14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b

General

Target

14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe
Size

108KB
MD5

c515ac89abcc0c7a8b538bc6e85c0387
SHA1

5ff15522ec5f4ff00ddfc4da811dbede8a6bdb5e
SHA256

14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b
SHA512

7316b4b64102ff3539ea93a9afc7a6c10e9119a151c4064c4cae939dc6ba6dcde6ec9321ff8efefe21bc160c7d26c74ee6a6a55733c237266e28f1d535c81935
SSDEEP

1536:o+GXz96Wg+1yMHInTAo/visDXWBiNLk6l2xyQFtVltJQCHCPjZZf7JpU7:onbJanTAo3iOmBiN46syQFtACibVG

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1328 takeown.exe
1324 icacls.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

956 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

956 regsvr32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1328 takeown.exe
1324 icacls.exe

pid	process
1328	takeown.exe
1324	icacls.exe

pid	process
956	regsvr32.exe

pid	process
956	regsvr32.exe

pid	process
1328	takeown.exe
1324	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

regsvr32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exe

pid process

956 regsvr32.exe
956 regsvr32.exe
956 regsvr32.exe
956 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

regsvr32.exetakeown.exe

description pid process

Token: SeDebugPrivilege 956 regsvr32.exe
Token: SeTakeOwnershipPrivilege 1328 takeown.exe

pid	process
956	regsvr32.exe
956	regsvr32.exe
956	regsvr32.exe
956	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	956	regsvr32.exe
Token: SeTakeOwnershipPrivilege	1328	takeown.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exeregsvr32.exe

description	pid	process	target process
PID 916 wrote to memory of 956	916	14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe	regsvr32.exe
PID 916 wrote to memory of 956	916	14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe	regsvr32.exe
PID 916 wrote to memory of 956	916	14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe	regsvr32.exe
PID 916 wrote to memory of 956	916	14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe	regsvr32.exe
PID 916 wrote to memory of 956	916	14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe	regsvr32.exe
PID 916 wrote to memory of 956	916	14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe	regsvr32.exe
PID 916 wrote to memory of 956	916	14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe	regsvr32.exe
PID 956 wrote to memory of 1328	956	regsvr32.exe	takeown.exe
PID 956 wrote to memory of 1328	956	regsvr32.exe	takeown.exe
PID 956 wrote to memory of 1328	956	regsvr32.exe	takeown.exe
PID 956 wrote to memory of 1328	956	regsvr32.exe	takeown.exe
PID 956 wrote to memory of 1324	956	regsvr32.exe	icacls.exe
PID 956 wrote to memory of 1324	956	regsvr32.exe	icacls.exe
PID 956 wrote to memory of 1324	956	regsvr32.exe	icacls.exe
PID 956 wrote to memory of 1324	956	regsvr32.exe	icacls.exe
PID 956 wrote to memory of 608	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 608	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 684	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 684	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 752	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 752	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 816	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 816	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 844	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 844	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 892	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 892	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 296	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 296	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 1088	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 1088	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 1820	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 1820	956	regsvr32.exe	svchost.exe
PID 956 wrote to memory of 2028	956	regsvr32.exe	cmd.exe
PID 956 wrote to memory of 2028	956	regsvr32.exe	cmd.exe
PID 956 wrote to memory of 2028	956	regsvr32.exe	cmd.exe
PID 956 wrote to memory of 2028	956	regsvr32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe
"C:\Users\Admin\AppData\Local\Temp\14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\6c3fa0~.tmp ,C:\Users\Admin\AppData\Local\Temp\14435ba7a2f0015db21b2736c3b7ad137835611ff8eaea29b105d036dadff88b.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
3⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:608

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6c3fa0~.tmp
Filesize
1020KB

MD5
1e2d7d66b7fd7c5f2e6f6c78cbc5679c

SHA1
d18322ed697eb0b939a86660cd357a710197bbeb

SHA256
6afc353492a3824993a40b0a7f0de2609e7acdeb908e6841f06082cd2774ca98

SHA512
654d9e25913e0079f399aacffcf7d594d12060dd8397bd95017c7866c1e8b144c774945defd1e472e584b7a03de2ab8d104bd2f7c03fa67e910565043f6d94ae

Download Submit
\Users\Admin\AppData\Local\Temp\6c3fa0~.tmp
Filesize
1020KB

MD5
1e2d7d66b7fd7c5f2e6f6c78cbc5679c

SHA1
d18322ed697eb0b939a86660cd357a710197bbeb

SHA256
6afc353492a3824993a40b0a7f0de2609e7acdeb908e6841f06082cd2774ca98

SHA512
654d9e25913e0079f399aacffcf7d594d12060dd8397bd95017c7866c1e8b144c774945defd1e472e584b7a03de2ab8d104bd2f7c03fa67e910565043f6d94ae

Download Submit
memory/916-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/956-55-0x0000000000000000-mapping.dmp

Download
memory/1324-60-0x0000000000000000-mapping.dmp

Download
memory/1328-59-0x0000000000000000-mapping.dmp

Download
memory/2028-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing