fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370

General

Target

fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
Size

24KB
MD5

284dccd7574ce63fdbbb5d8b3204bb6b
SHA1

cb7fefae68a90edc9051a7392ffef185fa304932
SHA256

fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370
SHA512

16ce6fdd285805b7c011dfcc4b119b4fbf000b6f80c22cb112558499105c19b9f95c04744f72255ada0a583263bb0e341b9224e152c019e2e5e95999904e6955
SSDEEP

384:olBy/jZ+wOu1hhoz5nAoQKnnd1adMTqPobFlYM2hakiKf6siRbXLaQDHOH0pU2hs:oa/tjKzauTwobFu/iKel6z

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1296 takeown.exe
1096 icacls.exe
1640 takeown.exe
4396 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1296 takeown.exe
1096 icacls.exe
1640 takeown.exe
4396 icacls.exe

pid	process
1296	takeown.exe
1096	icacls.exe
1640	takeown.exe
4396	icacls.exe

pid	process
1296	takeown.exe
1096	icacls.exe
1640	takeown.exe
4396	icacls.exe

Drops file in System32 directory 5 IoCs

Processes:

fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
File opened for modification	C:\Windows\SysWOW64\123BDB9.tmp	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
File created	C:\Windows\SysWOW64\sxload.tmp	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
File opened for modification	C:\Windows\SysWOW64\123B58A.tmp	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe

Drops file in Program Files directory 1 IoCs

Processes:

fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxyy.tmp fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

212 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxyy.tmp	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe

pid	process
212	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exetakeown.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
Token: SeTakeOwnershipPrivilege	1296	takeown.exe
Token: SeTakeOwnershipPrivilege	1640	takeown.exe
Token: SeDebugPrivilege	212	taskkill.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe

pid	process
4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.execmd.execmd.exe

description	pid	process	target process
PID 4880 wrote to memory of 4140	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe
PID 4880 wrote to memory of 4140	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe
PID 4880 wrote to memory of 4140	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe
PID 4140 wrote to memory of 1296	4140	cmd.exe	takeown.exe
PID 4140 wrote to memory of 1296	4140	cmd.exe	takeown.exe
PID 4140 wrote to memory of 1296	4140	cmd.exe	takeown.exe
PID 4140 wrote to memory of 1096	4140	cmd.exe	icacls.exe
PID 4140 wrote to memory of 1096	4140	cmd.exe	icacls.exe
PID 4140 wrote to memory of 1096	4140	cmd.exe	icacls.exe
PID 4880 wrote to memory of 4756	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe
PID 4880 wrote to memory of 4756	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe
PID 4880 wrote to memory of 4756	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe
PID 4756 wrote to memory of 1640	4756	cmd.exe	takeown.exe
PID 4756 wrote to memory of 1640	4756	cmd.exe	takeown.exe
PID 4756 wrote to memory of 1640	4756	cmd.exe	takeown.exe
PID 4756 wrote to memory of 4396	4756	cmd.exe	icacls.exe
PID 4756 wrote to memory of 4396	4756	cmd.exe	icacls.exe
PID 4756 wrote to memory of 4396	4756	cmd.exe	icacls.exe
PID 4880 wrote to memory of 212	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	taskkill.exe
PID 4880 wrote to memory of 212	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	taskkill.exe
PID 4880 wrote to memory of 212	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	taskkill.exe
PID 4880 wrote to memory of 1028	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe
PID 4880 wrote to memory of 1028	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe
PID 4880 wrote to memory of 1028	4880	fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe
"C:\Users\Admin\AppData\Local\Temp\fd0c65078b927aad612efd58dfbaa09017677349997f66abf1d39e67e5ae3370.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:4140

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rasadhlp.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1096

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\midimap.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4396

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "yy.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
f5392f065d83c6215708f4b59e16ef69

SHA1
e4e451ee35970240dbef1bc14418f63e31336aa0

SHA256
26e9d8f7227b9c7b5cfe88992be156ab2c27cc207b54cbfa28d3f4350890c57b

SHA512
d900d4a6dc062d434986b609b42b41305d123635666f3698aab259c6e820e481c9d8cf562bab66c90e3365ffa0afb8421bf5ae232ef6c24c0d799bef91bae43b

Download Submit
memory/212-138-0x0000000000000000-mapping.dmp

Download
memory/1028-139-0x0000000000000000-mapping.dmp

Download
memory/1096-134-0x0000000000000000-mapping.dmp

Download
memory/1296-133-0x0000000000000000-mapping.dmp

Download
memory/1640-136-0x0000000000000000-mapping.dmp

Download
memory/4140-132-0x0000000000000000-mapping.dmp

Download
memory/4396-137-0x0000000000000000-mapping.dmp

Download
memory/4756-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads