Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
23-11-2022 19:53
Static task
static1
Behavioral task
behavioral1
Sample
4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
Resource
win7-20221111-en
General
-
Target
4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
-
Size
42KB
-
MD5
444072ec68d9dad8de5f9060c74e3b90
-
SHA1
f3845470366d4ce52a18492f279e3a89ef25e485
-
SHA256
4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a
-
SHA512
52d3f0d91f60a0b28e4035be23d743fedcc233025548d3c063350d8cfb6d57d920377e71561ce0fbdf60cc96ca8d7d449878e68f9d513e5b04701ee9eddfa247
-
SSDEEP
768:4Hfw7mQfGl0LapVukH8vRQ502qO5tLi9QyDGTUtGRbipTLZgRLSusE3:6g60G2FpQ502HjcGCZgou
Malware Config
Signatures
-
Possible privilege escalation attempt 4 IoCs
Processes:
pid   process
4696  takeown.exe
4856  icacls.exe
3052  takeown.exe
8     icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes:
pid   process
8     icacls.exe
4696  takeown.exe
4856  icacls.exe
3052  takeown.exe
Drops file in System32 directory 5 IoCs
Processes (process column is 4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe in every row):
description                   ioc
File created                  C:\Windows\SysWOW64\dllcache\midimap.dll
File created                  C:\Windows\SysWOW64\sxload.tmp
File opened for modification  C:\Windows\SysWOW64\1237B02.tmp
File created                  C:\Windows\SysWOW64\dllcache\rasadhlp.dll
File opened for modification  C:\Windows\SysWOW64\12382D3.tmp
Drops file in Program Files directory 1 IoCs
Processes:
description   ioc                                          process
File created  C:\Program Files (x86)\Common Files\sxmsg.tmp  4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 2 IoCs
Processes:
pid   process
4504  taskkill.exe
872   taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
2820  4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
2820  4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description                      pid   process
Token: SeDebugPrivilege          2820  4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
Token: SeTakeOwnershipPrivilege  4696  takeown.exe
Token: SeTakeOwnershipPrivilege  3052  takeown.exe
Token: SeDebugPrivilege          872   taskkill.exe
Token: SeDebugPrivilege          4504  taskkill.exe
Suspicious use of FindShellTrayWindow 8 IoCs
Processes (8 rows, all the same process):
pid   process
2820  4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes (27 rows; every source/target pair below was recorded three times; "sample" = 4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe):
source pid  source process  target pid  target process
2820        sample          4632        cmd.exe
4632        cmd.exe         4696        takeown.exe
4632        cmd.exe         4856        icacls.exe
2820        sample          4128        cmd.exe
4128        cmd.exe         3052        takeown.exe
4128        cmd.exe         8           icacls.exe
2820        sample          872         taskkill.exe
2820        sample          4504        taskkill.exe
2820        sample          4716        cmd.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2820
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
      - Suspicious use of WriteProcessMemory
      PID: 4632
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f "C:\Windows\system32\rasadhlp.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 4696
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 4856
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
      - Suspicious use of WriteProcessMemory
      PID: 4128
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f "C:\Windows\system32\midimap.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
        PID: 3052
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
        PID: 8
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "MSango.bin"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 872
  [2] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "MSango.bin"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      PID: 4504
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c 1.bat
      PID: 4716

The bracketed number is the depth at which the page listed each process. Note that every child image lives under C:\Windows\SysWOW64 although the command lines name C:\Windows\system32: the sample runs as a 32-bit process, so WoW64 file-system redirection sends those paths to SysWOW64, which is consistent with the dropped copies landing in C:\Windows\SysWOW64\dllcache rather than the 64-bit System32.
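The process tree above shows the sample chaining cmd.exe -> takeown -> icacls so that two system DLLs become writable by Administrators before the copies in dllcache appear. The following Python is an added detection example, not code from the sandbox report or from the sample: it reconstructs that chain from process-creation events, pairing each takeown with the icacls grant on the same protected path and walking the parent chain back to the process that drove them. The event records are constructed to mirror the PIDs and command lines in the tree (the benign takeown on a user's Desktop file is an invented control), and the pid/ppid/image/cmdline field names are an assumption that would map onto Sysmon Event ID 1 or Windows 4688 fields in a real pipeline.

```python
"""Reconstruct the takeown -> icacls ownership-hijack chain from process events.

Added example, not code from the sandbox report or the sample. The events are
constructed to mirror the report's process tree plus one benign control; the
field names pid/ppid/image/cmdline are an assumption (Sysmon EID 1 / 4688).
"""
import shlex
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4d10706f71e8f26496452c5009573986d0e7f0d56f86ba9f218fb91233120d7a.exe")
WOW64 = r"C:\Windows\SysWOW64"

# Constructed events modelled on the report's PIDs and command lines (not real telemetry).
EVENTS = [
    {"pid": 2820, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4632, "ppid": 2820, "image": WOW64 + r"\cmd.exe",
     "cmdline": r'cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && '
                r'icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F'},
    {"pid": 4696, "ppid": 4632, "image": WOW64 + r"\takeown.exe",
     "cmdline": r'takeown /f "C:\Windows\system32\rasadhlp.dll"'},
    {"pid": 4856, "ppid": 4632, "image": WOW64 + r"\icacls.exe",
     "cmdline": r'icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F'},
    {"pid": 4128, "ppid": 2820, "image": WOW64 + r"\cmd.exe",
     "cmdline": r'cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && '
                r'icacls "C:\Windows\system32\midimap.dll" /grant administrators:F'},
    {"pid": 3052, "ppid": 4128, "image": WOW64 + r"\takeown.exe",
     "cmdline": r'takeown /f "C:\Windows\system32\midimap.dll"'},
    {"pid": 8, "ppid": 4128, "image": WOW64 + r"\icacls.exe",
     "cmdline": r'icacls "C:\Windows\system32\midimap.dll" /grant administrators:F'},
    {"pid": 872, "ppid": 2820, "image": WOW64 + r"\taskkill.exe",
     "cmdline": r'taskkill /f /im "MSango.bin"'},
    {"pid": 4504, "ppid": 2820, "image": WOW64 + r"\taskkill.exe",
     "cmdline": r'taskkill /f /im "MSango.bin"'},
    # Benign control (constructed): an admin reclaiming a file in their own profile.
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\takeown.exe",
     "cmdline": r'takeown /f "C:\Users\Admin\Desktop\notes.txt"'},
]

# Built-ins the sample chains through; the originator is the first ancestor not in this set.
LOLBINS = {"cmd.exe", "takeown.exe", "icacls.exe"}
# Only a takeown/icacls pair under these trees is worth an alert (lower-case, trailing backslash).
PROTECTED = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _argv(cmdline):
    """Split a Windows command line on whitespace and drop surrounding quotes."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def _basename(image):
    return PureWindowsPath(image).name.lower()


def _origin(pid, by_pid):
    """Walk the parent chain past cmd/takeown/icacls to the process that drove them."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if _basename(ev["image"]) not in LOLBINS:
            return ev
        pid = ev["ppid"]
    return None


def find_ownership_hijacks(events):
    """Pair 'takeown /f X' with 'icacls X /grant' on a protected path under one originator."""
    by_pid = {e["pid"]: e for e in events}
    takeowns, grants = {}, {}
    for ev in events:
        name, argv = _basename(ev["image"]), _argv(ev["cmdline"])
        low = [a.lower() for a in argv]
        if name == "takeown.exe" and "/f" in low and low.index("/f") + 1 < len(argv):
            target = argv[low.index("/f") + 1]
        elif name == "icacls.exe" and len(argv) > 1 and "/grant" in low:
            target = argv[1]
        else:
            continue
        target = target.replace("/", "\\").lower()
        if not target.startswith(PROTECTED):
            continue  # ownership changes inside user profiles are routine admin noise
        origin = _origin(ev["pid"], by_pid)
        key = (target, origin["pid"] if origin else None)
        (takeowns if name == "takeown.exe" else grants)[key] = ev["pid"]
    findings = []
    for target, origin_pid in takeowns.keys() & grants.keys():
        findings.append({
            "target": target,
            "takeown_pid": takeowns[(target, origin_pid)],
            "icacls_pid": grants[(target, origin_pid)],
            "origin_pid": origin_pid,
            "origin_image": by_pid[origin_pid]["image"] if origin_pid in by_pid else None,
        })
    return sorted(findings, key=lambda f: f["target"])


def find_forced_kills(events):
    """Map each image name passed to 'taskkill /f /im' to the PIDs that issued it."""
    kills = defaultdict(list)
    for ev in events:
        if _basename(ev["image"]) != "taskkill.exe":
            continue
        argv = _argv(ev["cmdline"])
        low = [a.lower() for a in argv]
        if "/f" in low and "/im" in low and low.index("/im") + 1 < len(argv):
            kills[argv[low.index("/im") + 1]].append(ev["pid"])
    return dict(kills)


if __name__ == "__main__":
    print(find_ownership_hijacks(EVENTS), find_forced_kills(EVENTS))
```

On the constructed events the detector returns two findings, both attributed to PID 2820: midimap.dll via takeown 3052 / icacls 8 and rasadhlp.dll via takeown 4696 / icacls 4856, while the Desktop takeown is ignored by the path filter. The report's other rows corroborate the same chain: the SeTakeOwnershipPrivilege entries under "Suspicious use of AdjustPrivilegeToken" belong to the two takeown.exe PIDs, and the dllcache drops follow them. On a host where this fires, the follow-up check is to confirm the owner of the two DLLs (under both System32 and SysWOW64) is still NT SERVICE\TrustedInstaller, for example with Get-Acl in PowerShell, and to run sfc /verifyonly so any replaced copy is reported.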
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize 251B
MD5 375f11386030bf440c1058b8c43b8efe
SHA1 a417c674134155403da4240e487060739a0487a6
SHA256 a878487c1e39d76495de1bbdced349fe0e47373628a8969a36210f8f0adf62f8
SHA512 623c13cfe74c58e2435063c7bd171a31548a8b49d84789147e87e31198449e804d717f84b69669377d69d67237d44336dc7877e96ef2f08c13c053b8f7809ac7
-
memory/8-137-0x0000000000000000-mapping.dmp
-
memory/872-138-0x0000000000000000-mapping.dmp
-
memory/3052-136-0x0000000000000000-mapping.dmp
-
memory/4128-135-0x0000000000000000-mapping.dmp
-
memory/4504-139-0x0000000000000000-mapping.dmp
-
memory/4632-132-0x0000000000000000-mapping.dmp
-
memory/4696-133-0x0000000000000000-mapping.dmp
-
memory/4716-140-0x0000000000000000-mapping.dmp
-
memory/4856-134-0x0000000000000000-mapping.dmp