             takeown.exe
    PID 5100 wrote to memory of 3600   5100  regsvr32.exe                                                             takeown.exe
    PID 5100 wrote to memory of 3940   5100  regsvr32.exe                                                             icacls.exe
    PID 5100 wrote to memory of 3940   5100  regsvr32.exe                                                             icacls.exe
    PID 5100 wrote to memory of 3940   5100  regsvr32.exe                                                             icacls.exe
    PID 5100 wrote to memory of 772    5100  regsvr32.exe                                                             svchost.exe
Processes

(depth 1) C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p

(depth 1) C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    (depth 2) C:\Windows\SysWOW64\regsvr32.exe
        command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~e573bf0.tmp ,C:\Users\Admin\AppData\Local\Temp\6538bc84f6831ce66b0d0b39c80f73bd5155b487274e2dbf19958d8d76945d61.exe
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        (depth 3) C:\Windows\SysWOW64\takeown.exe
            command line: takeown /f "C:\Windows\system32\rpcss.dll"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        (depth 3) C:\Windows\SysWOW64\icacls.exe
            command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\~~e573bf0.tmp
  Filesize: 1.0MB
  MD5: e647d051edd7e89fd1ce555faf63b5cd
  SHA1: 97047dd6c77311c7c11e4f1a5bf9be0990643f6d
  SHA256: 6c1869e0f53b6fc35dac0e3c336bcb319817e4c77d3693ecafd1e77c39765874
  SHA512: e6a101d25e0d66adaf6d632c3253a7ec34a00ae4d591df5a67665b8e5a79fc18c61418f13bdbf6215c6812a7fcf0b426c289b94a050155ea290395934e8c03ba
memory/3560-132-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB

memory/3560-133-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB

memory/3560-137-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB

memory/3600-138-0x0000000000000000-mapping.dmp

memory/3940-139-0x0000000000000000-mapping.dmp

memory/5100-134-0x0000000000000000-mapping.dmp