1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60

General

Target

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Size

30KB
MD5

7f832522934d3034af0fcd529b7e1595
SHA1

85d3e42a2e1ddca118d572e416c2e5f619ec69f7
SHA256

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60
SHA512

3e56c0f98d0c04a9aeed6977ae908d04c19c2b945cfe301b619ddeae93879a8d084a0a6cfcaa5565b51c3e33d9cd4e1b98b74bf2c4ebc93b7c702abf1b1178d0
SSDEEP

768:WKHHTyxuINi6TqHIZfC917xi3+Meo0Nbw4lUubXkD:WkVkDG0fCnNqluplUkX

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4224 icacls.exe
1948 takeown.exe
1500 icacls.exe
1316 takeown.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1316 takeown.exe
4224 icacls.exe
1948 takeown.exe
1500 icacls.exe

pid	process
4224	icacls.exe
1948	takeown.exe
1500	icacls.exe
1316	takeown.exe

pid	process
1316	takeown.exe
4224	icacls.exe
1948	takeown.exe
1500	icacls.exe

Drops file in System32 directory 5 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sxload.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
File opened for modification	C:\Windows\SysWOW64\1237D06.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
File opened for modification	C:\Windows\SysWOW64\12386AB.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

Drops file in Program Files directory 1 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxlzg.tmp 1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1476 taskkill.exe
2040 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxlzg.tmp	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

pid	process
1476	taskkill.exe
2040	taskkill.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exetakeown.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
Token: SeTakeOwnershipPrivilege	1948	takeown.exe
Token: SeTakeOwnershipPrivilege	1316	takeown.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

pid	process
4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.execmd.execmd.exe

description	pid	process	target process
PID 4660 wrote to memory of 2828	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 4660 wrote to memory of 2828	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 4660 wrote to memory of 2828	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 2828 wrote to memory of 1948	2828	cmd.exe	takeown.exe
PID 2828 wrote to memory of 1948	2828	cmd.exe	takeown.exe
PID 2828 wrote to memory of 1948	2828	cmd.exe	takeown.exe
PID 2828 wrote to memory of 1500	2828	cmd.exe	icacls.exe
PID 2828 wrote to memory of 1500	2828	cmd.exe	icacls.exe
PID 2828 wrote to memory of 1500	2828	cmd.exe	icacls.exe
PID 4660 wrote to memory of 1800	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 4660 wrote to memory of 1800	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 4660 wrote to memory of 1800	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 1800 wrote to memory of 1316	1800	cmd.exe	takeown.exe
PID 1800 wrote to memory of 1316	1800	cmd.exe	takeown.exe
PID 1800 wrote to memory of 1316	1800	cmd.exe	takeown.exe
PID 1800 wrote to memory of 4224	1800	cmd.exe	icacls.exe
PID 1800 wrote to memory of 4224	1800	cmd.exe	icacls.exe
PID 1800 wrote to memory of 4224	1800	cmd.exe	icacls.exe
PID 4660 wrote to memory of 1476	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 4660 wrote to memory of 1476	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 4660 wrote to memory of 1476	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 4660 wrote to memory of 2040	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 4660 wrote to memory of 2040	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 4660 wrote to memory of 2040	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	taskkill.exe
PID 4660 wrote to memory of 2068	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 4660 wrote to memory of 2068	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe
PID 4660 wrote to memory of 2068	4660	1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe
"C:\Users\Admin\AppData\Local\Temp\1bc01a9de6f3bfd74db2174255224c5bd6903fb9722afd0e9cc492e50ff73f60.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rasadhlp.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\midimap.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "DragonNest.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "sdologin.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:2068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
b74f188b2d82efe793a3090383a132d3

SHA1
03a95e0afcfb9d857dbf9027eed31b3edb88c45e

SHA256
37ad1799c78e1153d76d2c9d3e256866649e4e5d33233982f99b72fd77e974ce

SHA512
af0f8230187d4727a6bb4a177888ea489613e05063befabc68740f5a39bc20fb8e4790317be489fcb7aa5695e5b182c85b88ba20abdb36e599af20b66a1f44fb

Download Submit
memory/1316-136-0x0000000000000000-mapping.dmp

Download
memory/1476-138-0x0000000000000000-mapping.dmp

Download
memory/1500-134-0x0000000000000000-mapping.dmp

Download
memory/1800-135-0x0000000000000000-mapping.dmp

Download
memory/1948-133-0x0000000000000000-mapping.dmp

Download
memory/2040-139-0x0000000000000000-mapping.dmp

Download
memory/2068-140-0x0000000000000000-mapping.dmp

Download
memory/2828-132-0x0000000000000000-mapping.dmp

Download
memory/4224-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads