0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c

General

Target

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
Size

26KB
MD5

9792eb6458541aa819ffdfff1b9cb12c
SHA1

6b1d6ddd6e10d589956eaee390fbbac8efc525f9
SHA256

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c
SHA512

d2eaf1079a39119b078d02d5e9eb3b06977f86b3ad717c0ee7a7d1d89b9125bbfcca779042e7d5e0fffa72a0f6ecb0c709985f2870142333e47b96c59b1a2b01
SSDEEP

768:fbxCg6yf57Typ+tr8hx6h92tR9+pTEVbAKNHrzD:DxC/E57ztSxrlfBT

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

616 icacls.exe
1828 takeown.exe
676 icacls.exe
1456 takeown.exe
804 icacls.exe
1664 takeown.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1808 cmd.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1456 takeown.exe
804 icacls.exe
1664 takeown.exe
616 icacls.exe
1828 takeown.exe
676 icacls.exe

pid	process
616	icacls.exe
1828	takeown.exe
676	icacls.exe
1456	takeown.exe
804	icacls.exe
1664	takeown.exe

pid	process
1808	cmd.exe

pid	process
1456	takeown.exe
804	icacls.exe
1664	takeown.exe
616	icacls.exe
1828	takeown.exe
676	icacls.exe

Drops file in System32 directory 10 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\syswow64\123DD48.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\SysWOW64\1231597.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\syswow64\1231597.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\SysWOW64\1239B96.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\syswow64\1239B96.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\SysWOW64\123DD48.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File created	C:\Windows\SysWOW64\sxload.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

Drops file in Program Files directory 1 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxmy.tmp 0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1524 taskkill.exe
1624 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

pid process

268 0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxmy.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

pid	process
1524	taskkill.exe
1624	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
Token: SeTakeOwnershipPrivilege	1828	takeown.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

pid	process
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 268 wrote to memory of 876	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 876	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 876	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 876	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 876 wrote to memory of 1260	876	cmd.exe	cmd.exe
PID 876 wrote to memory of 1260	876	cmd.exe	cmd.exe
PID 876 wrote to memory of 1260	876	cmd.exe	cmd.exe
PID 876 wrote to memory of 1260	876	cmd.exe	cmd.exe
PID 1260 wrote to memory of 1828	1260	cmd.exe	takeown.exe
PID 1260 wrote to memory of 1828	1260	cmd.exe	takeown.exe
PID 1260 wrote to memory of 1828	1260	cmd.exe	takeown.exe
PID 1260 wrote to memory of 1828	1260	cmd.exe	takeown.exe
PID 876 wrote to memory of 676	876	cmd.exe	icacls.exe
PID 876 wrote to memory of 676	876	cmd.exe	icacls.exe
PID 876 wrote to memory of 676	876	cmd.exe	icacls.exe
PID 876 wrote to memory of 676	876	cmd.exe	icacls.exe
PID 268 wrote to memory of 528	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 528	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 528	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 528	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 528 wrote to memory of 668	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 668	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 668	528	cmd.exe	cmd.exe
PID 528 wrote to memory of 668	528	cmd.exe	cmd.exe
PID 668 wrote to memory of 1456	668	cmd.exe	takeown.exe
PID 668 wrote to memory of 1456	668	cmd.exe	takeown.exe
PID 668 wrote to memory of 1456	668	cmd.exe	takeown.exe
PID 668 wrote to memory of 1456	668	cmd.exe	takeown.exe
PID 528 wrote to memory of 804	528	cmd.exe	icacls.exe
PID 528 wrote to memory of 804	528	cmd.exe	icacls.exe
PID 528 wrote to memory of 804	528	cmd.exe	icacls.exe
PID 528 wrote to memory of 804	528	cmd.exe	icacls.exe
PID 268 wrote to memory of 1300	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 1300	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 1300	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 1300	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 1300 wrote to memory of 1672	1300	cmd.exe	cmd.exe
PID 1300 wrote to memory of 1672	1300	cmd.exe	cmd.exe
PID 1300 wrote to memory of 1672	1300	cmd.exe	cmd.exe
PID 1300 wrote to memory of 1672	1300	cmd.exe	cmd.exe
PID 1672 wrote to memory of 1664	1672	cmd.exe	takeown.exe
PID 1672 wrote to memory of 1664	1672	cmd.exe	takeown.exe
PID 1672 wrote to memory of 1664	1672	cmd.exe	takeown.exe
PID 1672 wrote to memory of 1664	1672	cmd.exe	takeown.exe
PID 1300 wrote to memory of 616	1300	cmd.exe	icacls.exe
PID 1300 wrote to memory of 616	1300	cmd.exe	icacls.exe
PID 1300 wrote to memory of 616	1300	cmd.exe	icacls.exe
PID 1300 wrote to memory of 616	1300	cmd.exe	icacls.exe
PID 268 wrote to memory of 1524	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 268 wrote to memory of 1524	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 268 wrote to memory of 1524	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 268 wrote to memory of 1524	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 268 wrote to memory of 1624	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 268 wrote to memory of 1624	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 268 wrote to memory of 1624	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 268 wrote to memory of 1624	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 268 wrote to memory of 1808	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 1808	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 1808	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 268 wrote to memory of 1808	268	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
"C:\Users\Admin\AppData\Local\Temp\0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1456

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1664

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:616

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1808

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
61a326a17787c283d57454192cb37236

SHA1
8691eb0658f3a230a1d5c045f725826f6fe42449

SHA256
75496d610408dbc20b61e2b8dd61321e036b95d9ea34b63e006ec864a25c68bf

SHA512
b33af6970cd97eecc01e12efcdb213bebb3f475ed9a67d5cfce0f0737587b9950dd1617e59d100a7692bb0b729bbaa3e75c6beabab865c8242710f21583eee94

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
101KB

MD5
0894ff9cb2f6ac6696b04351f5bfc422

SHA1
fa02fb7e2b343b7d467675a81afd088c877d641f

SHA256
f63abb152ab1ee993236a7b1b30b0b40be2aeab0edee9eb52fc465695190bb88

SHA512
493c7fa3cfb938c3b98704baad0be2519787cce465ee344fcd6450c5707b3d3bd0a834d35c33947b8a4dd95a2178b4dab0f5668abc8995dc4965532d5b8c33b7

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
f87a749e97c7a8c63406321aa604498f

SHA1
5da6a31742558d3f5e9ccde10304012230d2e0a7

SHA256
c54a7f4a32e9f6d19dbd80a7a52ea54f689956ee25e42bb6a168dc0ca3dd5946

SHA512
73fad4c4f9fb08a2a6ecc82695f18266600ad954ac50056c0db83c2dd3c5171c64e33bcced26ba06c9994c172d7c4c6fd979cd9d795e107f0bc28baa3becc97b

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
101KB

MD5
0894ff9cb2f6ac6696b04351f5bfc422

SHA1
fa02fb7e2b343b7d467675a81afd088c877d641f

SHA256
f63abb152ab1ee993236a7b1b30b0b40be2aeab0edee9eb52fc465695190bb88

SHA512
493c7fa3cfb938c3b98704baad0be2519787cce465ee344fcd6450c5707b3d3bd0a834d35c33947b8a4dd95a2178b4dab0f5668abc8995dc4965532d5b8c33b7

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
11KB

MD5
f87a749e97c7a8c63406321aa604498f

SHA1
5da6a31742558d3f5e9ccde10304012230d2e0a7

SHA256
c54a7f4a32e9f6d19dbd80a7a52ea54f689956ee25e42bb6a168dc0ca3dd5946

SHA512
73fad4c4f9fb08a2a6ecc82695f18266600ad954ac50056c0db83c2dd3c5171c64e33bcced26ba06c9994c172d7c4c6fd979cd9d795e107f0bc28baa3becc97b

Download Submit
memory/268-61-0x0000000074891000-0x0000000074893000-memory.dmp

Filesize
8KB

Download
memory/268-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/268-60-0x0000000074A41000-0x0000000074A43000-memory.dmp

Filesize
8KB

Download
memory/528-63-0x0000000000000000-mapping.dmp

Download
memory/616-77-0x0000000000000000-mapping.dmp

Download
memory/668-65-0x0000000000000000-mapping.dmp

Download
memory/676-59-0x0000000000000000-mapping.dmp

Download
memory/804-67-0x0000000000000000-mapping.dmp

Download
memory/876-55-0x0000000000000000-mapping.dmp

Download
memory/1260-57-0x0000000000000000-mapping.dmp

Download
memory/1300-73-0x0000000000000000-mapping.dmp

Download
memory/1456-66-0x0000000000000000-mapping.dmp

Download
memory/1524-81-0x0000000000000000-mapping.dmp

Download
memory/1624-82-0x0000000000000000-mapping.dmp

Download
memory/1664-76-0x0000000000000000-mapping.dmp

Download
memory/1672-75-0x0000000000000000-mapping.dmp

Download
memory/1808-83-0x0000000000000000-mapping.dmp

Download
memory/1828-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads