Analysis
- max time kernel: 24s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 10:44
Static task: static1
Behavioral task: behavioral1
Sample: 14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe
Resource: win7-20220812-en
General
- Target: 14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe
- Size: 108KB
- MD5: c515ac89abcc0c7a8b538bc6e85c0387
- SHA1: 5ff15522ec5f4ff00ddfc4da811dbede8a6bdb5e
- SHA256: 14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b
- SHA512: 7316b4b64102ff3539ea93a9afc7a6c10e9119a151c4064c4cae939dc6ba6dcde6ec9321ff8efefe21bc160c7d26c74ee6a6a55733c237266e28f1d535c81935
- SSDEEP: 1536:o+GXz96Wg+1yMHInTAo/visDXWBiNLk6l2xyQFtVltJQCHCPjZZf7JpU7:onbJanTAo3iOmBiN46syQFtACibVG
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process): 1328 takeown.exe; 1324 icacls.exe
- Deletes itself (1 IoC)
  Processes (pid, process): 956 regsvr32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process): 956 regsvr32.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid, process): 1328 takeown.exe; 1324 icacls.exe
- Drops file in System32 directory (3 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\SysWOW64\rpcss.dll | regsvr32.exe
    File opened for modification | C:\Windows\SysWOW64\rpcss.dll | regsvr32.exe
    File opened for modification | C:\Windows\SysWOW64\apa.dll | regsvr32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process): 956 regsvr32.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 956 | regsvr32.exe
    Token: SeTakeOwnershipPrivilege | 1328 | takeown.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (description | pid | process | target process), identical rows grouped with their count:
    PID 916 wrote to memory of 956 | 916 | 14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe | regsvr32.exe (x7)
    PID 956 wrote to memory of 1328 | 956 | regsvr32.exe | takeown.exe (x4)
    PID 956 wrote to memory of 1324 | 956 | regsvr32.exe | icacls.exe (x4)
    PID 956 wrote to memory of 608 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 684 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 752 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 816 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 844 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 892 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 296 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 1088 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 1820 | 956 | regsvr32.exe | svchost.exe (x2)
    PID 956 wrote to memory of 2028 | 956 | regsvr32.exe | cmd.exe (x4)
Processes (tree depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe"
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\6c3fa0~.tmp ,C:\Users\Admin\AppData\Local\Temp\14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe
    Signatures:
      - Deletes itself
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f "C:\Windows\system32\rpcss.dll"
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      Signatures:
        - Possible privilege escalation attempt
        - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k NetworkService
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k RPCSS
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\6c3fa0~.tmp
  Filesize: 1020KB
  MD5: 1e2d7d66b7fd7c5f2e6f6c78cbc5679c
  SHA1: d18322ed697eb0b939a86660cd357a710197bbeb
  SHA256: 6afc353492a3824993a40b0a7f0de2609e7acdeb908e6841f06082cd2774ca98
  SHA512: 654d9e25913e0079f399aacffcf7d594d12060dd8397bd95017c7866c1e8b144c774945defd1e472e584b7a03de2ab8d104bd2f7c03fa67e910565043f6d94ae
- \Users\Admin\AppData\Local\Temp\6c3fa0~.tmp
  Filesize: 1020KB
  MD5: 1e2d7d66b7fd7c5f2e6f6c78cbc5679c
  SHA1: d18322ed697eb0b939a86660cd357a710197bbeb
  SHA256: 6afc353492a3824993a40b0a7f0de2609e7acdeb908e6841f06082cd2774ca98
  SHA512: 654d9e25913e0079f399aacffcf7d594d12060dd8397bd95017c7866c1e8b144c774945defd1e472e584b7a03de2ab8d104bd2f7c03fa67e910565043f6d94ae
- memory/916-54-0x0000000076091000-0x0000000076093000-memory.dmp
  Filesize: 8KB
- memory/956-55-0x0000000000000000-mapping.dmp
- memory/1324-60-0x0000000000000000-mapping.dmp
- memory/1328-59-0x0000000000000000-mapping.dmp
- memory/2028-70-0x0000000000000000-mapping.dmp