Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 18:32

General

  • Target

    be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe

  • Size

    102KB

  • MD5

    b9c7ff14fb297f70fbda656a683b5dff

  • SHA1

    27704707d62f0a724172af81b62a6f86e100864e

  • SHA256

    be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f

  • SHA512

    33c81959b0c128c6752008dd6dcf4b519bbd5ec2a95ab4dd9c74c563d49019106af23159d9f4779eae58c37fc868419e093fa28d22ec76c774fb9bc555adc4cb

  • SSDEEP

    1536:9y/OQ+2BHdzvGlQ1n2GR7klU9ByNLOP2HmZXwVl0wHCJK9f:9qH+2LDzn2S7kIByNiYmZXwBiu

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    1⤵
      PID:1036
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
      1⤵
        PID:1112
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k NetworkService
        1⤵
          PID:336
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs
          1⤵
            PID:892
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalService
            1⤵
              PID:856
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
              1⤵
                PID:820
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                1⤵
                  PID:756
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  1⤵
                    PID:672
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k DcomLaunch
                    1⤵
                      PID:596
                    • C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
                      "C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe"
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1280
                      • C:\Windows\SysWOW64\regsvr32.exe
                        "C:\Windows\system32\regsvr32.exe" /s C:\Users\Admin\AppData\Local\Temp\6be580~.tmp ,C:\Users\Admin\AppData\Local\Temp\be205835208cc31957b8fe226f7bef7a9852d680512bac25538ea15769541f3f.exe
                        2⤵
                        • Deletes itself
                        • Loads dropped DLL
                        • Drops file in System32 directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:804
                        • C:\Windows\SysWOW64\takeown.exe
                          takeown /f "C:\Windows\system32\rpcss.dll"
                          3⤵
                          • Possible privilege escalation attempt
                          • Modifies file permissions
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1484
                        • C:\Windows\SysWOW64\icacls.exe
                          icacls "C:\Windows\system32\rpcss.dll" /grant administrators:F
                          3⤵
                          • Possible privilege escalation attempt
                          • Modifies file permissions
                          PID:864
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c del %%SystemRoot%%\system32\rpcss.dll~*
                          3⤵
                            PID:1056

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\6be580~.tmp

                        Filesize

                        960KB

                        MD5

                        848b19a65ebd0063ac098e7bb37c0641

                        SHA1

                        e45f52e30f87d1506a6ea6b611ae244d0326686f

                        SHA256

                        4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058

                        SHA512

                        88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

                      • \Users\Admin\AppData\Local\Temp\6be580~.tmp

                        Filesize

                        960KB

                        MD5

                        848b19a65ebd0063ac098e7bb37c0641

                        SHA1

                        e45f52e30f87d1506a6ea6b611ae244d0326686f

                        SHA256

                        4419f8ef04e03fdf7c5f7c11b37435dced39f403a2d609c9b039091ddecce058

                        SHA512

                        88671786bb3519ee4f338c48d6fde6394109dc1c074f123e4e1eaca60c7ed2564d098115ba5e58f5903c8504b0642555afeb305c46e72b0c5fffcfee9f73587f

                      • memory/1280-54-0x0000000075811000-0x0000000075813000-memory.dmp

                        Filesize

                        8KB