Analysis

  max time kernel:   40s
  max time network:  45s
  platform:          windows7_x64
  resource:          win7-20220812-en
  resource tags:     arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted:         29-11-2022 10:01

Static task:      static1
Behavioral task:  behavioral1
  Sample:    305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe
  Resource:  win7-20220812-en
General

  Target:  305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe
  Size:    110KB
  MD5:     249b082c5c864e497bc8fe3e122f3fd0
  SHA1:    244b0104a4541e81d50e871cff7a9e0bc9996662
  SHA256:  305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f
  SHA512:  4491758cdd9acbaea2c7567c1b75b981f3c842441e36ab7cf0d92a80a01d68846ccef14e92f07c69affb2204f29bd2fa9fedb8cae04646a4aac9c2d7a0a56573
  SSDEEP:  1536:3zQMWNQtkYj5Yc19lJnS5dByNLcM2qihl9VlCAhHCtRKPq2:36ut+c1XJSHByN4kihl99hit
Malware Config

Signatures

- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid   process
    936   takeown.exe
    1208  icacls.exe

- Deletes itself (1 IoC)
  Processes: regsvr32.exe
    pid   process
    884   regsvr32.exe

- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe
    pid   process
    884   regsvr32.exe

- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid   process
    936   takeown.exe
    1208  icacls.exe

- Drops file in System32 directory (3 IoCs)
  Processes: regsvr32.exe
    description                   ioc                                 process
    File opened for modification  C:\Windows\SysWOW64\apa.dll         regsvr32.exe
    File created                  C:\Windows\SysWOW64\rpcss.dll       regsvr32.exe
    File opened for modification  C:\Windows\SysWOW64\rpcss.dll       regsvr32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: regsvr32.exe
    pid   process
    884   regsvr32.exe  (4 occurrences)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: regsvr32.exe, takeown.exe
    description                      pid   process
    Token: SeDebugPrivilege          884   regsvr32.exe
    Token: SeTakeOwnershipPrivilege  936   takeown.exe

- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: 305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe, regsvr32.exe
    pid   process                                                                   target pid  target process  count
    2036  305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe     884         regsvr32.exe    7
    884   regsvr32.exe                                                              936         takeown.exe     4
    884   regsvr32.exe                                                              1208        icacls.exe      4
    884   regsvr32.exe                                                              576         svchost.exe     2
    884   regsvr32.exe                                                              652         svchost.exe     2
    884   regsvr32.exe                                                              740         svchost.exe     2
    884   regsvr32.exe                                                              792         svchost.exe     2
    884   regsvr32.exe                                                              832         svchost.exe     2
    884   regsvr32.exe                                                              864         svchost.exe     2
    884   regsvr32.exe                                                              240         svchost.exe     2
    884   regsvr32.exe                                                              1060        svchost.exe     2
    884   regsvr32.exe                                                              1656        svchost.exe     2
    884   regsvr32.exe                                                              2024        cmd.exe         4
Processes

- C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

- C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

- C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

- C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService

- C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs

- C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService

- C:\Users\Admin\AppData\Local\Temp\305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe
    "C:\Users\Admin\AppData\Local\Temp\305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe"
    Signatures: Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\~~6bf3b2.tmp ,C:\Users\Admin\AppData\Local\Temp\305b2adb1f996316ce4493c724151d23ad1419b13ca0594c931bd64769f2004f.exe
      Signatures: Deletes itself; Loads dropped DLL; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\takeown.exe
        takeown /f "C:\Windows\system32\rpcss.dll"
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\icacls.exe
        icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
        Signatures: Possible privilege escalation attempt; Modifies file permissions

    - C:\Windows\SysWOW64\cmd.exe
        cmd /c del %%SystemRoot%%\system32\rpcss.dll~*

- C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

- C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS

- C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
Downloads

- C:\Users\Admin\AppData\Local\Temp\~~6bf3b2.tmp
  (the same file is also listed as \Users\Admin\AppData\Local\Temp\~~6bf3b2.tmp)
    Filesize:  1.0MB
    MD5:       01ed454808d06a81bc746c0aa4354560
    SHA1:      9881537d9a6d511325a589aa0497a56bd0ae5014
    SHA256:    240ad1bfeefb2eec41abf5d011c74cd076b5fc5a2ef7d36b8f75190c74567626
    SHA512:    711ed348bd54a9fb7f9e0407c6f3609de44ab3ad96c13574cffbe45f1865bd9f6de2cfda3d5fca9f21421c6e396bab5eb86eb939b8226cfe8fa6adb0d43400c3

- memory/884-55-0x0000000000000000-mapping.dmp

- memory/936-59-0x0000000000000000-mapping.dmp

- memory/1208-60-0x0000000000000000-mapping.dmp

- memory/2024-70-0x0000000000000000-mapping.dmp

- memory/2036-54-0x0000000075521000-0x0000000075523000-memory.dmp
    Filesize:  8KB