651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9

General

Target

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
Size

29KB
MD5

fbf1d90a7ff72d276b094ca59108c7c0
SHA1

6695a10151b261fd9386638eda967a0b12099d83
SHA256

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9
SHA512

f688ff5fd62eed3eddd7d186dd76b8d031671a4936f44f342dfb46ac8560b6c2a0dbbe207db888ba5f5e256cd9725fecb1473242327ffe054f3de30a0a7c2e7d
SSDEEP

768:wvO0qWTN1Zxe3Xbx+yUBdbWzJjDmL/fqbGBnYbX4e40YLf:ktN18QT9mJjC/fqbGdYbX4L0Y

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1240 takeown.exe
680 icacls.exe
1692 takeown.exe
1448 icacls.exe
1676 takeown.exe
1404 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1784 cmd.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1692 takeown.exe
1448 icacls.exe
1676 takeown.exe
1404 icacls.exe
1240 takeown.exe
680 icacls.exe

pid	process
1240	takeown.exe
680	icacls.exe
1692	takeown.exe
1448	icacls.exe
1676	takeown.exe
1404	icacls.exe

pid	process
1784	cmd.exe

pid	process
1692	takeown.exe
1448	icacls.exe
1676	takeown.exe
1404	icacls.exe
1240	takeown.exe
680	icacls.exe

Drops file in System32 directory 10 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\123FEAB.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File opened for modification	C:\Windows\SysWOW64\123428F.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File opened for modification	C:\Windows\syswow64\123428F.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File created	C:\Windows\SysWOW64\sxload.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File opened for modification	C:\Windows\syswow64\123FEAB.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File opened for modification	C:\Windows\SysWOW64\1234EA1.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File opened for modification	C:\Windows\syswow64\1234EA1.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

Drops file in Program Files directory 1 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxlzg.tmp 651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

824 taskkill.exe
1688 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

pid process

2036 651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxlzg.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

pid	process
824	taskkill.exe
1688	taskkill.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exetakeown.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
Token: SeTakeOwnershipPrivilege	1240	takeown.exe
Token: SeTakeOwnershipPrivilege	1692	takeown.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

pid	process
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1740	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1740	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1740	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1740	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 1740 wrote to memory of 1852	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 1852	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 1852	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 1852	1740	cmd.exe	cmd.exe
PID 1852 wrote to memory of 1240	1852	cmd.exe	takeown.exe
PID 1852 wrote to memory of 1240	1852	cmd.exe	takeown.exe
PID 1852 wrote to memory of 1240	1852	cmd.exe	takeown.exe
PID 1852 wrote to memory of 1240	1852	cmd.exe	takeown.exe
PID 1740 wrote to memory of 680	1740	cmd.exe	icacls.exe
PID 1740 wrote to memory of 680	1740	cmd.exe	icacls.exe
PID 1740 wrote to memory of 680	1740	cmd.exe	icacls.exe
PID 1740 wrote to memory of 680	1740	cmd.exe	icacls.exe
PID 2036 wrote to memory of 1200	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1200	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1200	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1200	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 1200 wrote to memory of 520	1200	cmd.exe	cmd.exe
PID 1200 wrote to memory of 520	1200	cmd.exe	cmd.exe
PID 1200 wrote to memory of 520	1200	cmd.exe	cmd.exe
PID 1200 wrote to memory of 520	1200	cmd.exe	cmd.exe
PID 520 wrote to memory of 1692	520	cmd.exe	takeown.exe
PID 520 wrote to memory of 1692	520	cmd.exe	takeown.exe
PID 520 wrote to memory of 1692	520	cmd.exe	takeown.exe
PID 520 wrote to memory of 1692	520	cmd.exe	takeown.exe
PID 1200 wrote to memory of 1448	1200	cmd.exe	icacls.exe
PID 1200 wrote to memory of 1448	1200	cmd.exe	icacls.exe
PID 1200 wrote to memory of 1448	1200	cmd.exe	icacls.exe
PID 1200 wrote to memory of 1448	1200	cmd.exe	icacls.exe
PID 2036 wrote to memory of 1624	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1624	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1624	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1624	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 1624 wrote to memory of 1368	1624	cmd.exe	cmd.exe
PID 1624 wrote to memory of 1368	1624	cmd.exe	cmd.exe
PID 1624 wrote to memory of 1368	1624	cmd.exe	cmd.exe
PID 1624 wrote to memory of 1368	1624	cmd.exe	cmd.exe
PID 1368 wrote to memory of 1676	1368	cmd.exe	takeown.exe
PID 1368 wrote to memory of 1676	1368	cmd.exe	takeown.exe
PID 1368 wrote to memory of 1676	1368	cmd.exe	takeown.exe
PID 1368 wrote to memory of 1676	1368	cmd.exe	takeown.exe
PID 1624 wrote to memory of 1404	1624	cmd.exe	icacls.exe
PID 1624 wrote to memory of 1404	1624	cmd.exe	icacls.exe
PID 1624 wrote to memory of 1404	1624	cmd.exe	icacls.exe
PID 1624 wrote to memory of 1404	1624	cmd.exe	icacls.exe
PID 2036 wrote to memory of 824	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 2036 wrote to memory of 824	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 2036 wrote to memory of 824	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 2036 wrote to memory of 824	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 2036 wrote to memory of 1688	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 2036 wrote to memory of 1688	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 2036 wrote to memory of 1688	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 2036 wrote to memory of 1688	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 2036 wrote to memory of 1784	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1784	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1784	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 2036 wrote to memory of 1784	2036	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
"C:\Users\Admin\AppData\Local\Temp\651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:680

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1448

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1676

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1404

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "DragonNest.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "sdologin.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1784

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
99ae74f356b9261715db5e2b0a0f6279

SHA1
770eacd6af34db2885e3b4cf76a86a10fbf3bd88

SHA256
74be0f623870c717555f6d455ba64a8596067b033a9d2385d88ed1472beedfe1

SHA512
09a37eb99cdf1a4ad0bf3b119cc0283251c803db8e65075b53edf46877fb80490724e29231c568e32f835334f624a2266cf69c51f977ee3b822b023cbdaebd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\123FEAB.tmp
Filesize
101KB

MD5
1c4ff19e9ab12f56c31b2e9cfd4fa035

SHA1
c075bc7e3674cd0a56bc29ea612c403562c370d4

SHA256
64b748d433fc03549cce0d069df2da23198124fa087948df7947d82b51d42791

SHA512
b9c9cbfbbe2e89c963531cad0351ed666482d99957e7cca20bd5af9320f89e5f83f0e89788d1f9a05418a65f305eba89fdc0294e24731394aa23a0cb383fc87d

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
101KB

MD5
a90dc9abd65db1a8902f361103029952

SHA1
63e1e92df2f25c024565c3343233844b92d69469

SHA256
26798758976ce53251ac342b966be0363ae1794bd965c452f5debc33e18969f0

SHA512
462e5870ad942403d09941bc1e43f3db9103faf93ac972d9ff8f5fc46161a0adb1203b539760c2f122840f7ce931f5d59506fe7d5b28ef872db629cbf5768ccd

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
356bcdd2693b21c9699cee79696ddbbd

SHA1
fbcd89dba31cab0a1e60f1a550163b7b1118825a

SHA256
038c4659168dbe965511c016fec4dbe3beab157c39c7e4c37c2a0e3ae013cad4

SHA512
58fb6aa609c2dee9eaa91c35e28ef95fb6a6001c35a91eb766281906d188550736d16ee401fd5bcd8fcece91e836133ad5212a676e4c88c62714f21c1695d52f

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
11KB

MD5
356bcdd2693b21c9699cee79696ddbbd

SHA1
fbcd89dba31cab0a1e60f1a550163b7b1118825a

SHA256
038c4659168dbe965511c016fec4dbe3beab157c39c7e4c37c2a0e3ae013cad4

SHA512
58fb6aa609c2dee9eaa91c35e28ef95fb6a6001c35a91eb766281906d188550736d16ee401fd5bcd8fcece91e836133ad5212a676e4c88c62714f21c1695d52f

Download Submit
memory/520-63-0x0000000000000000-mapping.dmp

Download
memory/680-59-0x0000000000000000-mapping.dmp

Download
memory/824-81-0x0000000000000000-mapping.dmp

Download
memory/1200-61-0x0000000000000000-mapping.dmp

Download
memory/1240-58-0x0000000000000000-mapping.dmp

Download
memory/1368-73-0x0000000000000000-mapping.dmp

Download
memory/1404-75-0x0000000000000000-mapping.dmp

Download
memory/1448-65-0x0000000000000000-mapping.dmp

Download
memory/1624-71-0x0000000000000000-mapping.dmp

Download
memory/1676-74-0x0000000000000000-mapping.dmp

Download
memory/1688-82-0x0000000000000000-mapping.dmp

Download
memory/1692-64-0x0000000000000000-mapping.dmp

Download
memory/1740-55-0x0000000000000000-mapping.dmp

Download
memory/1784-83-0x0000000000000000-mapping.dmp

Download
memory/1852-57-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2036-68-0x0000000074C61000-0x0000000074C63000-memory.dmp

Filesize
8KB

Download
memory/2036-60-0x0000000074FC1000-0x0000000074FC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads