Analysis
- max time kernel: 42s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 18:32
Static task
static1
Behavioral task
behavioral1
Sample
be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
Resource
win7-20220812-en
General
- Target: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
- Size: 102KB
- MD5: b9c7ff14fb297f70fbda656a683b5dff
- SHA1: 27704707d62f0a724172af81b62a6f86e100864e
- SHA256: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f
- SHA512: 33c81959b0c128c6752008dd6dcf4b519bbd5ec2a95ab4dd9c74c563d49019106af23159d9f4779eae58c37fc868419e093fa28d22ec76c774fb9bc555adc4cb
- SSDEEP: 1536:9y/OQ+2BHdzvGlQ1n2GR7klU9ByNLOP2HmZXwVl0wHCJK9f:9qH+2LDzn2S7kIByNiYmZXwBiu
Malware Config
Signatures
-
Possible privilege escalation attempt (2 IoCs)
  pid   Process
  1484  takeown.exe
  864   icacls.exe
-
Deletes itself (1 IoC)
  pid   Process
  804   regsvr32.exe
-
Loads dropped DLL (1 IoC)
  pid   Process
  804   regsvr32.exe
-
Modifies file permissions (1 TTP, 2 IoCs)
  pid   Process
  1484  takeown.exe
  864   icacls.exe
-
Drops file in System32 directory (3 IoCs)
  description                   ioc                            Process
  File opened for modification  C:\Windows\SysWOW64\apa.dll    regsvr32.exe
  File created                  C:\Windows\SysWOW64\rpcss.dll  regsvr32.exe
  File opened for modification  C:\Windows\SysWOW64\rpcss.dll  regsvr32.exe
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  804   regsvr32.exe
  804   regsvr32.exe
  804   regsvr32.exe
  804   regsvr32.exe
  804   regsvr32.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                      pid   Process
  Token: SeDebugPrivilege          804   regsvr32.exe
  Token: SeTakeOwnershipPrivilege  1484  takeown.exe
-
Suspicious use of WriteProcessMemory (37 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 1280 wrote to memory of 804   1280  be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe  28
  PID 1280 wrote to memory of 804   1280  be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe  28
  PID 1280 wrote to memory of 804   1280  be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe  28
  PID 1280 wrote to memory of 804   1280  be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe  28
  PID 1280 wrote to memory of 804   1280  be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe  28
  PID 1280 wrote to memory of 804   1280  be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe  28
  PID 1280 wrote to memory of 804   1280  be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe  28
  PID 804 wrote to memory of 1484   804   regsvr32.exe                                                            29
  PID 804 wrote to memory of 1484   804   regsvr32.exe                                                            29
  PID 804 wrote to memory of 1484   804   regsvr32.exe                                                            29
  PID 804 wrote to memory of 1484   804   regsvr32.exe                                                            29
  PID 804 wrote to memory of 864    804   regsvr32.exe                                                            31
  PID 804 wrote to memory of 864    804   regsvr32.exe                                                            31
  PID 804 wrote to memory of 864    804   regsvr32.exe                                                            31
  PID 804 wrote to memory of 864    804   regsvr32.exe                                                            31
  PID 804 wrote to memory of 596    804   regsvr32.exe                                                            26
  PID 804 wrote to memory of 596    804   regsvr32.exe                                                            26
  PID 804 wrote to memory of 672    804   regsvr32.exe                                                            25
  PID 804 wrote to memory of 672    804   regsvr32.exe                                                            25
  PID 804 wrote to memory of 756    804   regsvr32.exe                                                            24
  PID 804 wrote to memory of 756    804   regsvr32.exe                                                            24
  PID 804 wrote to memory of 820    804   regsvr32.exe                                                            23
  PID 804 wrote to memory of 820    804   regsvr32.exe                                                            23
  PID 804 wrote to memory of 856    804   regsvr32.exe                                                            22
  PID 804 wrote to memory of 856    804   regsvr32.exe                                                            22
  PID 804 wrote to memory of 892    804   regsvr32.exe                                                            21
  PID 804 wrote to memory of 892    804   regsvr32.exe                                                            21
  PID 804 wrote to memory of 336    804   regsvr32.exe                                                            20
  PID 804 wrote to memory of 336    804   regsvr32.exe                                                            20
  PID 804 wrote to memory of 1036   804   regsvr32.exe                                                            9
  PID 804 wrote to memory of 1036   804   regsvr32.exe                                                            9
  PID 804 wrote to memory of 1112   804   regsvr32.exe                                                            14
  PID 804 wrote to memory of 1112   804   regsvr32.exe                                                            14
  PID 804 wrote to memory of 1056   804   regsvr32.exe                                                            33
  PID 804 wrote to memory of 1056   804   regsvr32.exe                                                            33
  PID 804 wrote to memory of 1056   804   regsvr32.exe                                                            33
  PID 804 wrote to memory of 1056   804   regsvr32.exe                                                            33
Processes
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  1⤵ PID:1036
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  1⤵ PID:1112
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  1⤵ PID:336
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  1⤵ PID:892
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  1⤵ PID:856
-
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  1⤵ PID:820
-
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  1⤵ PID:756
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  1⤵ PID:672
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  1⤵ PID:596
-
C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
  "C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe"
  1⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
  -
  C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\6be580~.tmp ,C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
    2⤵
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:804
    -
    C:\Windows\SysWOW64\takeown.exe
      takeown /f "C:\Windows\system32\rpcss.dll"
      3⤵
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID:1484
    -
    C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      3⤵
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID:864
    -
    C:\Windows\SysWOW64\cmd.exe
      cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
      3⤵ PID:1056
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 960KB
MD5: 848b19a65ebd0063ac098e7bb37c0641
SHA1: e45f52e30f87d1506a6ea6b611ae244d0326686f
SHA256: 4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058
SHA512: 88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f
-
Filesize: 960KB
MD5: 848b19a65ebd0063ac098e7bb37c0641
SHA1: e45f52e30f87d1506a6ea6b611ae244d0326686f
SHA256: 4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058
SHA512: 88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f