4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35

General

Target

4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
Size

31KB
MD5

0cd7d4b890893d0b1b43f9372c9679d0
SHA1

98ef16fc4599f6866797041f8b72fdd700321942
SHA256

4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35
SHA512

eb2ef8dcba3a6902acd789484545f9bd479c211b6b3fcf94fd0e7c910d34b112197ebdd6069295e2420a99389371891d2f8335ef8692f5fec4ca55534b3c1608
SSDEEP

768:0gce/Rjlf92wjfGrHci9R3T4q7SH/Ep/OFvTUhHRp3hYypy1:wOXf9T6Dh/3WhWDU1

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3016 takeown.exe
4524 icacls.exe
4564 takeown.exe
4852 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3016 takeown.exe
4524 icacls.exe
4564 takeown.exe
4852 icacls.exe

pid	process
3016	takeown.exe
4524	icacls.exe
4564	takeown.exe
4852	icacls.exe

pid	process
3016	takeown.exe
4524	icacls.exe
4564	takeown.exe
4852	icacls.exe

Drops file in System32 directory 5 IoCs

Processes:

4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\123C904.tmp	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
File created	C:\Windows\SysWOW64\sxload.tmp	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
File opened for modification	C:\Windows\SysWOW64\123BFDB.tmp	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe

Drops file in Program Files directory 1 IoCs

Processes:

4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxwd.tmp 4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4808 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxwd.tmp	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe

pid	process
4808	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exetakeown.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeTakeOwnershipPrivilege	4564	takeown.exe
Token: SeDebugPrivilege	4808	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe

pid	process
4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.execmd.execmd.exe

description	pid	process	target process
PID 4716 wrote to memory of 2088	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe
PID 4716 wrote to memory of 2088	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe
PID 4716 wrote to memory of 2088	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe
PID 2088 wrote to memory of 3016	2088	cmd.exe	takeown.exe
PID 2088 wrote to memory of 3016	2088	cmd.exe	takeown.exe
PID 2088 wrote to memory of 3016	2088	cmd.exe	takeown.exe
PID 2088 wrote to memory of 4524	2088	cmd.exe	icacls.exe
PID 2088 wrote to memory of 4524	2088	cmd.exe	icacls.exe
PID 2088 wrote to memory of 4524	2088	cmd.exe	icacls.exe
PID 4716 wrote to memory of 4180	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe
PID 4716 wrote to memory of 4180	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe
PID 4716 wrote to memory of 4180	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe
PID 4180 wrote to memory of 4564	4180	cmd.exe	takeown.exe
PID 4180 wrote to memory of 4564	4180	cmd.exe	takeown.exe
PID 4180 wrote to memory of 4564	4180	cmd.exe	takeown.exe
PID 4180 wrote to memory of 4852	4180	cmd.exe	icacls.exe
PID 4180 wrote to memory of 4852	4180	cmd.exe	icacls.exe
PID 4180 wrote to memory of 4852	4180	cmd.exe	icacls.exe
PID 4716 wrote to memory of 4808	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	taskkill.exe
PID 4716 wrote to memory of 4808	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	taskkill.exe
PID 4716 wrote to memory of 4808	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	taskkill.exe
PID 4716 wrote to memory of 4252	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe
PID 4716 wrote to memory of 4252	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe
PID 4716 wrote to memory of 4252	4716	4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe
"C:\Users\Admin\AppData\Local\Temp\4005d53dddf693ac3c7479de87b44590bcac6bacef09736dcdc0a68c318dcb35.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rasadhlp.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4524

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\midimap.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4852

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "asktao.mod"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
5e287848926f2e1beb153ec6cf88a686

SHA1
e90163c5474c5156388aa3fd7a4f49abbc7e9955

SHA256
429da30ca828e355bfa87e22d34a76eb1cb7b275d251b577953dfd31abb00064

SHA512
a88d21611149992650426b0ba3aa1f86f6f113b0f691ac7f979f85548f479a37fbd54575f2a1ca77c24c2aafee9688f9b924c2e488685970ec9fea4a1edf026c

Download Submit
memory/2088-133-0x0000000000000000-mapping.dmp

Download
memory/3016-134-0x0000000000000000-mapping.dmp

Download
memory/4180-136-0x0000000000000000-mapping.dmp

Download
memory/4252-140-0x0000000000000000-mapping.dmp

Download
memory/4524-135-0x0000000000000000-mapping.dmp

Download
memory/4564-137-0x0000000000000000-mapping.dmp

Download
memory/4808-139-0x0000000000000000-mapping.dmp

Download
memory/4852-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads