Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23-11-2022 19:53

General

  • Target

    4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe

  • Size

    42KB

  • MD5

    444072ec68d9dad8de5f9060c74e3b90

  • SHA1

    f3845470366d4ce52a18492f279e3a89ef25e485

  • SHA256

    4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a

  • SHA512

    52d3f0d91f60a0b28e4035be23d743fedcc233025548d3c063350d8cfb6d57d920377e71561ce0fbdf60cc96ca8d7d449878e68f9d513e5b04701ee9eddfa247

  • SSDEEP

    768:4Hfw7mQfGl0LapVukH8vRQ502qO5tLi9QyDGTUtGRbipTLZgRLSusE3:6g60G2FpQ502HjcGCZgou

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
    "C:\Users\Admin\AppData\Local\Temp\4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Windows\system32\rasadhlp.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4696
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4856
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Windows\system32\midimap.dll"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:8
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "MSango.bin"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:872
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im "MSango.bin"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 1.bat
      2⤵
      PID:4716
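The tree above is a short, highly characteristic sequence: seize ownership of a DLL in System32 with takeown, hand Administrators full control of it with icacls, force-kill a named process, then run a dropped batch file. A clean Windows install never does this to its own binaries, so the pair takeown + icacls on a System32 path under one process tree is worth a detection on its own. The script below is an added example, not part of the sandbox report or its vendor's signatures: it replays that correlation over process-creation events constructed from the tree (PIDs and command lines as reported; the sample's hash name shortened to sample.exe, a benign icacls on a user folder added as a control). The (pid, ppid, image, cmdline) tuple shape is an assumption standing in for whatever your EDR or Sysmon pipeline emits.

```python
"""Flag takeown/icacls tampering with OS binaries in process-creation telemetry.

Added example, not part of the sandbox report. EVENTS is constructed from the
process tree on the page (hypothetical tuple shape: pid, ppid, image, cmdline).
"""
import re
from collections import defaultdict

EVENTS = [
    (2820, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (4632, 2820, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F'),
    (4696, 4632, r"C:\Windows\SysWOW64\takeown.exe", r'takeown /f "C:\Windows\system32\rasadhlp.dll"'),
    (4856, 4632, r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F'),
    (4128, 2820, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F'),
    (3052, 4128, r"C:\Windows\SysWOW64\takeown.exe", r'takeown /f "C:\Windows\system32\midimap.dll"'),
    (8, 4128, r"C:\Windows\SysWOW64\icacls.exe", r'icacls "C:\Windows\system32\midimap.dll" /grant administrators:F'),
    (872, 2820, r"C:\Windows\SysWOW64\taskkill.exe", r'taskkill /f /im "MSango.bin"'),
    (4504, 2820, r"C:\Windows\SysWOW64\taskkill.exe", r'taskkill /f /im "MSango.bin"'),
    (4716, 2820, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c 1.bat'),
    # Constructed benign control: an admin fixing a user folder's ACL must not fire.
    (5000, 1000, r"C:\Windows\System32\icacls.exe", r'icacls "C:\Users\Admin\Documents" /grant Admin:F'),
]

# Ownership or ACL changes to anything under the OS binary directories are the signal.
PROTECTED_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace while keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def arg_after(toks, flag):
    """Value following a flag such as /f or /im (case-insensitive), or '' if absent."""
    low = [t.lower() for t in toks]
    if flag in low and low.index(flag) + 1 < len(toks):
        return toks[low.index(flag) + 1]
    return ""


def classify(event):
    """Return (kind, target) when the event is one of the primitives seen in the tree."""
    _pid, _ppid, image, cmdline = event
    exe = image.rsplit("\\", 1)[-1].lower()
    toks = tokenize(cmdline)
    if exe == "takeown.exe":
        target = arg_after(toks, "/f")
        if PROTECTED_DIR.match(target):
            return "takeown", target.lower()
    elif exe == "icacls.exe" and len(toks) > 1:
        target, grantee = toks[1], arg_after(toks, "/grant")
        # icacls rights look like administrators:F or user:(OI)(CI)F; F is full control.
        full = ":" in grantee and "F" in grantee.rsplit(":", 1)[-1].upper()
        if full and PROTECTED_DIR.match(target):
            return "icacls_full", target.lower()
    elif exe == "taskkill.exe":
        name = arg_after(toks, "/im")
        if name and "/f" in (t.lower() for t in toks):
            return "taskkill", name
    return None


def top_ancestor(pid, parents):
    """Walk ppid links up to the highest process present in the event set."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def detect(events):
    """Correlate takeown + icacls on the same protected file within one process tree."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    steps = defaultdict(dict)  # (tree root, target path) -> {kind: pid}
    alerts = []
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        kind, target = hit
        root = top_ancestor(event[0], parents)
        if kind == "taskkill":
            alerts.append({"severity": "medium", "rule": "forced process kill",
                           "root": root, "pid": event[0], "target": target})
            continue
        steps[(root, target)][kind] = event[0]
        if steps[(root, target)].keys() >= {"takeown", "icacls_full"}:
            alerts.append({"severity": "high",
                           "rule": "ownership seized and full control granted on OS binary",
                           "root": root, "pids": dict(steps[(root, target)]), "target": target})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run against the constructed events it raises two high-severity alerts (rasadhlp.dll and midimap.dll, both rooted at PID 2820) and two medium ones for the taskkill calls, and stays silent on the user-folder icacls. Correlating per tree root rather than per parent matters here: the takeown and icacls children share a cmd.exe parent in this sample, but a variant that spawns them directly from the dropper would still be caught. On a suspect host, the same check by hand is `icacls C:\Windows\System32\rasadhlp.dll` (on a clean Windows 10 install BUILTIN\Administrators holds RX, not F) and `(Get-Acl C:\Windows\System32\rasadhlp.dll).Owner`, which should be NT SERVICE\TrustedInstaller; a loosened ACL or changed owner on a system DLL means it was, or was about to be, replaced, so hash it against a known-good copy before trusting it.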

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\1.bat
    Filesize

    251B

    MD5

    375f11386030bf440c1058b8c43b8efe

    SHA1

    a417c674134155403da4240e487060739a0487a6

    SHA256

    a878487c1e39d76495de1bbdced349fe0e47373628a8969a36210f8f0adf62f8

    SHA512

    623c13cfe74c58e2435063c7bd171a31548a8b49d84789147e87e31198449e804d717f84b69669377d69d67237d44336dc7877e96ef2f08c13c053b8f7809ac7

  • memory/8-137-0x0000000000000000-mapping.dmp
  • memory/872-138-0x0000000000000000-mapping.dmp
  • memory/3052-136-0x0000000000000000-mapping.dmp
  • memory/4128-135-0x0000000000000000-mapping.dmp
  • memory/4504-139-0x0000000000000000-mapping.dmp
  • memory/4632-132-0x0000000000000000-mapping.dmp
  • memory/4696-133-0x0000000000000000-mapping.dmp
  • memory/4716-140-0x0000000000000000-mapping.dmp
  • memory/4856-134-0x0000000000000000-mapping.dmp