1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60

General

Target

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Size

30KB
MD5

7f832522934d3034af0fcd529b7e1595
SHA1

85d3e42a2e1ddca118d572e416c2e5f619ec69f7
SHA256

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60
SHA512

3e56c0f98d0c04a9aeed6977ae908d04c19c2b945cfe301b619ddeae93879a8d084a0a6cfcaa5565b51c3e33d9cd4e1b98b74bf2c4ebc93b7c702abf1b1178d0
SSDEEP

768:WKHHTyxuINi6TqHIZfC917xi3+Meo0Nbw4lUubXkD:WkVkDG0fCnNqluplUkX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

296 cmd.exe

pid	process
296	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1232723.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
File created	C:\Windows\SysWOW64\sxload.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
File created	C:\Windows\System32\1232454.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
File opened for modification	C:\Windows\SysWOW64\1232454.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
File created	C:\Windows\System32\1232723.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

Drops file in Program Files directory 1 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxlzg.tmp 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1708 taskkill.exe
684 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxlzg.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

pid	process
1708	taskkill.exe
684	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

pid	process
1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

description	pid	process	target process
PID 1160 wrote to memory of 1708	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 1160 wrote to memory of 1708	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 1160 wrote to memory of 1708	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 1160 wrote to memory of 1708	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 1160 wrote to memory of 684	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 1160 wrote to memory of 684	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 1160 wrote to memory of 684	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 1160 wrote to memory of 684	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 1160 wrote to memory of 296	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 1160 wrote to memory of 296	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 1160 wrote to memory of 296	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 1160 wrote to memory of 296	1160	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
"C:\Users\Admin\AppData\Local\Temp\1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "DragonNest.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "sdologin.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:296

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
b74f188b2d82efe793a3090383a132d3

SHA1
03a95e0afcfb9d857dbf9027eed31b3edb88c45e

SHA256
37ad1799c78e1153d76d2c9d3e256866649e4e5d33233982f99b72fd77e974ce

SHA512
af0f8230187d4727a6bb4a177888ea489613e05063befabc68740f5a39bc20fb8e4790317be489fcb7aa5695e5b182c85b88ba20abdb36e599af20b66a1f44fb

Download Submit
memory/296-58-0x0000000000000000-mapping.dmp

Download
memory/684-57-0x0000000000000000-mapping.dmp

Download
memory/1160-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1160-55-0x00000000744B1000-0x00000000744B3000-memory.dmp

Filesize
8KB

Download
memory/1708-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads