305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f

General

Target

305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe
Size

110KB
MD5

249b082c5c864e497bc8fe3e122f3fd0
SHA1

244b0104a4541e81d50e871cff7a9e0bc9996662
SHA256

305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f
SHA512

4491758cdd9acbaea2c7567c1b75b981f3c842441e36ab7cf0d92a80a01d68846ccef14e92f07c69affb2204f29bd2fa9fedb8cae04646a4aac9c2d7a0a56573
SSDEEP

1536:3zQMWNQtkYj5Yc19lJnS5dByNLcM2qihl9VlCAhHCtRKPq2:36ut+c1XJSHByN4kihl99hit

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

936 takeown.exe
1208 icacls.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

884 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

884 regsvr32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

936 takeown.exe
1208 icacls.exe

pid	process
936	takeown.exe
1208	icacls.exe

pid	process
884	regsvr32.exe

pid	process
884	regsvr32.exe

pid	process
936	takeown.exe
1208	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exe

pid process

884 regsvr32.exe
884 regsvr32.exe
884 regsvr32.exe
884 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

regsvr32.exetakeown.exe

description pid process

Token: SeDebugPrivilege 884 regsvr32.exe
Token: SeTakeOwnershipPrivilege 936 takeown.exe

pid	process
884	regsvr32.exe
884	regsvr32.exe
884	regsvr32.exe
884	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	884	regsvr32.exe
Token: SeTakeOwnershipPrivilege	936	takeown.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exeregsvr32.exe

description	pid	process	target process
PID 2036 wrote to memory of 884	2036	305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe	regsvr32.exe
PID 2036 wrote to memory of 884	2036	305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe	regsvr32.exe
PID 2036 wrote to memory of 884	2036	305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe	regsvr32.exe
PID 2036 wrote to memory of 884	2036	305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe	regsvr32.exe
PID 2036 wrote to memory of 884	2036	305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe	regsvr32.exe
PID 2036 wrote to memory of 884	2036	305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe	regsvr32.exe
PID 2036 wrote to memory of 884	2036	305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe	regsvr32.exe
PID 884 wrote to memory of 936	884	regsvr32.exe	takeown.exe
PID 884 wrote to memory of 936	884	regsvr32.exe	takeown.exe
PID 884 wrote to memory of 936	884	regsvr32.exe	takeown.exe
PID 884 wrote to memory of 936	884	regsvr32.exe	takeown.exe
PID 884 wrote to memory of 1208	884	regsvr32.exe	icacls.exe
PID 884 wrote to memory of 1208	884	regsvr32.exe	icacls.exe
PID 884 wrote to memory of 1208	884	regsvr32.exe	icacls.exe
PID 884 wrote to memory of 1208	884	regsvr32.exe	icacls.exe
PID 884 wrote to memory of 576	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 576	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 652	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 652	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 740	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 740	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 792	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 792	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 832	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 832	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 864	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 864	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 240	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 240	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 1060	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 1060	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 1656	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 1656	884	regsvr32.exe	svchost.exe
PID 884 wrote to memory of 2024	884	regsvr32.exe	cmd.exe
PID 884 wrote to memory of 2024	884	regsvr32.exe	cmd.exe
PID 884 wrote to memory of 2024	884	regsvr32.exe	cmd.exe
PID 884 wrote to memory of 2024	884	regsvr32.exe	cmd.exe

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe
"C:\Users\Admin\AppData\Local\Temp\305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~6bf3b2.tmp ,C:\Users\Admin\AppData\Local\Temp\305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
3⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~~6bf3b2.tmp
Filesize
1.0MB

MD5
01ed454808d06a81bc746c0aa4354560

SHA1
9881537d9a6d511325a589aa0497a56bd0ae5014

SHA256
240ad1bfeefb2eec41abf5d011c74cd076b5fc5a2ef7d36b8f75190c74567626

SHA512
711ed348bd54a9fb7f9e0407c6f3609de44ab3ad96c13574cffbe45f1865bd9f6de2cfda3d5fca9f21421c6e396bab5eb86eb939b8226cfe8fa6adb0d43400c3

Download Submit
\Users\Admin\AppData\Local\Temp\~~6bf3b2.tmp
Filesize
1.0MB

MD5
01ed454808d06a81bc746c0aa4354560

SHA1
9881537d9a6d511325a589aa0497a56bd0ae5014

SHA256
240ad1bfeefb2eec41abf5d011c74cd076b5fc5a2ef7d36b8f75190c74567626

SHA512
711ed348bd54a9fb7f9e0407c6f3609de44ab3ad96c13574cffbe45f1865bd9f6de2cfda3d5fca9f21421c6e396bab5eb86eb939b8226cfe8fa6adb0d43400c3

Download Submit
memory/884-55-0x0000000000000000-mapping.dmp

Download
memory/936-59-0x0000000000000000-mapping.dmp

Download
memory/1208-60-0x0000000000000000-mapping.dmp

Download
memory/2024-70-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing