8ddf1932be354b3e2ab38bb68c07422aac94645e492a7a61cb04149f799a7cb0

General

Target

2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe
Size

9.6MB
MD5

699bdbd2b656d80d8e8a467025536d52
SHA1

cb4a2a7f3b39fc41ce0d935e7851117422364c76
SHA256

2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b
SHA512

0589ad9ee15411f5de41ef6570515b0b320a3cae040e70f94bb56ecb85292be561ac05f37891fe913c26045ac5058118daa7f3c66681458ecb693bdbfb65758f
SSDEEP

196608:mZNNPxSRvMx1GffQf0DQR3FkiUzD30xs7LpLJwN7aIH/avHwjwh2FrfX6:mZN17GffEJRSiUfZXptOWq/3s2FX

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmpFWCapUpdate_v42.exeMEInfoWin64.exe

pid process

2196 2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp
4940 FWCapUpdate_v42.exe
4364 MEInfoWin64.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exe

pid process

4960 icacls.exe
2092 takeown.exe
3976 icacls.exe
1628 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exe

pid process

1628 icacls.exe
4960 icacls.exe
2092 takeown.exe
3976 icacls.exe

pid	process
4960	icacls.exe
2092	takeown.exe
3976	icacls.exe
1628	icacls.exe

pid	process
1628	icacls.exe
4960	icacls.exe
2092	takeown.exe
3976	icacls.exe

Drops file in Windows directory 2 IoCs

Processes:

2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp

description	ioc	process
File created	C:\Windows\TempInst\is-J5CAM.tmp\2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe
File created	C:\Windows\TempInst\is-RL92F.tmp\_isetup\_setup64.tmp	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MEInfoWin64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	MEInfoWin64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	MEInfoWin64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	MEInfoWin64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	MEInfoWin64.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3364 schtasks.exe
4348 schtasks.exe

pid	process
3364	schtasks.exe
4348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp

pid	process
2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp
2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp

pid process

2196 2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmpFWCapUpdate_v42.exe

description	pid	process	target process
PID 1944 wrote to memory of 2196	1944	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp
PID 1944 wrote to memory of 2196	1944	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp
PID 1944 wrote to memory of 2196	1944	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp
PID 2196 wrote to memory of 2092	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	takeown.exe
PID 2196 wrote to memory of 2092	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	takeown.exe
PID 2196 wrote to memory of 3976	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	icacls.exe
PID 2196 wrote to memory of 3976	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	icacls.exe
PID 2196 wrote to memory of 1628	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	icacls.exe
PID 2196 wrote to memory of 1628	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	icacls.exe
PID 2196 wrote to memory of 4960	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	icacls.exe
PID 2196 wrote to memory of 4960	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	icacls.exe
PID 2196 wrote to memory of 3364	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	schtasks.exe
PID 2196 wrote to memory of 3364	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	schtasks.exe
PID 2196 wrote to memory of 3524	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	schtasks.exe
PID 2196 wrote to memory of 3524	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	schtasks.exe
PID 2196 wrote to memory of 4348	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	schtasks.exe
PID 2196 wrote to memory of 4348	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	schtasks.exe
PID 2196 wrote to memory of 888	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	schtasks.exe
PID 2196 wrote to memory of 888	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	schtasks.exe
PID 2196 wrote to memory of 4940	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	FWCapUpdate_v42.exe
PID 2196 wrote to memory of 4940	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	FWCapUpdate_v42.exe
PID 2196 wrote to memory of 4940	2196	2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp	FWCapUpdate_v42.exe
PID 4940 wrote to memory of 4364	4940	FWCapUpdate_v42.exe	MEInfoWin64.exe
PID 4940 wrote to memory of 4364	4940	FWCapUpdate_v42.exe	MEInfoWin64.exe

C:\Users\Admin\AppData\Local\Temp\2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe
"C:\Users\Admin\AppData\Local\Temp\2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\TempInst\is-J5CAM.tmp\2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp
"C:\Windows\TempInst\is-J5CAM.tmp\2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp" /SL5="$801BE,9284365,180224,C:\Users\Admin\AppData\Local\Temp\2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /f C:\DRIVERS /a /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2092

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" C:\DRIVERS /reset /T /C /L /Q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3976

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" C:\DRIVERS /inheritance:e /grant:r *S-1-5-32-544:(OI)(CI)F *S-1-5-18:(OI)(CI)F *S-1-5-32-545:(OI)(CI)RX /T /C /L /Q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1628

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" C:\DRIVERS /inheritance:r /C /L /Q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4960

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /CREATE /XML C:\DRIVERS\WIN\ME\20220311.16244040\DeleteFolder.xml /TN "\LenovoCleanupFolder-20220311.162507"
3⤵
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /CHANGE /TN "\LenovoCleanupFolder-20220311.162507" /TR "C:\Windows\system32\cmd.exe /C 'rd /s /q C:\DRIVERS\WIN\ME\20220311.16244040\"
3⤵
PID:3524

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /CREATE /XML C:\DRIVERS\WIN\ME\20220311.16244040\DeleteTasks.xml /TN "\LenovoCleanupTasks-20220311.162507"
3⤵
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /CHANGE /TN "\LenovoCleanupTasks-20220311.162507" /TR "C:\Windows\system32\cmd.exe /C 'C:\Windows\system32\schtasks.exe /Delete /TN LenovoCleanupFolder-20220311.162507 /F && C:\Windows\system32\schtasks.exe /Delete /TN LenovoCleanupTasks-20220311.162507 /F'"
3⤵
PID:888

