25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca

General

Target

25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
Size

29KB
MD5

c196d786a061ac05f9545dd5824d7a62
SHA1

99c1bd4c85d1276fd4ddb502e924b0f65a0449a5
SHA256

25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca
SHA512

dad86eba441ffbd832873fdb24e7631bcba270d5b809ed82b757d9e35a2d6b7cc32965c73ff91efd94c4db08e795117148ebfe917384dd6c8ec28652dcc5acbb
SSDEEP

384:YzdDhvRpxaD2uq96bcuZr775Lz71oQXDX4CcqhY0IZFk+Sde3nPG3CRJrG8O7kB:iZod+atLzxoaHcqpIkPI+Ui8kkB

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

820 takeown.exe
1048 icacls.exe
1872 takeown.exe
2004 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

524 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1048 icacls.exe
1872 takeown.exe
2004 icacls.exe
820 takeown.exe

pid	process
820	takeown.exe
1048	icacls.exe
1872	takeown.exe
2004	icacls.exe

pid	process
524	cmd.exe

pid	process
1048	icacls.exe
1872	takeown.exe
2004	icacls.exe
820	takeown.exe

Drops file in System32 directory 7 IoCs

Processes:

25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1232963.tmp	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
File opened for modification	C:\Windows\syswow64\1232963.tmp	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
File opened for modification	C:\Windows\SysWOW64\1233804.tmp	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
File opened for modification	C:\Windows\syswow64\1233804.tmp	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
File created	C:\Windows\SysWOW64\sxload.tmp	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe

Drops file in Program Files directory 1 IoCs

Processes:

25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxzt2.tmp 25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1560 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe

pid process

856 25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxzt2.tmp	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe

pid	process
1560	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
Token: SeTakeOwnershipPrivilege	820	takeown.exe
Token: SeDebugPrivilege	1560	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe

pid	process
856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 856 wrote to memory of 1104	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 1104	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 1104	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 1104	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 1104 wrote to memory of 936	1104	cmd.exe	cmd.exe
PID 1104 wrote to memory of 936	1104	cmd.exe	cmd.exe
PID 1104 wrote to memory of 936	1104	cmd.exe	cmd.exe
PID 1104 wrote to memory of 936	1104	cmd.exe	cmd.exe
PID 936 wrote to memory of 820	936	cmd.exe	takeown.exe
PID 936 wrote to memory of 820	936	cmd.exe	takeown.exe
PID 936 wrote to memory of 820	936	cmd.exe	takeown.exe
PID 936 wrote to memory of 820	936	cmd.exe	takeown.exe
PID 1104 wrote to memory of 1048	1104	cmd.exe	icacls.exe
PID 1104 wrote to memory of 1048	1104	cmd.exe	icacls.exe
PID 1104 wrote to memory of 1048	1104	cmd.exe	icacls.exe
PID 1104 wrote to memory of 1048	1104	cmd.exe	icacls.exe
PID 856 wrote to memory of 1020	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 1020	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 1020	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 1020	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 1020 wrote to memory of 572	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 572	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 572	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 572	1020	cmd.exe	cmd.exe
PID 572 wrote to memory of 1872	572	cmd.exe	takeown.exe
PID 572 wrote to memory of 1872	572	cmd.exe	takeown.exe
PID 572 wrote to memory of 1872	572	cmd.exe	takeown.exe
PID 572 wrote to memory of 1872	572	cmd.exe	takeown.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	icacls.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	icacls.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	icacls.exe
PID 1020 wrote to memory of 2004	1020	cmd.exe	icacls.exe
PID 856 wrote to memory of 1560	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	taskkill.exe
PID 856 wrote to memory of 1560	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	taskkill.exe
PID 856 wrote to memory of 1560	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	taskkill.exe
PID 856 wrote to memory of 1560	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	taskkill.exe
PID 856 wrote to memory of 524	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 524	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 524	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe
PID 856 wrote to memory of 524	856	25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe
"C:\Users\Admin\AppData\Local\Temp\25ca3b510f4fcf9ff68a842b97ce57ea17d3784337012b3e7c674b9ff9b01bca.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1048

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1872

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "zhengtu2.dat"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:524

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
f4d20f7a63ccb80d4c980935c0b39b0c

SHA1
4763f70872c293ce4a4d617de55ebb0ff3ccf7bc

SHA256
70c13a66b4eeba3f8012cd48d17b98f31b601a4427e55e192be5a783e6bf81e5

SHA512
c406975c25e9e55004fb73a07cd73a6035ceec0702442a13fd33912266634c5eb8a56ad141065cc75545e533477d4fa4ef3681c300a6d653aac7d64663aa8a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
5196a8ad60443db7b57e5c742b545154

SHA1
9bbd9d8604ccb95b3e753ebac5ce3efb9fa4496c

SHA256
a03ceab4de64945f89d51da7c49b75e778d947c1ae83d98cdf201e24690ce2ab

SHA512
810f327859cc5f54ebed93b28dff785513efffc891d0e1829c0f468d7c315d6ba5600a91e18c23b02a5cbf04ba250bd2e40e9cea1d356b190d4e5894b355c4a8

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
11KB

MD5
5196a8ad60443db7b57e5c742b545154

SHA1
9bbd9d8604ccb95b3e753ebac5ce3efb9fa4496c

SHA256
a03ceab4de64945f89d51da7c49b75e778d947c1ae83d98cdf201e24690ce2ab

SHA512
810f327859cc5f54ebed93b28dff785513efffc891d0e1829c0f468d7c315d6ba5600a91e18c23b02a5cbf04ba250bd2e40e9cea1d356b190d4e5894b355c4a8

Download Submit
memory/524-74-0x0000000000000000-mapping.dmp

Download
memory/572-65-0x0000000000000000-mapping.dmp

Download
memory/820-58-0x0000000000000000-mapping.dmp

Download
memory/856-60-0x0000000074C61000-0x0000000074C63000-memory.dmp

Filesize
8KB

Download
memory/856-61-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/856-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/936-57-0x0000000000000000-mapping.dmp

Download
memory/1020-63-0x0000000000000000-mapping.dmp

Download
memory/1048-59-0x0000000000000000-mapping.dmp

Download
memory/1104-55-0x0000000000000000-mapping.dmp

Download
memory/1560-73-0x0000000000000000-mapping.dmp

Download
memory/1872-66-0x0000000000000000-mapping.dmp

Download
memory/2004-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads