3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d

General

Target

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
Size

326KB
MD5

a59664f37c25edaa69c39a65490ed3a9
SHA1

01bb46541bc678fe9d97cea31cb61f3db861ba68
SHA256

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d
SHA512

76ba5fea9e63bf091ac2f2234447ad48c93b1b21594fd2c737d24073efc2871265c83622364764c886769d579c727784c045d3d4b2fc0a6e778dc30e64f1f393
SSDEEP

6144:Rj8KWXflIwycVYUcBrcisb765kohreOCSYA/U:+Kkfl3x0BrcdEkoWCc

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

2548 takeown.exe
2584 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2180 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

wmpnetwk.exe

pid process

2476 wmpnetwk.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

2548 takeown.exe
2584 icacls.exe

pid	process
2548	takeown.exe
2584	icacls.exe

pid	process
2180	cmd.exe

pid	process
2476	wmpnetwk.exe

pid	process
2548	takeown.exe
2584	icacls.exe

Drops file in Program Files directory 5 IoCs

Processes:

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe

description	ioc	process
File created	C:\Program Files\Windows Media Player\background.jpg	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File created	C:\Program Files\Windows Media Player\mpsvc.dll	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File created	C:\Program Files\Windows Media Player\wmixedwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
File opened for modification	C:\Program Files\Windows Media Player\wmixedwk.exe	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2296 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 2548 takeown.exe

pid	process
2296	PING.EXE

description	pid	process
Token: SeTakeOwnershipPrivilege	2548	takeown.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.execmd.execmd.exe

description	pid	process	target process
PID 2972 wrote to memory of 2756	2972	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 2972 wrote to memory of 2756	2972	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 2972 wrote to memory of 2756	2972	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 2756 wrote to memory of 2548	2756	cmd.exe	takeown.exe
PID 2756 wrote to memory of 2548	2756	cmd.exe	takeown.exe
PID 2756 wrote to memory of 2548	2756	cmd.exe	takeown.exe
PID 2756 wrote to memory of 2584	2756	cmd.exe	icacls.exe
PID 2756 wrote to memory of 2584	2756	cmd.exe	icacls.exe
PID 2756 wrote to memory of 2584	2756	cmd.exe	icacls.exe
PID 2972 wrote to memory of 2180	2972	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 2972 wrote to memory of 2180	2972	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 2972 wrote to memory of 2180	2972	3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe	cmd.exe
PID 2180 wrote to memory of 2296	2180	cmd.exe	PING.EXE
PID 2180 wrote to memory of 2296	2180	cmd.exe	PING.EXE
PID 2180 wrote to memory of 2296	2180	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe
"C:\Users\Admin\AppData\Local\Temp\3b50fe74f6b83d53efab2ee7e197026977dac17fdd3302c7df454fac19abb12d.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe" && icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\takeown.exe
takeown /f "C:\Program Files\Windows Media Player\wmpnetwk.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\icacls.exe
icacls "C:\Program Files\Windows Media Player\wmpnetwk.exe" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2584

C:\Windows\system32\cmd.exe
cmd /c ""C:\kkxqbh.bat" "
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:2296

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
- Executes dropped EXE
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
23KB

MD5
90b85ffbdeead1be861d59134ea985b0

SHA1
55e9859aa7dba87678e7c529b571fdf6b7181339

SHA256
ed0dc979eed9ab9933c49204d362de575c7112a792633fda75bb5d1dab50a5c2

SHA512
8a1c10bbfe5651ab25bf36f4e8f2f65424c8e1004696c8141498b99ea2fbd7b3e5fae4d2cfee6835f7ff46bd2333602f4d8ac4a0f5b8e9757adb176332a3afce

Download Submit
C:\kkxqbh.bat
Filesize
135B

MD5
213c3f1aa1f2ee05f1c6618d192fffc5

SHA1
a517128a03b995935ff9cce15916ba84250f28b0

SHA256
8d68538bab28f4e7bd4af85a501e13fb228aae17ab8d5c17abceefa94948b607

SHA512
efabf818a1a1efdf4c448dd8fc98f2956866d80d5cc3b05e00561a767628d3cf3d7912782218acc234ec1e752dc3be0150ba87f00039fdd9f4eaa7922ddd01fe

Download Submit
memory/2972-0-0x000000013F16A000-0x000000013F16B000-memory.dmp

Filesize
4KB

Download
memory/2972-3-0x0000000002220000-0x000000000224C000-memory.dmp

Filesize
176KB

Download
memory/2972-5-0x000000013F150000-0x000000013F1A6000-memory.dmp

Filesize
344KB

Download
memory/2972-27-0x0000000002220000-0x000000000224C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing