dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475

General

Target

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
Size

26KB
MD5

dfa35b623474c00c8bec67e0b7083f1e
SHA1

f61e6cbe503c61e5e9365bee280f42ed74ae68a7
SHA256

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475
SHA512

e825fb9ef5ec4fe31da1cd4571b065087153c163781759e51a4ef582c73f095802012b8cbdc6fb90802a8ba82125cbf25f25b7632276255906f6290d36ac6747
SSDEEP

768:h2BOSJ9OeJp5njhsErEsiUvcWRgj5OU01uWGUekpNE:hslX1sErlzcDlOxQWGU

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1632 takeown.exe
568 icacls.exe
1276 takeown.exe
1500 icacls.exe
688 takeown.exe
676 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1792 cmd.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1276 takeown.exe
1500 icacls.exe
688 takeown.exe
676 icacls.exe
1632 takeown.exe
568 icacls.exe

pid	process
1632	takeown.exe
568	icacls.exe
1276	takeown.exe
1500	icacls.exe
688	takeown.exe
676	icacls.exe

pid	process
1792	cmd.exe

pid	process
1276	takeown.exe
1500	icacls.exe
688	takeown.exe
676	icacls.exe
1632	takeown.exe
568	icacls.exe

Drops file in System32 directory 10 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

description	ioc	process
File opened for modification	C:\Windows\syswow64\1231EE9.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File opened for modification	C:\Windows\SysWOW64\1232CDE.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File opened for modification	C:\Windows\syswow64\1232CDE.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File opened for modification	C:\Windows\SysWOW64\123CEE.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File opened for modification	C:\Windows\SysWOW64\1231EE9.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File created	C:\Windows\SysWOW64\sxload.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File opened for modification	C:\Windows\syswow64\123CEE.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

Drops file in Program Files directory 1 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sx918.tmp dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1984 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

pid process

1052 dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sx918.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

pid	process
1984	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
Token: SeTakeOwnershipPrivilege	1276	takeown.exe
Token: SeDebugPrivilege	1984	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

pid	process
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 996	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 996	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 996	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 996	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 996 wrote to memory of 1700	996	cmd.exe	cmd.exe
PID 996 wrote to memory of 1700	996	cmd.exe	cmd.exe
PID 996 wrote to memory of 1700	996	cmd.exe	cmd.exe
PID 996 wrote to memory of 1700	996	cmd.exe	cmd.exe
PID 1700 wrote to memory of 1276	1700	cmd.exe	takeown.exe
PID 1700 wrote to memory of 1276	1700	cmd.exe	takeown.exe
PID 1700 wrote to memory of 1276	1700	cmd.exe	takeown.exe
PID 1700 wrote to memory of 1276	1700	cmd.exe	takeown.exe
PID 996 wrote to memory of 1500	996	cmd.exe	icacls.exe
PID 996 wrote to memory of 1500	996	cmd.exe	icacls.exe
PID 996 wrote to memory of 1500	996	cmd.exe	icacls.exe
PID 996 wrote to memory of 1500	996	cmd.exe	icacls.exe
PID 1052 wrote to memory of 776	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 776	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 776	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 776	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 776 wrote to memory of 940	776	cmd.exe	cmd.exe
PID 776 wrote to memory of 940	776	cmd.exe	cmd.exe
PID 776 wrote to memory of 940	776	cmd.exe	cmd.exe
PID 776 wrote to memory of 940	776	cmd.exe	cmd.exe
PID 940 wrote to memory of 688	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 688	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 688	940	cmd.exe	takeown.exe
PID 940 wrote to memory of 688	940	cmd.exe	takeown.exe
PID 776 wrote to memory of 676	776	cmd.exe	icacls.exe
PID 776 wrote to memory of 676	776	cmd.exe	icacls.exe
PID 776 wrote to memory of 676	776	cmd.exe	icacls.exe
PID 776 wrote to memory of 676	776	cmd.exe	icacls.exe
PID 1052 wrote to memory of 968	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 968	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 968	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 968	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 968 wrote to memory of 864	968	cmd.exe	cmd.exe
PID 968 wrote to memory of 864	968	cmd.exe	cmd.exe
PID 968 wrote to memory of 864	968	cmd.exe	cmd.exe
PID 968 wrote to memory of 864	968	cmd.exe	cmd.exe
PID 864 wrote to memory of 1632	864	cmd.exe	takeown.exe
PID 864 wrote to memory of 1632	864	cmd.exe	takeown.exe
PID 864 wrote to memory of 1632	864	cmd.exe	takeown.exe
PID 864 wrote to memory of 1632	864	cmd.exe	takeown.exe
PID 968 wrote to memory of 568	968	cmd.exe	icacls.exe
PID 968 wrote to memory of 568	968	cmd.exe	icacls.exe
PID 968 wrote to memory of 568	968	cmd.exe	icacls.exe
PID 968 wrote to memory of 568	968	cmd.exe	icacls.exe
PID 1052 wrote to memory of 1984	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	taskkill.exe
PID 1052 wrote to memory of 1984	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	taskkill.exe
PID 1052 wrote to memory of 1984	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	taskkill.exe
PID 1052 wrote to memory of 1984	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	taskkill.exe
PID 1052 wrote to memory of 1792	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 1792	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 1792	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 1052 wrote to memory of 1792	1052	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
"C:\Users\Admin\AppData\Local\Temp\dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:688

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:676

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1632

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "Game918.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1792

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
d5e100463ee08875bae13428aa7fbdc5

SHA1
a18ad0ec6656ea26837105f6e1cf32e6b2b5c0be

SHA256
06a77379ca85ec0970084b0027b24db8ff3d1aed5ff5869ed2436dd204f20234

SHA512
3f8a151c13a83b00e3786998846c068e4b542428a1ce1f8de4b43f4b5df0f75e34391fbe8e9f56df22a31c6099ebc534673c2ba288d40664ef31c1f1cc4a0de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
101KB

MD5
a700ae6bd802b5a6b142884c281bf490

SHA1
b58bbcf2ca7372d03a36cc12f61a1550e4500700

SHA256
1d828f02d67ea939f85adce835027a039ee6d7ea810e7df692ff9f5e96dad40c

SHA512
6007d46d17d6f13a2ba4332d873e0e9f01c3bb7bddf92061d07cc406d132755fee55dd9df560e6394075e995ea8b80609b0956b8707da1726ff2fb7a3c410584

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
cddf10bcfb67b5c85c26b592fe5d9e5f

SHA1
f5288a629ea2a4790fc99627e9faa1c66cfabb28

SHA256
f0190e3604ba8d576eb254fa9ee51c3bd0851012aed993e96519e7d9daadb623

SHA512
641a982840593bcaefcbe60a3a6f669017ec8737c04cbeffb827f116c9f59ebe62724c0a5a3cafd843e0630d701820ddf5b2af8bf8bbb9fab47bff8b9172b5f2

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
101KB

MD5
a700ae6bd802b5a6b142884c281bf490

SHA1
b58bbcf2ca7372d03a36cc12f61a1550e4500700

SHA256
1d828f02d67ea939f85adce835027a039ee6d7ea810e7df692ff9f5e96dad40c

SHA512
6007d46d17d6f13a2ba4332d873e0e9f01c3bb7bddf92061d07cc406d132755fee55dd9df560e6394075e995ea8b80609b0956b8707da1726ff2fb7a3c410584

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
11KB

MD5
cddf10bcfb67b5c85c26b592fe5d9e5f

SHA1
f5288a629ea2a4790fc99627e9faa1c66cfabb28

SHA256
f0190e3604ba8d576eb254fa9ee51c3bd0851012aed993e96519e7d9daadb623

SHA512
641a982840593bcaefcbe60a3a6f669017ec8737c04cbeffb827f116c9f59ebe62724c0a5a3cafd843e0630d701820ddf5b2af8bf8bbb9fab47bff8b9172b5f2

Download Submit
memory/568-77-0x0000000000000000-mapping.dmp

Download
memory/676-67-0x0000000000000000-mapping.dmp

Download
memory/688-66-0x0000000000000000-mapping.dmp

Download
memory/776-63-0x0000000000000000-mapping.dmp

Download
memory/864-75-0x0000000000000000-mapping.dmp

Download
memory/940-65-0x0000000000000000-mapping.dmp

Download
memory/968-73-0x0000000000000000-mapping.dmp

Download
memory/996-55-0x0000000000000000-mapping.dmp

Download
memory/1052-60-0x0000000074721000-0x0000000074723000-memory.dmp

Filesize
8KB

Download
memory/1052-61-0x0000000074571000-0x0000000074573000-memory.dmp

Filesize
8KB

Download
memory/1052-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1276-58-0x0000000000000000-mapping.dmp

Download
memory/1500-59-0x0000000000000000-mapping.dmp

Download
memory/1632-76-0x0000000000000000-mapping.dmp

Download
memory/1700-57-0x0000000000000000-mapping.dmp

Download
memory/1792-84-0x0000000000000000-mapping.dmp

Download
memory/1984-83-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads