c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd

General

Target

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Size

27KB
MD5

0d3cdf4fc3630c14d0facb4ffdd087e4
SHA1

b71d4a9d78c5c4094e0de3ab1271d32fa1ca6008
SHA256

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd
SHA512

10de3fe172457367f607222905c62189000ca4d1677cb14393f581452fd35ed513b2df1c0f3e66321e889cdf7a2416fe6da1cd7d66e16c5a2e1d85dd697acbd6
SSDEEP

384:t+0/29+Uh4GgKKFk7JF5qLgnM4S73TGD0VGkWntTNHLyzPnkQanGY4RpWmLugMPZ:QexKHObTGvtTNUnkfz47mPZ

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1264 icacls.exe
2024 takeown.exe
1376 icacls.exe
1820 takeown.exe
1940 icacls.exe
584 takeown.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1048 cmd.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

2024 takeown.exe
1376 icacls.exe
1820 takeown.exe
1940 icacls.exe
584 takeown.exe
1264 icacls.exe

pid	process
1264	icacls.exe
2024	takeown.exe
1376	icacls.exe
1820	takeown.exe
1940	icacls.exe
584	takeown.exe

pid	process
1048	cmd.exe

pid	process
2024	takeown.exe
1376	icacls.exe
1820	takeown.exe
1940	icacls.exe
584	takeown.exe
1264	icacls.exe

Drops file in System32 directory 10 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

description	ioc	process
File opened for modification	C:\Windows\syswow64\123C1CC.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File created	C:\Windows\SysWOW64\sxload.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File opened for modification	C:\Windows\SysWOW64\123B473.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File opened for modification	C:\Windows\syswow64\123B473.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File opened for modification	C:\Windows\SysWOW64\123C1CC.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File opened for modification	C:\Windows\SysWOW64\123CDCE.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File opened for modification	C:\Windows\syswow64\123CDCE.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

Drops file in Program Files directory 1 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxf7.tmp c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1784 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

pid process

1212 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxf7.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

pid	process
1784	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Token: SeTakeOwnershipPrivilege	584	takeown.exe
Token: SeDebugPrivilege	1784	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

pid	process
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1212 wrote to memory of 2004	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 2004	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 2004	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 2004	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2004 wrote to memory of 996	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 996	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 996	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 996	2004	cmd.exe	cmd.exe
PID 996 wrote to memory of 584	996	cmd.exe	takeown.exe
PID 996 wrote to memory of 584	996	cmd.exe	takeown.exe
PID 996 wrote to memory of 584	996	cmd.exe	takeown.exe
PID 996 wrote to memory of 584	996	cmd.exe	takeown.exe
PID 2004 wrote to memory of 1264	2004	cmd.exe	icacls.exe
PID 2004 wrote to memory of 1264	2004	cmd.exe	icacls.exe
PID 2004 wrote to memory of 1264	2004	cmd.exe	icacls.exe
PID 2004 wrote to memory of 1264	2004	cmd.exe	icacls.exe
PID 1212 wrote to memory of 1868	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1868	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1868	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1868	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1868 wrote to memory of 1512	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 1512	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 1512	1868	cmd.exe	cmd.exe
PID 1868 wrote to memory of 1512	1868	cmd.exe	cmd.exe
PID 1512 wrote to memory of 2024	1512	cmd.exe	takeown.exe
PID 1512 wrote to memory of 2024	1512	cmd.exe	takeown.exe
PID 1512 wrote to memory of 2024	1512	cmd.exe	takeown.exe
PID 1512 wrote to memory of 2024	1512	cmd.exe	takeown.exe
PID 1868 wrote to memory of 1376	1868	cmd.exe	icacls.exe
PID 1868 wrote to memory of 1376	1868	cmd.exe	icacls.exe
PID 1868 wrote to memory of 1376	1868	cmd.exe	icacls.exe
PID 1868 wrote to memory of 1376	1868	cmd.exe	icacls.exe
PID 1212 wrote to memory of 1020	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1020	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1020	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1020	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1020 wrote to memory of 1824	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 1824	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 1824	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 1824	1020	cmd.exe	cmd.exe
PID 1824 wrote to memory of 1820	1824	cmd.exe	takeown.exe
PID 1824 wrote to memory of 1820	1824	cmd.exe	takeown.exe
PID 1824 wrote to memory of 1820	1824	cmd.exe	takeown.exe
PID 1824 wrote to memory of 1820	1824	cmd.exe	takeown.exe
PID 1020 wrote to memory of 1940	1020	cmd.exe	icacls.exe
PID 1020 wrote to memory of 1940	1020	cmd.exe	icacls.exe
PID 1020 wrote to memory of 1940	1020	cmd.exe	icacls.exe
PID 1020 wrote to memory of 1940	1020	cmd.exe	icacls.exe
PID 1212 wrote to memory of 1784	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	taskkill.exe
PID 1212 wrote to memory of 1784	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	taskkill.exe
PID 1212 wrote to memory of 1784	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	taskkill.exe
PID 1212 wrote to memory of 1784	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	taskkill.exe
PID 1212 wrote to memory of 1048	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1048	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1048	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 1212 wrote to memory of 1048	1212	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
"C:\Users\Admin\AppData\Local\Temp\c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1264

