0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c

General

Target

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
Size

26KB
MD5

9792eb6458541aa819ffdfff1b9cb12c
SHA1

6b1d6ddd6e10d589956eaee390fbbac8efc525f9
SHA256

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c
SHA512

d2eaf1079a39119b078d02d5e9eb3b06977f86b3ad717c0ee7a7d1d89b9125bbfcca779042e7d5e0fffa72a0f6ecb0c709985f2870142333e47b96c59b1a2b01
SSDEEP

768:fbxCg6yf57Typ+tr8hx6h92tR9+pTEVbAKNHrzD:DxC/E57ztSxrlfBT

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

3456 icacls.exe
4740 takeown.exe
5048 icacls.exe
2116 takeown.exe
4788 icacls.exe
4352 takeown.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

4352 takeown.exe
3456 icacls.exe
4740 takeown.exe
5048 icacls.exe
2116 takeown.exe
4788 icacls.exe

pid	process
3456	icacls.exe
4740	takeown.exe
5048	icacls.exe
2116	takeown.exe
4788	icacls.exe
4352	takeown.exe

pid	process
4352	takeown.exe
3456	icacls.exe
4740	takeown.exe
5048	icacls.exe
2116	takeown.exe
4788	icacls.exe

Drops file in System32 directory 7 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\SysWOW64\123472E.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File created	C:\Windows\SysWOW64\sxload.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\SysWOW64\1237073.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
File opened for modification	C:\Windows\SysWOW64\1234141.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

Drops file in Program Files directory 1 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxmy.tmp 0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3396 taskkill.exe
4304 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxmy.tmp	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

pid	process
3396	taskkill.exe
4304	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

pid	process
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
Token: SeTakeOwnershipPrivilege	4352	takeown.exe
Token: SeDebugPrivilege	4304	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

pid	process
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4648 wrote to memory of 4628	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4648 wrote to memory of 4628	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4648 wrote to memory of 4628	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4628 wrote to memory of 5088	4628	cmd.exe	cmd.exe
PID 4628 wrote to memory of 5088	4628	cmd.exe	cmd.exe
PID 4628 wrote to memory of 5088	4628	cmd.exe	cmd.exe
PID 5088 wrote to memory of 4352	5088	cmd.exe	takeown.exe
PID 5088 wrote to memory of 4352	5088	cmd.exe	takeown.exe
PID 5088 wrote to memory of 4352	5088	cmd.exe	takeown.exe
PID 4628 wrote to memory of 3456	4628	cmd.exe	icacls.exe
PID 4628 wrote to memory of 3456	4628	cmd.exe	icacls.exe
PID 4628 wrote to memory of 3456	4628	cmd.exe	icacls.exe
PID 4648 wrote to memory of 4492	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4648 wrote to memory of 4492	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4648 wrote to memory of 4492	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4492 wrote to memory of 1392	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 1392	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 1392	4492	cmd.exe	cmd.exe
PID 1392 wrote to memory of 4740	1392	cmd.exe	takeown.exe
PID 1392 wrote to memory of 4740	1392	cmd.exe	takeown.exe
PID 1392 wrote to memory of 4740	1392	cmd.exe	takeown.exe
PID 4492 wrote to memory of 5048	4492	cmd.exe	icacls.exe
PID 4492 wrote to memory of 5048	4492	cmd.exe	icacls.exe
PID 4492 wrote to memory of 5048	4492	cmd.exe	icacls.exe
PID 4648 wrote to memory of 2140	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4648 wrote to memory of 2140	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4648 wrote to memory of 2140	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 2140 wrote to memory of 2924	2140	cmd.exe	cmd.exe
PID 2140 wrote to memory of 2924	2140	cmd.exe	cmd.exe
PID 2140 wrote to memory of 2924	2140	cmd.exe	cmd.exe
PID 2924 wrote to memory of 2116	2924	cmd.exe	takeown.exe
PID 2924 wrote to memory of 2116	2924	cmd.exe	takeown.exe
PID 2924 wrote to memory of 2116	2924	cmd.exe	takeown.exe
PID 2140 wrote to memory of 4788	2140	cmd.exe	icacls.exe
PID 2140 wrote to memory of 4788	2140	cmd.exe	icacls.exe
PID 2140 wrote to memory of 4788	2140	cmd.exe	icacls.exe
PID 4648 wrote to memory of 3396	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 4648 wrote to memory of 3396	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 4648 wrote to memory of 3396	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 4648 wrote to memory of 4304	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 4648 wrote to memory of 4304	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 4648 wrote to memory of 4304	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	taskkill.exe
PID 4648 wrote to memory of 660	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4648 wrote to memory of 660	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe
PID 4648 wrote to memory of 660	4648	0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe
"C:\Users\Admin\AppData\Local\Temp\0543867d7c672a1570012f0337d563f0c2072e1d775a931690949360fcafaa3c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4740

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2116

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4788

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
61a326a17787c283d57454192cb37236

SHA1
8691eb0658f3a230a1d5c045f725826f6fe42449

SHA256
75496d610408dbc20b61e2b8dd61321e036b95d9ea34b63e006ec864a25c68bf

SHA512
b33af6970cd97eecc01e12efcdb213bebb3f475ed9a67d5cfce0f0737587b9950dd1617e59d100a7692bb0b729bbaa3e75c6beabab865c8242710f21583eee94

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
8f22e17c9af9e95c329ef04e6c3b828b

SHA1
5bcad5676899fb75652c664d40943082e3f2819f

SHA256
b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56

SHA512
fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
192KB

MD5
8f22e17c9af9e95c329ef04e6c3b828b

SHA1
5bcad5676899fb75652c664d40943082e3f2819f

SHA256
b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56

SHA512
fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
memory/660-153-0x0000000000000000-mapping.dmp

Download
memory/1392-139-0x0000000000000000-mapping.dmp

Download
memory/2116-147-0x0000000000000000-mapping.dmp

Download
memory/2140-144-0x0000000000000000-mapping.dmp

Download
memory/2924-146-0x0000000000000000-mapping.dmp

Download
memory/3396-151-0x0000000000000000-mapping.dmp

Download
memory/3456-136-0x0000000000000000-mapping.dmp

Download
memory/4304-152-0x0000000000000000-mapping.dmp

Download
memory/4352-135-0x0000000000000000-mapping.dmp

Download
memory/4492-137-0x0000000000000000-mapping.dmp

Download
memory/4628-132-0x0000000000000000-mapping.dmp

Download
memory/4740-140-0x0000000000000000-mapping.dmp

Download
memory/4788-148-0x0000000000000000-mapping.dmp

Download
memory/5048-141-0x0000000000000000-mapping.dmp

Download
memory/5088-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads