Analysis

max time kernel: 141s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2022 19:16

Static task: static1
Behavioral task: behavioral1
Sample: 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Resource: win7-20221111-en
General

Target: 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Size: 30KB
MD5: 7f832522934d3034af0fcd529b7e1595
SHA1: 85d3e42a2e1ddca118d572e416c2e5f619ec69f7
SHA256: 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60
SHA512: 3e56c0f98d0c04a9aeed6977ae908d04c19c2b945cfe301b619ddeae93879a8d084a0a6cfcaa5565b51c3e33d9cd4e1b98b74bf2c4ebc93b7c702abf1b1178d0
SSDEEP: 768:WKHHTyxuINi6TqHIZfC917xi3+Meo0Nbw4lUubXkD:WkVkDG0fCnNqluplUkX
Malware Config
Signatures
-
Possible privilege escalation attempt (4 IoCs)
Processes:
  PID 4224  icacls.exe
  PID 1948  takeown.exe
  PID 1500  icacls.exe
  PID 1316  takeown.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  PID 1316  takeown.exe
  PID 4224  icacls.exe
  PID 1948  takeown.exe
  PID 1500  icacls.exe

Drops file in System32 directory (5 IoCs)
Process: 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  File created                  C:\Windows\SysWOW64\sxload.tmp
  File opened for modification  C:\Windows\SysWOW64\1237D06.tmp
  File created                  C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  File opened for modification  C:\Windows\SysWOW64\12386AB.tmp
  File created                  C:\Windows\SysWOW64\dllcache\midimap.dll

Drops file in Program Files directory (1 IoC)
Process: 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  File created                  C:\Program Files (x86)\Common Files\sxlzg.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the rule. No other IoC in this report, neither the file activity nor the process tree, shows encryption of user files, so the ransomware label is unconfirmed for this sample.)
Kills process with taskkill (2 IoCs)
Processes:
  PID 1476  taskkill.exe
  PID 2040  taskkill.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  Token: SeDebugPrivilege          PID 4660  1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  Token: SeTakeOwnershipPrivilege  PID 1948  takeown.exe
  Token: SeTakeOwnershipPrivilege  PID 1316  takeown.exe
  Token: SeDebugPrivilege          PID 1476  taskkill.exe
  Token: SeDebugPrivilege          PID 2040  taskkill.exe

Suspicious use of FindShellTrayWindow (8 IoCs)
Processes:
  PID 4660  1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe (8 occurrences)

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (each source -> target pair is logged three times; all nine pairs are parent-to-child writes that match the process tree below, i.e. the normal process-creation pattern rather than injection into an unrelated process):
  PID 4660 (1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe) wrote to memory of 2828 (cmd.exe)
  PID 2828 (cmd.exe) wrote to memory of 1948 (takeown.exe)
  PID 2828 (cmd.exe) wrote to memory of 1500 (icacls.exe)
  PID 4660 (1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe) wrote to memory of 1800 (cmd.exe)
  PID 1800 (cmd.exe) wrote to memory of 1316 (takeown.exe)
  PID 1800 (cmd.exe) wrote to memory of 4224 (icacls.exe)
  PID 4660 (1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe) wrote to memory of 1476 (taskkill.exe)
  PID 4660 (1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe) wrote to memory of 2040 (taskkill.exe)
  PID 4660 (1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe) wrote to memory of 2068 (cmd.exe)
Processes (nested by parent process)

C:\Users\Admin\AppData\Local\Temp\1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe"
  PID 4660
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
      PID 2828
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f "C:\Windows\system32\rasadhlp.dll"
          PID 1948
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\icacls.exe
          command line: icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
          PID 1500
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
      PID 1800
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f "C:\Windows\system32\midimap.dll"
          PID 1316
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\icacls.exe
          command line: icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
          PID 4224
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im "DragonNest.exe"
      PID 1476
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im "sdologin.exe"
      PID 2040
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c 1.bat
      PID 2068
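The process tree above is the part of this report a detection engineer would turn into rules: a user-land executable spawning cmd.exe to run takeown then icacls ... /grant ...:F against DLLs under system32, taskkill /f /im against named processes, and files dropped into SysWOW64\dllcache with the same names as the takeown targets. The following is an added example, not code from the report or the sandbox: it replays constructed process-creation and file-creation events built from the PIDs, parents, command lines and paths shown above (the sample's own parent PID 1000 is assumed, since the report does not show it), and flags each of those three patterns. The PROTECTED_PREFIXES list is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass

# Directories where a takeown/icacls pair driven from a user-writable path is rarely benign
# (assumed list; extend it for your environment).
PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable (Sysmon event 1 "Image")
    cmdline: str   # command line as logged

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe")
SYS = "C:\\Windows\\SysWOW64\\"

# Constructed from the process tree in this report (same PIDs, parents and command lines).
# Parent PID 1000 for the sample is an assumed launcher; the report does not show it.
EVENTS = [
    ProcEvent(4660, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2828, 4660, SYS + "cmd.exe", 'cmd.exe /c takeown /f "C:\\Windows\\system32\\rasadhlp.dll" '
              '&& icacls "C:\\Windows\\system32\\rasadhlp.dll" /grant administrators:F'),
    ProcEvent(1948, 2828, SYS + "takeown.exe", 'takeown /f "C:\\Windows\\system32\\rasadhlp.dll"'),
    ProcEvent(1500, 2828, SYS + "icacls.exe", 'icacls "C:\\Windows\\system32\\rasadhlp.dll" /grant administrators:F'),
    ProcEvent(1800, 4660, SYS + "cmd.exe", 'cmd.exe /c takeown /f "C:\\Windows\\system32\\midimap.dll" '
              '&& icacls "C:\\Windows\\system32\\midimap.dll" /grant administrators:F'),
    ProcEvent(1316, 1800, SYS + "takeown.exe", 'takeown /f "C:\\Windows\\system32\\midimap.dll"'),
    ProcEvent(4224, 1800, SYS + "icacls.exe", 'icacls "C:\\Windows\\system32\\midimap.dll" /grant administrators:F'),
    ProcEvent(1476, 4660, SYS + "taskkill.exe", 'taskkill /f /im "DragonNest.exe"'),
    ProcEvent(2040, 4660, SYS + "taskkill.exe", 'taskkill /f /im "sdologin.exe"'),
    ProcEvent(2068, 4660, SYS + "cmd.exe", 'C:\\Windows\\system32\\cmd.exe /c 1.bat'),
]

# Constructed from "Drops file in System32 directory" above (all created by PID 4660).
FILES_CREATED = [
    "C:\\Windows\\SysWOW64\\sxload.tmp",
    "C:\\Windows\\SysWOW64\\dllcache\\rasadhlp.dll",
    "C:\\Windows\\SysWOW64\\dllcache\\midimap.dll",
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokens(cmdline):
    """Split a Windows command line, keeping a double-quoted path with spaces as one token."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def _arg_after(toks, switch):
    """Value following a /switch (case-insensitive), or None if absent or last."""
    low = [t.lower() for t in toks]
    i = low.index(switch) if switch in low else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else None

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_ownership_chains(events):
    """(parent pid, target) for each protected file that takeown.exe and then icacls.exe
    (granting :F) touched under the same parent: the exact chain in this report."""
    taken, hits = set(), []
    for e in events:
        toks = tokens(e.cmdline)
        if _basename(e.image) == "takeown.exe":
            target = _arg_after(toks, "/f")
            if target and target.lower().startswith(PROTECTED_PREFIXES):
                taken.add((e.ppid, target.lower()))
        elif _basename(e.image) == "icacls.exe" and len(toks) > 1:
            target = toks[1]
            if re.search(r"/grant\s+\S+:F\b", e.cmdline, re.I) and (e.ppid, target.lower()) in taken:
                hits.append((e.ppid, target))
    return hits

def find_forced_kills(events):
    """Image names passed to taskkill /f /im."""
    kills = []
    for e in events:
        toks = tokens(e.cmdline)
        if _basename(e.image) == "taskkill.exe" and "/f" in [t.lower() for t in toks]:
            img = _arg_after(toks, "/im")
            if img:
                kills.append(img)
    return kills

def staged_copies(chains, files_created):
    """Dropped files sharing a name with a takeown target but living elsewhere, i.e. a
    candidate replacement. The report shows the drop and the ACL change, not an overwrite."""
    by_name = {_basename(f): f for f in files_created}
    return [(t, by_name[_basename(t)]) for _, t in chains
            if _basename(t) in by_name and by_name[_basename(t)].lower() != t.lower()]

if __name__ == "__main__":
    chains = find_ownership_chains(EVENTS)
    for ppid, target in chains:
        print(f"takeown+icacls on {target} via cmd.exe PID {ppid}")
    for target, copy in staged_copies(chains, FILES_CREATED):
        print(f"dropped {copy} has the same name as ACL-weakened {target}")
    for img in find_forced_kills(EVENTS):
        print(f"forced kill of {img}")
```

The chain detector keys on the takeown.exe and icacls.exe child processes, not on the cmd.exe wrapper, so it also fires when the two commands arrive as separate cmd invocations; if your telemetry only records the parent command line (no child events), match the wrapper's command line against the same pair instead. Pairing by parent PID rather than by time keeps an unrelated administrator's icacls from being joined to someone else's takeown.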
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize: 253B
  MD5: b74f188b2d82efe793a3090383a132d3
  SHA1: 03a95e0afcfb9d857dbf9027eed31b3edb88c45e
  SHA256: 37ad1799c78e1153d76d2c9d3e256866649e4e5d33233982f99b72fd77e974ce
  SHA512: af0f8230187d4727a6bb4a177888ea489613e05063befabc68740f5a39bc20fb8e4790317be489fcb7aa5695e5b182c85b88ba20abdb36e599af20b66a1f44fb
-
Memory dumps (one mapping dump per child process, all at base 0x0000000000000000):
  memory/2828-132-0x0000000000000000-mapping.dmp
  memory/1948-133-0x0000000000000000-mapping.dmp
  memory/1500-134-0x0000000000000000-mapping.dmp
  memory/1800-135-0x0000000000000000-mapping.dmp
  memory/1316-136-0x0000000000000000-mapping.dmp
  memory/4224-137-0x0000000000000000-mapping.dmp
  memory/1476-138-0x0000000000000000-mapping.dmp
  memory/2040-139-0x0000000000000000-mapping.dmp
  memory/2068-140-0x0000000000000000-mapping.dmp