db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1

General

Target

db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
Size

29KB
MD5

cc2aebc5335d2a8c630472699d23774d
SHA1

c64f88bc0ba7ebea5b7a632acbc4ee6217228500
SHA256

db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1
SHA512

0a7d10a7aa938708b050be1156a03f29e9503df7267da3358665b3ac4495b1323f503efb4e192b9fc29771f412dcfe4a2ffc733003e5ed7db2e1b53b2398ed65
SSDEEP

768:fxCg6RCJr0Jqb7z1VF+UZNbCCKPpL2Hu2YiGLWrZ:fxC/R2r0EPvswGThPBWd

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4900 takeown.exe
3224 icacls.exe
1124 takeown.exe
2352 icacls.exe
1544 takeown.exe
928 icacls.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1544 takeown.exe
928 icacls.exe
4900 takeown.exe
3224 icacls.exe
1124 takeown.exe
2352 icacls.exe

pid	process
4900	takeown.exe
3224	icacls.exe
1124	takeown.exe
2352	icacls.exe
1544	takeown.exe
928	icacls.exe

pid	process
1544	takeown.exe
928	icacls.exe
4900	takeown.exe
3224	icacls.exe
1124	takeown.exe
2352	icacls.exe

Drops file in System32 directory 7 IoCs

Processes:

db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1231638.tmp	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
File opened for modification	C:\Windows\SysWOW64\123C824.tmp	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
File opened for modification	C:\Windows\SysWOW64\123F129.tmp	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
File created	C:\Windows\SysWOW64\sxload.tmp	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe

Drops file in Program Files directory 1 IoCs

Processes:

db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxmy.tmp db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2216 taskkill.exe
3144 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxmy.tmp	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe

pid	process
2216	taskkill.exe
3144	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe

pid	process
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
Token: SeTakeOwnershipPrivilege	4900	takeown.exe
Token: SeDebugPrivilege	3144	taskkill.exe
Token: SeDebugPrivilege	2216	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe

pid	process
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3452 wrote to memory of 4904	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 3452 wrote to memory of 4904	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 3452 wrote to memory of 4904	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 4904 wrote to memory of 220	4904	cmd.exe	cmd.exe
PID 4904 wrote to memory of 220	4904	cmd.exe	cmd.exe
PID 4904 wrote to memory of 220	4904	cmd.exe	cmd.exe
PID 220 wrote to memory of 4900	220	cmd.exe	takeown.exe
PID 220 wrote to memory of 4900	220	cmd.exe	takeown.exe
PID 220 wrote to memory of 4900	220	cmd.exe	takeown.exe
PID 4904 wrote to memory of 3224	4904	cmd.exe	icacls.exe
PID 4904 wrote to memory of 3224	4904	cmd.exe	icacls.exe
PID 4904 wrote to memory of 3224	4904	cmd.exe	icacls.exe
PID 3452 wrote to memory of 4044	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 3452 wrote to memory of 4044	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 3452 wrote to memory of 4044	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 4044 wrote to memory of 2952	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 2952	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 2952	4044	cmd.exe	cmd.exe
PID 2952 wrote to memory of 1124	2952	cmd.exe	takeown.exe
PID 2952 wrote to memory of 1124	2952	cmd.exe	takeown.exe
PID 2952 wrote to memory of 1124	2952	cmd.exe	takeown.exe
PID 4044 wrote to memory of 2352	4044	cmd.exe	icacls.exe
PID 4044 wrote to memory of 2352	4044	cmd.exe	icacls.exe
PID 4044 wrote to memory of 2352	4044	cmd.exe	icacls.exe
PID 3452 wrote to memory of 1392	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 3452 wrote to memory of 1392	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 3452 wrote to memory of 1392	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 1392 wrote to memory of 908	1392	cmd.exe	cmd.exe
PID 1392 wrote to memory of 908	1392	cmd.exe	cmd.exe
PID 1392 wrote to memory of 908	1392	cmd.exe	cmd.exe
PID 908 wrote to memory of 1544	908	cmd.exe	takeown.exe
PID 908 wrote to memory of 1544	908	cmd.exe	takeown.exe
PID 908 wrote to memory of 1544	908	cmd.exe	takeown.exe
PID 1392 wrote to memory of 928	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 928	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 928	1392	cmd.exe	icacls.exe
PID 3452 wrote to memory of 2216	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	taskkill.exe
PID 3452 wrote to memory of 2216	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	taskkill.exe
PID 3452 wrote to memory of 2216	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	taskkill.exe
PID 3452 wrote to memory of 3144	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	taskkill.exe
PID 3452 wrote to memory of 3144	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	taskkill.exe
PID 3452 wrote to memory of 3144	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	taskkill.exe
PID 3452 wrote to memory of 3612	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 3452 wrote to memory of 3612	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe
PID 3452 wrote to memory of 3612	3452	db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe
"C:\Users\Admin\AppData\Local\Temp\db92c870de885aa77040fd6fa3069e8bd998da98b953a2d8ae732c3093617ff1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4904

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1544

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
e364ffa7f6009e39a9aa46a5e7fcb929

SHA1
5728e119131df728a72fb66f4492f6e5ee45e8db

SHA256
e433f7642d97f940fc69521c2c565e6937f2cb5e08c538acc132183a3167f7b2

SHA512
f122fa7bf3305a3b6c51c9d5c8b0749e4cc716f10fbf75f4ea87f897fc101baba298f144f6ef526c5f458f2d2320e07eaa3d45de30aaa8ebb64000b4c7e9e1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
8f22e17c9af9e95c329ef04e6c3b828b

SHA1
5bcad5676899fb75652c664d40943082e3f2819f

SHA256
b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56

SHA512
fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
192KB

MD5
8f22e17c9af9e95c329ef04e6c3b828b

SHA1
5bcad5676899fb75652c664d40943082e3f2819f

SHA256
b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56

SHA512
fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
memory/220-134-0x0000000000000000-mapping.dmp

Download
memory/908-146-0x0000000000000000-mapping.dmp

Download
memory/928-148-0x0000000000000000-mapping.dmp

Download
memory/1124-140-0x0000000000000000-mapping.dmp

Download
memory/1392-144-0x0000000000000000-mapping.dmp

Download
memory/1544-147-0x0000000000000000-mapping.dmp

Download
memory/2216-151-0x0000000000000000-mapping.dmp

Download
memory/2352-141-0x0000000000000000-mapping.dmp

Download
memory/2952-139-0x0000000000000000-mapping.dmp

Download
memory/3144-152-0x0000000000000000-mapping.dmp

Download
memory/3224-136-0x0000000000000000-mapping.dmp

Download
memory/3612-153-0x0000000000000000-mapping.dmp

Download
memory/4044-137-0x0000000000000000-mapping.dmp

Download
memory/4900-135-0x0000000000000000-mapping.dmp

Download
memory/4904-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads