be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f

General

Target

be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
Size

102KB
MD5

b9c7ff14fb297f70fbda656a683b5dff
SHA1

27704707d62f0a724172af81b62a6f86e100864e
SHA256

be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f
SHA512

33c81959b0c128c6752008dd6dcf4b519bbd5ec2a95ab4dd9c74c563d49019106af23159d9f4779eae58c37fc868419e093fa28d22ec76c774fb9bc555adc4cb
SSDEEP

1536:9y/OQ+2BHdzvGlQ1n2GR7klU9ByNLOP2HmZXwVl0wHCJK9f:9qH+2LDzn2S7kIByNiYmZXwBiu

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1484 takeown.exe
864 icacls.exe
Deletes itself 1 IoCs

Processes:

regsvr32.exe

pid process

804 regsvr32.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

804 regsvr32.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1484 takeown.exe
864 icacls.exe

pid	process
1484	takeown.exe
864	icacls.exe

pid	process
804	regsvr32.exe

pid	process
804	regsvr32.exe

pid	process
1484	takeown.exe
864	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\apa.dll	regsvr32.exe
File created	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe
File opened for modification	C:\Windows\SysWOW64\rpcss.dll	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

regsvr32.exe

pid process

804 regsvr32.exe
804 regsvr32.exe
804 regsvr32.exe
804 regsvr32.exe
804 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

regsvr32.exetakeown.exe

description pid process

Token: SeDebugPrivilege 804 regsvr32.exe
Token: SeTakeOwnershipPrivilege 1484 takeown.exe

pid	process
804	regsvr32.exe
804	regsvr32.exe
804	regsvr32.exe
804	regsvr32.exe
804	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	804	regsvr32.exe
Token: SeTakeOwnershipPrivilege	1484	takeown.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exeregsvr32.exe

description	pid	process	target process
PID 1280 wrote to memory of 804	1280	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 1280 wrote to memory of 804	1280	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 1280 wrote to memory of 804	1280	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 1280 wrote to memory of 804	1280	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 1280 wrote to memory of 804	1280	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 1280 wrote to memory of 804	1280	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 1280 wrote to memory of 804	1280	be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe	regsvr32.exe
PID 804 wrote to memory of 1484	804	regsvr32.exe	takeown.exe
PID 804 wrote to memory of 1484	804	regsvr32.exe	takeown.exe
PID 804 wrote to memory of 1484	804	regsvr32.exe	takeown.exe
PID 804 wrote to memory of 1484	804	regsvr32.exe	takeown.exe
PID 804 wrote to memory of 864	804	regsvr32.exe	icacls.exe
PID 804 wrote to memory of 864	804	regsvr32.exe	icacls.exe
PID 804 wrote to memory of 864	804	regsvr32.exe	icacls.exe
PID 804 wrote to memory of 864	804	regsvr32.exe	icacls.exe
PID 804 wrote to memory of 596	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 596	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 672	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 672	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 756	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 756	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 820	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 820	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 856	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 856	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 892	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 892	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 336	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 336	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 1036	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 1036	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 1112	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 1112	804	regsvr32.exe	svchost.exe
PID 804 wrote to memory of 1056	804	regsvr32.exe	cmd.exe
PID 804 wrote to memory of 1056	804	regsvr32.exe	cmd.exe
PID 804 wrote to memory of 1056	804	regsvr32.exe	cmd.exe
PID 804 wrote to memory of 1056	804	regsvr32.exe	cmd.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
"C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\6be580~.tmp ,C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
2⤵
- Deletes itself
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rpcss.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
3⤵
PID:1056

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6be580~.tmp
Filesize
960KB

MD5
848b19a65ebd0063ac098e7bb37c0641

SHA1
e45f52e30f87d1506a6ea6b611ae244d0326686f

SHA256
4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058

SHA512
88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

Download Submit
\Users\Admin\AppData\Local\Temp\6be580~.tmp
Filesize
960KB

MD5
848b19a65ebd0063ac098e7bb37c0641

SHA1
e45f52e30f87d1506a6ea6b611ae244d0326686f

SHA256
4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058

SHA512
88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

Download Submit
memory/804-55-0x0000000000000000-mapping.dmp

Download
memory/864-60-0x0000000000000000-mapping.dmp

Download
memory/1056-70-0x0000000000000000-mapping.dmp

Download
memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1484-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing