651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9

General

Target

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
Size

29KB
MD5

fbf1d90a7ff72d276b094ca59108c7c0
SHA1

6695a10151b261fd9386638eda967a0b12099d83
SHA256

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9
SHA512

f688ff5fd62eed3eddd7d186dd76b8d031671a4936f44f342dfb46ac8560b6c2a0dbbe207db888ba5f5e256cd9725fecb1473242327ffe054f3de30a0a7c2e7d
SSDEEP

768:wvO0qWTN1Zxe3Xbx+yUBdbWzJjDmL/fqbGBnYbX4e40YLf:ktN18QT9mJjC/fqbGdYbX4L0Y

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

4936 icacls.exe
4556 takeown.exe
1764 icacls.exe
1392 takeown.exe
4224 icacls.exe
4904 takeown.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1764 icacls.exe
1392 takeown.exe
4224 icacls.exe
4904 takeown.exe
4936 icacls.exe
4556 takeown.exe

pid	process
4936	icacls.exe
4556	takeown.exe
1764	icacls.exe
1392	takeown.exe
4224	icacls.exe
4904	takeown.exe

pid	process
1764	icacls.exe
1392	takeown.exe
4224	icacls.exe
4904	takeown.exe
4936	icacls.exe
4556	takeown.exe

Drops file in System32 directory 7 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1234325.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File opened for modification	C:\Windows\SysWOW64\1234931.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File created	C:\Windows\SysWOW64\sxload.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File opened for modification	C:\Windows\SysWOW64\12333D2.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

Drops file in Program Files directory 1 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxlzg.tmp 651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3940 taskkill.exe
4788 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxlzg.tmp	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

pid	process
3940	taskkill.exe
4788	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

pid	process
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
Token: SeTakeOwnershipPrivilege	4904	takeown.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	4788	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

pid	process
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 3244	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3068 wrote to memory of 3244	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3068 wrote to memory of 3244	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3244 wrote to memory of 3092	3244	cmd.exe	cmd.exe
PID 3244 wrote to memory of 3092	3244	cmd.exe	cmd.exe
PID 3244 wrote to memory of 3092	3244	cmd.exe	cmd.exe
PID 3092 wrote to memory of 4904	3092	cmd.exe	takeown.exe
PID 3092 wrote to memory of 4904	3092	cmd.exe	takeown.exe
PID 3092 wrote to memory of 4904	3092	cmd.exe	takeown.exe
PID 3244 wrote to memory of 4936	3244	cmd.exe	icacls.exe
PID 3244 wrote to memory of 4936	3244	cmd.exe	icacls.exe
PID 3244 wrote to memory of 4936	3244	cmd.exe	icacls.exe
PID 3068 wrote to memory of 4324	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3068 wrote to memory of 4324	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3068 wrote to memory of 4324	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 4324 wrote to memory of 4296	4324	cmd.exe	cmd.exe
PID 4324 wrote to memory of 4296	4324	cmd.exe	cmd.exe
PID 4324 wrote to memory of 4296	4324	cmd.exe	cmd.exe
PID 4296 wrote to memory of 4556	4296	cmd.exe	takeown.exe
PID 4296 wrote to memory of 4556	4296	cmd.exe	takeown.exe
PID 4296 wrote to memory of 4556	4296	cmd.exe	takeown.exe
PID 4324 wrote to memory of 1764	4324	cmd.exe	icacls.exe
PID 4324 wrote to memory of 1764	4324	cmd.exe	icacls.exe
PID 4324 wrote to memory of 1764	4324	cmd.exe	icacls.exe
PID 3068 wrote to memory of 5008	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3068 wrote to memory of 5008	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3068 wrote to memory of 5008	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 5008 wrote to memory of 1116	5008	cmd.exe	cmd.exe
PID 5008 wrote to memory of 1116	5008	cmd.exe	cmd.exe
PID 5008 wrote to memory of 1116	5008	cmd.exe	cmd.exe
PID 1116 wrote to memory of 1392	1116	cmd.exe	takeown.exe
PID 1116 wrote to memory of 1392	1116	cmd.exe	takeown.exe
PID 1116 wrote to memory of 1392	1116	cmd.exe	takeown.exe
PID 5008 wrote to memory of 4224	5008	cmd.exe	icacls.exe
PID 5008 wrote to memory of 4224	5008	cmd.exe	icacls.exe
PID 5008 wrote to memory of 4224	5008	cmd.exe	icacls.exe
PID 3068 wrote to memory of 3940	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 3068 wrote to memory of 3940	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 3068 wrote to memory of 3940	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 3068 wrote to memory of 4788	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 3068 wrote to memory of 4788	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 3068 wrote to memory of 4788	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	taskkill.exe
PID 3068 wrote to memory of 3716	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3068 wrote to memory of 3716	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe
PID 3068 wrote to memory of 3716	3068	651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe
"C:\Users\Admin\AppData\Local\Temp\651e945d83321c7a357e4435c994e76a76e5afc714f2fbb431b7fd39f993acf9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4556

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1392

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "DragonNest.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "sdologin.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:3716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
99ae74f356b9261715db5e2b0a0f6279

SHA1
770eacd6af34db2885e3b4cf76a86a10fbf3bd88

SHA256
74be0f623870c717555f6d455ba64a8596067b033a9d2385d88ed1472beedfe1

SHA512
09a37eb99cdf1a4ad0bf3b119cc0283251c803db8e65075b53edf46877fb80490724e29231c568e32f835334f624a2266cf69c51f977ee3b822b023cbdaebd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
c5aeb7380529d5a609517e724bcf54fc

SHA1
f0af09b6abb466bfa80e60fa705af5e665e2a4a3

SHA256
7069b1d3c2a83a731e07e8a9bc068c0460dece876e46c883da86660da4c7ebd1

SHA512
ba1f2af12e6ce7d5a5db00f48193b1888d2352e7459a38f0cf310d5df82806b58c9e72d9208ab9e3fe66a161e09a614b01cbbb823d1a1046f5dd6ae234b0cbcc

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
e8e5bb24636ba0fb68e42defc8fd5a85

SHA1
7a6042c4b5c43f2066adde46f43e63e5a697729e

SHA256
c69d6190423cf0f2b81acf2745200b7009a5d6ef0f1845351cedf72587794517

SHA512
2dc4b0ecd185c4432fec463d916b9513280ebcf295dba84338d6677611c854d2e5c244885c969c85864f7e3d7eb801e10a8f34202fb7eb768671fa49bf756471

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
192KB

MD5
c5aeb7380529d5a609517e724bcf54fc

SHA1
f0af09b6abb466bfa80e60fa705af5e665e2a4a3

SHA256
7069b1d3c2a83a731e07e8a9bc068c0460dece876e46c883da86660da4c7ebd1

SHA512
ba1f2af12e6ce7d5a5db00f48193b1888d2352e7459a38f0cf310d5df82806b58c9e72d9208ab9e3fe66a161e09a614b01cbbb823d1a1046f5dd6ae234b0cbcc

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
e8e5bb24636ba0fb68e42defc8fd5a85

SHA1
7a6042c4b5c43f2066adde46f43e63e5a697729e

SHA256
c69d6190423cf0f2b81acf2745200b7009a5d6ef0f1845351cedf72587794517

SHA512
2dc4b0ecd185c4432fec463d916b9513280ebcf295dba84338d6677611c854d2e5c244885c969c85864f7e3d7eb801e10a8f34202fb7eb768671fa49bf756471

Download Submit
memory/1116-146-0x0000000000000000-mapping.dmp

Download
memory/1392-147-0x0000000000000000-mapping.dmp

Download
memory/1764-141-0x0000000000000000-mapping.dmp

Download
memory/3092-134-0x0000000000000000-mapping.dmp

Download
memory/3244-132-0x0000000000000000-mapping.dmp

Download
memory/3716-153-0x0000000000000000-mapping.dmp

Download
memory/3940-151-0x0000000000000000-mapping.dmp

Download
memory/4224-148-0x0000000000000000-mapping.dmp

Download
memory/4296-139-0x0000000000000000-mapping.dmp

Download
memory/4324-137-0x0000000000000000-mapping.dmp

Download
memory/4556-140-0x0000000000000000-mapping.dmp

Download
memory/4788-152-0x0000000000000000-mapping.dmp

Download
memory/4904-135-0x0000000000000000-mapping.dmp

Download
memory/4936-136-0x0000000000000000-mapping.dmp

Download
memory/5008-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads