Analysis
- max time kernel: 42s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2022 18:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
- Resource: win7-20220812-en
General
- Target: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
- Size: 102KB
- MD5: b9c7ff14fb297f70fbda656a683b5dff
- SHA1: 27704707d62f0a724172af81b62a6f86e100864e
- SHA256: be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f
- SHA512: 33c81959b0c128c6752008dd6dcf4b519bbd5ec2a95ab4dd9c74c563d49019106af23159d9f4779eae58c37fc868419e093fa28d22ec76c774fb9bc555adc4cb
- SSDEEP: 1536:9y/OQ+2BHdzvGlQ1n2GR7klU9ByNLOP2HmZXwVl0wHCJK9f:9qH+2LDzn2S7kIByNiYmZXwBiu
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 1484), icacls.exe (PID 864)
- Deletes itself (1 IoC)
  Processes: regsvr32.exe (PID 804)
- Loads dropped DLL (1 IoC)
  Processes: regsvr32.exe (PID 804)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 1484), icacls.exe (PID 864)
- Drops file in System32 directory (3 IoCs)
  Process: regsvr32.exe
  - File opened for modification: C:\Windows\SysWOW64\apa.dll
  - File created: C:\Windows\SysWOW64\rpcss.dll
  - File opened for modification: C:\Windows\SysWOW64\rpcss.dll
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: regsvr32.exe (PID 804), 5 occurrences
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, regsvr32.exe (PID 804)
  - Token: SeTakeOwnershipPrivilege, takeown.exe (PID 1484)
- Suspicious use of WriteProcessMemory (37 IoCs)
  - PID 1280 (be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe) wrote to memory of PID 804 (regsvr32.exe): 7 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 1484 (takeown.exe): 4 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 864 (icacls.exe): 4 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 596 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 672 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 756 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 820 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 856 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 892 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 336 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 1036 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 1112 (svchost.exe): 2 occurrences
  - PID 804 (regsvr32.exe) wrote to memory of PID 1056 (cmd.exe): 4 occurrences
Processes
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService
- C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
- C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k RPCSS
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    Command line: "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\6be580~.tmp ,C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
    Signatures:
    - Deletes itself
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (depth 3)
      Command line: takeown /f "C:\Windows\system32\rpcss.dll"
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (depth 3)
      Command line: icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\6be580~.tmp
  Filesize: 960KB
  MD5: 848b19a65ebd0063ac098e7bb37c0641
  SHA1: e45f52e30f87d1506a6ea6b611ae244d0326686f
  SHA256: 4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058
  SHA512: 88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f
- \Users\Admin\AppData\Local\Temp\6be580~.tmp
  Filesize: 960KB
  MD5: 848b19a65ebd0063ac098e7bb37c0641
  SHA1: e45f52e30f87d1506a6ea6b611ae244d0326686f
  SHA256: 4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058
  SHA512: 88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f
- memory/804-55-0x0000000000000000-mapping.dmp
- memory/864-60-0x0000000000000000-mapping.dmp
- memory/1056-70-0x0000000000000000-mapping.dmp
- memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp
  Filesize: 8KB
- memory/1484-59-0x0000000000000000-mapping.dmp