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2024

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1820

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1048

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
27671de916ba9e256c846654cd26357d

SHA1
a6df5f9271d13bf3c4968163f1435822e8a053f6

SHA256
2e4f0b8c4b4b67b51f7b3d6bc5d4aeba5b6f7e1066c1aa079a55b77397ba5352

SHA512
b2ed5a225555f621f14c861c9c6c23afd92e77fedf5b7d8ac976d4269bc5e71e6829bf869790c3c39f733869fcb504a3bbeec63b61428412116ee8ca96d24192

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
101KB

MD5
f913b20dc0e5fa059512c86b18bfc079

SHA1
610f717ae3bc6fecfb04324a2c8dc01999156808

SHA256
6e040e9019e31789c1fd1e4431e82cc00a6b4daec29e298225373dee2a809d18

SHA512
0a85ce85b690f067351aab39aa567bb8853d8929142a1e93f4eeb7c6de74e32ff590598a2e3df174a500465dc029afb1956e76ace405b2c7d945763a8db94c8c

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
931ba9e14fcbe21b5c8277659aa0f60a

SHA1
e14165f4d0c64ff347e86d1bbc1d0142d58f50e2

SHA256
cab7ea6cb10da50db2d603fdc4fe5bea698ad9e032781ac4b9f9e73311c5775c

SHA512
ce973f13efa94808b031d4def0514efd9684ee035a2b628d9299ac01d6ff60e6624d0a7f5f5d46a8c63720de129d6202edc8fc7918926fb88f1dc915fc1bc275

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
101KB

MD5
f913b20dc0e5fa059512c86b18bfc079

SHA1
610f717ae3bc6fecfb04324a2c8dc01999156808

SHA256
6e040e9019e31789c1fd1e4431e82cc00a6b4daec29e298225373dee2a809d18

SHA512
0a85ce85b690f067351aab39aa567bb8853d8929142a1e93f4eeb7c6de74e32ff590598a2e3df174a500465dc029afb1956e76ace405b2c7d945763a8db94c8c

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
11KB

MD5
931ba9e14fcbe21b5c8277659aa0f60a

SHA1
e14165f4d0c64ff347e86d1bbc1d0142d58f50e2

SHA256
cab7ea6cb10da50db2d603fdc4fe5bea698ad9e032781ac4b9f9e73311c5775c

SHA512
ce973f13efa94808b031d4def0514efd9684ee035a2b628d9299ac01d6ff60e6624d0a7f5f5d46a8c63720de129d6202edc8fc7918926fb88f1dc915fc1bc275

Download Submit
memory/584-58-0x0000000000000000-mapping.dmp

Download
memory/996-57-0x0000000000000000-mapping.dmp

Download
memory/1020-73-0x0000000000000000-mapping.dmp

Download
memory/1048-84-0x0000000000000000-mapping.dmp

Download
memory/1212-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1212-61-0x00000000742A1000-0x00000000742A3000-memory.dmp

Filesize
8KB

Download
memory/1212-60-0x0000000074451000-0x0000000074453000-memory.dmp

Filesize
8KB

Download
memory/1264-59-0x0000000000000000-mapping.dmp

Download
memory/1376-67-0x0000000000000000-mapping.dmp

Download
memory/1512-65-0x0000000000000000-mapping.dmp

Download
memory/1784-83-0x0000000000000000-mapping.dmp

Download
memory/1820-76-0x0000000000000000-mapping.dmp

Download
memory/1824-75-0x0000000000000000-mapping.dmp

Download
memory/1868-63-0x0000000000000000-mapping.dmp

Download
memory/1940-77-0x0000000000000000-mapping.dmp

Download
memory/2004-55-0x0000000000000000-mapping.dmp

Download
memory/2024-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads