Analysis
max time kernel: 33s
max time network: 48s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 17:23
Static task: static1
Behavioral task: behavioral1
Sample: 25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
Resource: win7-20220812-en
General
Target: 25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
Size: 29KB
MD5: c196d786a061ac05f9545dd5824d7a62
SHA1: 99c1bd4c85d1276fd4ddb502e924b0f65a0449a5
SHA256: 25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca
SHA512: dad86eba441ffbd832873fdb24e7631bcba270d5b809ed82b757d9e35a2d6b7cc32965c73ff91efd94c4db08e795117148ebfe917384dd6c8ec28652dcc5acbb
SSDEEP: 384:YzdDhvRpxaD2uq96bcuZr775Lz71oQXDX4CcqhY0IZFk+Sde3nPG3CRJrG8O7kB:iZod+atLzxoaHcqpIkPI+Ui8kkB
Malware Config
Signatures
-
Possible privilege escalation attempt 4 IoCs
Processes:
  pid   process
  820   takeown.exe
  1048  icacls.exe
  1872  takeown.exe
  2004  icacls.exe
-
Deletes itself 1 IoCs
Processes:
  pid  process
  524  cmd.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes:
  pid   process
  1048  icacls.exe
  1872  takeown.exe
  2004  icacls.exe
  820   takeown.exe
-
Drops file in System32 directory 7 IoCs
Processes:
  process (all entries): 25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
  description                   ioc
  File opened for modification  C:\Windows\SysWOW64\1232963.tmp
  File opened for modification  C:\Windows\syswow64\1232963.tmp
  File created                  C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  File opened for modification  C:\Windows\SysWOW64\1233804.tmp
  File opened for modification  C:\Windows\syswow64\1233804.tmp
  File created                  C:\Windows\SysWOW64\dllcache\midimap.dll
  File created                  C:\Windows\SysWOW64\sxload.tmp
-
Drops file in Program Files directory 1 IoCs
Processes:
  description   ioc                                           process
  File created  C:\Program Files (x86)\Common Files\sxzt2.tmp  25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
Processes:
  pid   process
  1560  taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid  process
  856  25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                      pid   process
  Token: SeDebugPrivilege          856   25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
  Token: SeTakeOwnershipPrivilege  820   takeown.exe
  Token: SeDebugPrivilege          1560  taskkill.exe
-
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
  pid  process
  856  25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe  (8 identical entries)
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
  Each row below is recorded 4 times in the report (40 entries total).
  description                         pid   process                                                                target process
  PID 856 wrote to memory of 1104     856   25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe  cmd.exe
  PID 1104 wrote to memory of 936     1104  cmd.exe                                                                cmd.exe
  PID 936 wrote to memory of 820      936   cmd.exe                                                                takeown.exe
  PID 1104 wrote to memory of 1048    1104  cmd.exe                                                                icacls.exe
  PID 856 wrote to memory of 1020     856   25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe  cmd.exe
  PID 1020 wrote to memory of 572     1020  cmd.exe                                                                cmd.exe
  PID 572 wrote to memory of 1872     572   cmd.exe                                                                takeown.exe
  PID 1020 wrote to memory of 2004    1020  cmd.exe                                                                icacls.exe
  PID 856 wrote to memory of 1560     856   25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe  taskkill.exe
  PID 856 wrote to memory of 524      856   25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe  cmd.exe
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 856
  depth 2: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c 2.bat
      - Suspicious use of WriteProcessMemory
      PID: 1104
    depth 3: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c takeown /f "C:\Windows\syswow64"
        - Suspicious use of WriteProcessMemory
        PID: 936
      depth 4: C:\Windows\SysWOW64\takeown.exe
          Command line: takeown /f "C:\Windows\syswow64"
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID: 820
    depth 3: C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Windows\syswow64" /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 1048
  depth 2: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c 2.bat
      - Suspicious use of WriteProcessMemory
      PID: 1020
    depth 3: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c takeown /f "C:\Windows\syswow64"
        - Suspicious use of WriteProcessMemory
        PID: 572
      depth 4: C:\Windows\SysWOW64\takeown.exe
          Command line: takeown /f "C:\Windows\syswow64"
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID: 1872
    depth 3: C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Windows\syswow64" /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 2004
  depth 2: C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "zhengtu2.dat"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 1560
  depth 2: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c 1.bat
      - Deletes itself
      PID: 524
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize  251B
  MD5       f4d20f7a63ccb80d4c980935c0b39b0c
  SHA1      4763f70872c293ce4a4d617de55ebb0ff3ccf7bc
  SHA256    70c13a66b4eeba3f8012cd48d17b98f31b601a4427e55e192be5a783e6bf81e5
  SHA512    c406975c25e9e55004fb73a07cd73a6035ceec0702442a13fd33912266634c5eb8a56ad141065cc75545e533477d4fa4ef3681c300a6d653aac7d64663aa8a8b
-
C:\Users\Admin\AppData\Local\Temp\2.bat
  Filesize  110B
  MD5       521e37256443e6b3f2281f217476bf79
  SHA1      81f0e2b65605f070782cbe241569c6b9a25bb9dc
  SHA256    79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f
  SHA512    23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025
-
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  Filesize  11KB
  MD5       5196a8ad60443db7b57e5c742b545154
  SHA1      9bbd9d8604ccb95b3e753ebac5ce3efb9fa4496c
  SHA256    a03ceab4de64945f89d51da7c49b75e778d947c1ae83d98cdf201e24690ce2ab
  SHA512    810f327859cc5f54ebed93b28dff785513efffc891d0e1829c0f468d7c315d6ba5600a91e18c23b02a5cbf04ba250bd2e40e9cea1d356b190d4e5894b355c4a8
-
C:\Windows\SysWOW64\rasadhlp.dll
  Filesize  11KB
  MD5       5196a8ad60443db7b57e5c742b545154
  SHA1      9bbd9d8604ccb95b3e753ebac5ce3efb9fa4496c
  SHA256    a03ceab4de64945f89d51da7c49b75e778d947c1ae83d98cdf201e24690ce2ab
  SHA512    810f327859cc5f54ebed93b28dff785513efffc891d0e1829c0f468d7c315d6ba5600a91e18c23b02a5cbf04ba250bd2e40e9cea1d356b190d4e5894b355c4a8
-
memory/524-74-0x0000000000000000-mapping.dmp
-
memory/572-65-0x0000000000000000-mapping.dmp
-
memory/820-58-0x0000000000000000-mapping.dmp
-
memory/856-60-0x0000000074C61000-0x0000000074C63000-memory.dmp
  Filesize  8KB
-
memory/856-61-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
  Filesize  8KB
-
memory/856-54-0x0000000075D01000-0x0000000075D03000-memory.dmp
  Filesize  8KB
-
memory/936-57-0x0000000000000000-mapping.dmp
-
memory/1020-63-0x0000000000000000-mapping.dmp
-
memory/1048-59-0x0000000000000000-mapping.dmp
-
memory/1104-55-0x0000000000000000-mapping.dmp
-
memory/1560-73-0x0000000000000000-mapping.dmp
-
memory/1872-66-0x0000000000000000-mapping.dmp
-
memory/2004-67-0x0000000000000000-mapping.dmp