C:\DRIVERS\WIN\ME\20220311.16244040\FWCapUpdate_v42.exe
"C:\DRIVERS\WIN\ME\20220311.16244040\FWCapUpdate_v42.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940

C:\DRIVERS\WIN\ME\20220311.16244040\MEInfoWin64.exe
"MEInfoWin64.exe" -fwsts
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DRIVERS\WIN\ME\20220311.16244040\Config.ini
Filesize
374B

MD5
473bf74fab173e3612c44f05e376dda7

SHA1
e9974bed8f7b07d3679ca4cef4b9ef5021eb44b3

SHA256
c39d95bb3ed078feffa8cada92f84572dfd8931fd76dcf6b39b8a87bb6fd408a

SHA512
691818c54ca5e4457755561bac543b67e7e50ef81eb5a940679324c67a93de78c4764585bfafc35a91875e3f4bd2eafb3154b0c37f636a790f7a3c3c9d4cad99

Download Submit
C:\DRIVERS\WIN\ME\20220311.16244040\FWCapUpdate_v42.exe
Filesize
49KB

MD5
5e1e1d2a8a7108c90fcea38b0dd27ddf

SHA1
2827ddd78f28e9831e59cbf4e2fa480ac0afd005

SHA256
02317c60bbd56833049628ffff62e7032b76127d8f7c74341f2d9d38ae8ff36d

SHA512
b5778f3bec038ee67ea93f80c4f60a9a83b1a1796a35af496ad15214f91e992ac631675933981d3f3c27665f131a8506f301d1da75a13abcc9076267eef496a6

Download Submit
C:\DRIVERS\WIN\ME\20220311.16244040\FWCapUpdate_v42.exe
Filesize
49KB

MD5
5e1e1d2a8a7108c90fcea38b0dd27ddf

SHA1
2827ddd78f28e9831e59cbf4e2fa480ac0afd005

SHA256
02317c60bbd56833049628ffff62e7032b76127d8f7c74341f2d9d38ae8ff36d

SHA512
b5778f3bec038ee67ea93f80c4f60a9a83b1a1796a35af496ad15214f91e992ac631675933981d3f3c27665f131a8506f301d1da75a13abcc9076267eef496a6

Download Submit
C:\DRIVERS\WIN\ME\20220311.16244040\MEInfoWin64.exe
Filesize
2.2MB

MD5
33a03b105494fefceb9822adacb280b6

SHA1
8d44c5ea16ee6ab00d6530afb89d34d5bc22f705

SHA256
63989958c18265078f585bdbdb3d3b99765ec61ac7e3aa576883d97db3d35257

SHA512
42a8591166fdf21cab13d11c87a68a0a16829de143814347deb55b24dbaa03409f74a1f837e04aa8ce9ab568c89d009d88f124e76416f39d8d5ebd1843fb12c8

Download Submit
C:\DRIVERS\WIN\ME\20220311.16244040\MEInfoWin64.exe
Filesize
2.2MB

MD5
33a03b105494fefceb9822adacb280b6

SHA1
8d44c5ea16ee6ab00d6530afb89d34d5bc22f705

SHA256
63989958c18265078f585bdbdb3d3b99765ec61ac7e3aa576883d97db3d35257

SHA512
42a8591166fdf21cab13d11c87a68a0a16829de143814347deb55b24dbaa03409f74a1f837e04aa8ce9ab568c89d009d88f124e76416f39d8d5ebd1843fb12c8

Download Submit
C:\Windows\TempInst\is-J5CAM.tmp\2da0f43e59c603b946f4e03c2cd44ad85de9e8df9b3d0cc8af166edcb5ba057b.tmp
Filesize
2.8MB

MD5
5874ed6c6fdc30e613302986486f606f

SHA1
5347de369a045ba5c8e3bedc3a87a370cf2cff7b

SHA256
5afa900bdf179f05d50930e2a299cfffccec93d2a3dfb4e203910c2dddbeb846

SHA512
adfdabf349b8aef5b55526a564ac1352c44cec2121a075c8d24fb5a4971383dd0a04ad83b47a0979c322a458dc75e0fac35b25a7309fb12df1ade33db012a6b5

Download Submit
memory/888-145-0x0000000000000000-mapping.dmp

Download
memory/1628-140-0x0000000000000000-mapping.dmp

Download
memory/1944-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1944-157-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1944-132-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1944-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2092-138-0x0000000000000000-mapping.dmp

Download
memory/2196-134-0x0000000000000000-mapping.dmp

Download
memory/3364-142-0x0000000000000000-mapping.dmp

Download
memory/3524-143-0x0000000000000000-mapping.dmp

Download
memory/3976-139-0x0000000000000000-mapping.dmp

Download
memory/4348-144-0x0000000000000000-mapping.dmp

Download
memory/4364-154-0x0000000000000000-mapping.dmp

Download
memory/4940-150-0x0000000005030000-0x00000000055D4000-memory.dmp

Filesize
5.6MB

Download
memory/4940-151-0x0000000004A80000-0x0000000004B12000-memory.dmp

Filesize
584KB

Download
memory/4940-152-0x0000000004A30000-0x0000000004A3A000-memory.dmp

Filesize
40KB

Download
memory/4940-149-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/4940-146-0x0000000000000000-mapping.dmp

Download
memory/4960-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads