c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd

General

Target

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Size

27KB
MD5

0d3cdf4fc3630c14d0facb4ffdd087e4
SHA1

b71d4a9d78c5c4094e0de3ab1271d32fa1ca6008
SHA256

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd
SHA512

10de3fe172457367f607222905c62189000ca4d1677cb14393f581452fd35ed513b2df1c0f3e66321e889cdf7a2416fe6da1cd7d66e16c5a2e1d85dd697acbd6
SSDEEP

384:t+0/29+Uh4GgKKFk7JF5qLgnM4S73TGD0VGkWntTNHLyzPnkQanGY4RpWmLugMPZ:QexKHObTGvtTNUnkfz47mPZ

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

616 takeown.exe
4380 icacls.exe
736 takeown.exe
1232 icacls.exe
2744 takeown.exe
3540 icacls.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

4380 icacls.exe
736 takeown.exe
1232 icacls.exe
2744 takeown.exe
3540 icacls.exe
616 takeown.exe

pid	process
616	takeown.exe
4380	icacls.exe
736	takeown.exe
1232	icacls.exe
2744	takeown.exe
3540	icacls.exe

pid	process
4380	icacls.exe
736	takeown.exe
1232	icacls.exe
2744	takeown.exe
3540	icacls.exe
616	takeown.exe

Drops file in System32 directory 7 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\123272.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File opened for modification	C:\Windows\SysWOW64\1238D4E.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File opened for modification	C:\Windows\SysWOW64\1239454.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
File created	C:\Windows\SysWOW64\sxload.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

Drops file in Program Files directory 1 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxf7.tmp c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5052 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxf7.tmp	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

pid	process
5052	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

pid	process
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Token: SeTakeOwnershipPrivilege	2744	takeown.exe
Token: SeDebugPrivilege	5052	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

pid	process
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2284 wrote to memory of 4208	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2284 wrote to memory of 4208	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2284 wrote to memory of 4208	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 4208 wrote to memory of 3660	4208	cmd.exe	cmd.exe
PID 4208 wrote to memory of 3660	4208	cmd.exe	cmd.exe
PID 4208 wrote to memory of 3660	4208	cmd.exe	cmd.exe
PID 3660 wrote to memory of 2744	3660	cmd.exe	takeown.exe
PID 3660 wrote to memory of 2744	3660	cmd.exe	takeown.exe
PID 3660 wrote to memory of 2744	3660	cmd.exe	takeown.exe
PID 4208 wrote to memory of 3540	4208	cmd.exe	icacls.exe
PID 4208 wrote to memory of 3540	4208	cmd.exe	icacls.exe
PID 4208 wrote to memory of 3540	4208	cmd.exe	icacls.exe
PID 2284 wrote to memory of 3824	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2284 wrote to memory of 3824	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2284 wrote to memory of 3824	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 3824 wrote to memory of 1904	3824	cmd.exe	cmd.exe
PID 3824 wrote to memory of 1904	3824	cmd.exe	cmd.exe
PID 3824 wrote to memory of 1904	3824	cmd.exe	cmd.exe
PID 1904 wrote to memory of 616	1904	cmd.exe	takeown.exe
PID 1904 wrote to memory of 616	1904	cmd.exe	takeown.exe
PID 1904 wrote to memory of 616	1904	cmd.exe	takeown.exe
PID 3824 wrote to memory of 4380	3824	cmd.exe	icacls.exe
PID 3824 wrote to memory of 4380	3824	cmd.exe	icacls.exe
PID 3824 wrote to memory of 4380	3824	cmd.exe	icacls.exe
PID 2284 wrote to memory of 3156	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2284 wrote to memory of 3156	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2284 wrote to memory of 3156	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 3156 wrote to memory of 4912	3156	cmd.exe	cmd.exe
PID 3156 wrote to memory of 4912	3156	cmd.exe	cmd.exe
PID 3156 wrote to memory of 4912	3156	cmd.exe	cmd.exe
PID 4912 wrote to memory of 736	4912	cmd.exe	takeown.exe
PID 4912 wrote to memory of 736	4912	cmd.exe	takeown.exe
PID 4912 wrote to memory of 736	4912	cmd.exe	takeown.exe
PID 3156 wrote to memory of 1232	3156	cmd.exe	icacls.exe
PID 3156 wrote to memory of 1232	3156	cmd.exe	icacls.exe
PID 3156 wrote to memory of 1232	3156	cmd.exe	icacls.exe
PID 2284 wrote to memory of 5052	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	taskkill.exe
PID 2284 wrote to memory of 5052	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	taskkill.exe
PID 2284 wrote to memory of 5052	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	taskkill.exe
PID 2284 wrote to memory of 3236	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2284 wrote to memory of 3236	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe
PID 2284 wrote to memory of 3236	2284	c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
"C:\Users\Admin\AppData\Local\Temp\c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:616

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:736

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1232

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
27671de916ba9e256c846654cd26357d

SHA1
a6df5f9271d13bf3c4968163f1435822e8a053f6

SHA256
2e4f0b8c4b4b67b51f7b3d6bc5d4aeba5b6f7e1066c1aa079a55b77397ba5352

SHA512
b2ed5a225555f621f14c861c9c6c23afd92e77fedf5b7d8ac976d4269bc5e71e6829bf869790c3c39f733869fcb504a3bbeec63b61428412116ee8ca96d24192

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
f6d9b897d17f7d7f3437e375aec0479c

SHA1
0fa5161d13e665968fe16a41721d85aa625a55bf

SHA256
b86007da2336816e6ac622e9a8c075b309d0db99d7424dbe88c7a82cfc159a4c

SHA512
7dbaac6ee57088afe22ad4c31bcb6b34119b26eb7cbccb096ee0b6dcaa7e1e84c50841f8b46f389672e7b6c2ab3d6064453aec9d205afdbd23589976b888ca39

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
867c48a347666c56321d58f619355897

SHA1
7ddb891077ab743a8c921650b804042982793aaf

SHA256
29f1013890cc83362201972140f4bfae09cd09a228ad98e8817bfb80759a9f95

SHA512
6f4500f9f494f2a65f36eef6110d0c3ce4156fb865b9b55e8dd76be6eb24bae5378f97929430cb319a04da35cd229be3536742721ce3ae0aa69d47411bbd3881

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
192KB

MD5
f6d9b897d17f7d7f3437e375aec0479c

SHA1
0fa5161d13e665968fe16a41721d85aa625a55bf

SHA256
b86007da2336816e6ac622e9a8c075b309d0db99d7424dbe88c7a82cfc159a4c

SHA512
7dbaac6ee57088afe22ad4c31bcb6b34119b26eb7cbccb096ee0b6dcaa7e1e84c50841f8b46f389672e7b6c2ab3d6064453aec9d205afdbd23589976b888ca39

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
867c48a347666c56321d58f619355897

SHA1
7ddb891077ab743a8c921650b804042982793aaf

SHA256
29f1013890cc83362201972140f4bfae09cd09a228ad98e8817bfb80759a9f95

SHA512
6f4500f9f494f2a65f36eef6110d0c3ce4156fb865b9b55e8dd76be6eb24bae5378f97929430cb319a04da35cd229be3536742721ce3ae0aa69d47411bbd3881

Download Submit
memory/616-140-0x0000000000000000-mapping.dmp

Download
memory/736-147-0x0000000000000000-mapping.dmp

Download
memory/1232-148-0x0000000000000000-mapping.dmp

Download
memory/1904-139-0x0000000000000000-mapping.dmp

Download
memory/2744-135-0x0000000000000000-mapping.dmp

Download
memory/3156-144-0x0000000000000000-mapping.dmp

Download
memory/3236-152-0x0000000000000000-mapping.dmp

Download
memory/3540-136-0x0000000000000000-mapping.dmp

Download
memory/3660-134-0x0000000000000000-mapping.dmp

Download
memory/3824-137-0x0000000000000000-mapping.dmp

Download
memory/4208-132-0x0000000000000000-mapping.dmp

Download
memory/4380-141-0x0000000000000000-mapping.dmp

Download
memory/4912-146-0x0000000000000000-mapping.dmp

Download
memory/5052-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads