2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84

General

Target

2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
Size

26KB
MD5

b61c194ce676d3965901a8d0c93969a0
SHA1

d71dc8b82c57e634153849ae6d2be422d1cb9a7e
SHA256

2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84
SHA512

613f9e11754c9a9248796ec691e812e000c77743d5b1b1a886cdb8a545c0da5fb5d71059d3fb5f4dc6153b14d4f386aea43b17c43a0ca1e1ecb965c92b582e33
SSDEEP

384:JlgMKBbsAGJt0l0OQL8nj9vvFnVoOVYI/q8qJj9LGb4GT79wLmibpFHH8W76S:JOtuzJCSOq8hFnyOzSMfT7SmoT6S

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1184 takeown.exe
904 icacls.exe
1680 takeown.exe
1804 icacls.exe
1736 takeown.exe
804 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1964 cmd.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1680 takeown.exe
1804 icacls.exe
1736 takeown.exe
804 icacls.exe
1184 takeown.exe
904 icacls.exe

pid	process
1184	takeown.exe
904	icacls.exe
1680	takeown.exe
1804	icacls.exe
1736	takeown.exe
804	icacls.exe

pid	process
1964	cmd.exe

pid	process
1680	takeown.exe
1804	icacls.exe
1736	takeown.exe
804	icacls.exe
1184	takeown.exe
904	icacls.exe

Drops file in System32 directory 10 IoCs

Processes:

2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe

description	ioc	process
File opened for modification	C:\Windows\syswow64\123CD42.tmp	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File opened for modification	C:\Windows\syswow64\1237F30.tmp	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File opened for modification	C:\Windows\syswow64\1238C7A.tmp	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File opened for modification	C:\Windows\SysWOW64\123CD42.tmp	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File created	C:\Windows\SysWOW64\sxload.tmp	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File opened for modification	C:\Windows\SysWOW64\1237F30.tmp	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
File opened for modification	C:\Windows\SysWOW64\1238C7A.tmp	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe

Drops file in Program Files directory 1 IoCs

Processes:

2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxqsg.tmp 2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1976 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe

pid process

1524 2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxqsg.tmp	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe

pid	process
1976	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
Token: SeTakeOwnershipPrivilege	1184	takeown.exe
Token: SeDebugPrivilege	1976	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe

pid	process
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1524 wrote to memory of 1356	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1356	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1356	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1356	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1356 wrote to memory of 652	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 652	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 652	1356	cmd.exe	cmd.exe
PID 1356 wrote to memory of 652	1356	cmd.exe	cmd.exe
PID 652 wrote to memory of 1184	652	cmd.exe	takeown.exe
PID 652 wrote to memory of 1184	652	cmd.exe	takeown.exe
PID 652 wrote to memory of 1184	652	cmd.exe	takeown.exe
PID 652 wrote to memory of 1184	652	cmd.exe	takeown.exe
PID 1356 wrote to memory of 904	1356	cmd.exe	icacls.exe
PID 1356 wrote to memory of 904	1356	cmd.exe	icacls.exe
PID 1356 wrote to memory of 904	1356	cmd.exe	icacls.exe
PID 1356 wrote to memory of 904	1356	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1412	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1412	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1412	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1412	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1412 wrote to memory of 968	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 968	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 968	1412	cmd.exe	cmd.exe
PID 1412 wrote to memory of 968	1412	cmd.exe	cmd.exe
PID 968 wrote to memory of 1680	968	cmd.exe	takeown.exe
PID 968 wrote to memory of 1680	968	cmd.exe	takeown.exe
PID 968 wrote to memory of 1680	968	cmd.exe	takeown.exe
PID 968 wrote to memory of 1680	968	cmd.exe	takeown.exe
PID 1412 wrote to memory of 1804	1412	cmd.exe	icacls.exe
PID 1412 wrote to memory of 1804	1412	cmd.exe	icacls.exe
PID 1412 wrote to memory of 1804	1412	cmd.exe	icacls.exe
PID 1412 wrote to memory of 1804	1412	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1132	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1132	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1132	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1132	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1132 wrote to memory of 620	1132	cmd.exe	cmd.exe
PID 1132 wrote to memory of 620	1132	cmd.exe	cmd.exe
PID 1132 wrote to memory of 620	1132	cmd.exe	cmd.exe
PID 1132 wrote to memory of 620	1132	cmd.exe	cmd.exe
PID 620 wrote to memory of 1736	620	cmd.exe	takeown.exe
PID 620 wrote to memory of 1736	620	cmd.exe	takeown.exe
PID 620 wrote to memory of 1736	620	cmd.exe	takeown.exe
PID 620 wrote to memory of 1736	620	cmd.exe	takeown.exe
PID 1132 wrote to memory of 804	1132	cmd.exe	icacls.exe
PID 1132 wrote to memory of 804	1132	cmd.exe	icacls.exe
PID 1132 wrote to memory of 804	1132	cmd.exe	icacls.exe
PID 1132 wrote to memory of 804	1132	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1976	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	taskkill.exe
PID 1524 wrote to memory of 1976	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	taskkill.exe
PID 1524 wrote to memory of 1976	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	taskkill.exe
PID 1524 wrote to memory of 1976	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	taskkill.exe
PID 1524 wrote to memory of 1964	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1964	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1964	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe
PID 1524 wrote to memory of 1964	1524	2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe
"C:\Users\Admin\AppData\Local\Temp\2898bed33504d72adb0a8f7b0b9f2471785b93ea5073a0705ae3c6dbe9523e84.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1680

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1736

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "QQSG.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1964

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
e4a57207ac3f23ecb8c0f0186f8d56a3

SHA1
473e7f0c4a4899d6070021a11d0500d5f5ad42e5

SHA256
b52609877bad59d2f434825d6316089a8377012e7a8e95d34e50f8d40f04a682

SHA512
74078394752eea8ce2deb13cea9c6bdc6f09764629af3adde05e8d493387fb7ddda8f91f844dc95877f26372f67d2615f707f5a0f3df79856c1643978b82a7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
101KB

MD5
0af23ae85dc7a49d1c15c219b010b67a

SHA1
1071a6ec0c9fb52150bcddf972782b312cf80d78

SHA256
31e1a0611a44c8f3b2d79d04f6309e3960cd465a46b24a7c3cfea4f344b19958

SHA512
2ed2e9ced2f0ae1e2532a8f7b862cacd4277a50e7aa4bc884bd21e793c56f3fc783e5052b4fa2c028760b07de263bfa31a0d0bd073f540c86fa7a36c9f27785d

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
c976090afd0cc9ccb6ddaddf5fbaeb42

SHA1
af4316318a1ee4874e383eea062f402c19c7f6ba

SHA256
8cd51d10f75634258f7dfc3b3595e9aff9868f674e43e9452efa33df48c40e63

SHA512
72ab428290b7797a525d6ad9a897ae4c0d61d5d6a96cda0a8bbc8f5cd41db52b5bd086798a53dd7510f1309c6e4b8eff7dcb4b439c6bcaec7e0ff3aab1eb0c1b

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
101KB

MD5
0af23ae85dc7a49d1c15c219b010b67a

SHA1
1071a6ec0c9fb52150bcddf972782b312cf80d78

SHA256
31e1a0611a44c8f3b2d79d04f6309e3960cd465a46b24a7c3cfea4f344b19958

SHA512
2ed2e9ced2f0ae1e2532a8f7b862cacd4277a50e7aa4bc884bd21e793c56f3fc783e5052b4fa2c028760b07de263bfa31a0d0bd073f540c86fa7a36c9f27785d

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
11KB

MD5
c976090afd0cc9ccb6ddaddf5fbaeb42

SHA1
af4316318a1ee4874e383eea062f402c19c7f6ba

SHA256
8cd51d10f75634258f7dfc3b3595e9aff9868f674e43e9452efa33df48c40e63

SHA512
72ab428290b7797a525d6ad9a897ae4c0d61d5d6a96cda0a8bbc8f5cd41db52b5bd086798a53dd7510f1309c6e4b8eff7dcb4b439c6bcaec7e0ff3aab1eb0c1b

Download Submit
memory/620-75-0x0000000000000000-mapping.dmp

Download
memory/652-57-0x0000000000000000-mapping.dmp

Download
memory/804-77-0x0000000000000000-mapping.dmp

Download
memory/904-59-0x0000000000000000-mapping.dmp

Download
memory/968-65-0x0000000000000000-mapping.dmp

Download
memory/1132-73-0x0000000000000000-mapping.dmp

Download
memory/1184-58-0x0000000000000000-mapping.dmp

Download
memory/1356-55-0x0000000000000000-mapping.dmp

Download
memory/1412-63-0x0000000000000000-mapping.dmp

Download
memory/1524-80-0x00000000740E1000-0x00000000740E3000-memory.dmp

Filesize
8KB

Download
memory/1524-61-0x00000000743E1000-0x00000000743E3000-memory.dmp

Filesize
8KB

Download
memory/1524-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1524-60-0x0000000074591000-0x0000000074593000-memory.dmp

Filesize
8KB

Download
memory/1680-66-0x0000000000000000-mapping.dmp

Download
memory/1736-76-0x0000000000000000-mapping.dmp

Download
memory/1804-67-0x0000000000000000-mapping.dmp

Download
memory/1964-83-0x0000000000000000-mapping.dmp

Download
memory/1976-82-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads