dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475

General

Target

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
Size

26KB
MD5

dfa35b623474c00c8bec67e0b7083f1e
SHA1

f61e6cbe503c61e5e9365bee280f42ed74ae68a7
SHA256

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475
SHA512

e825fb9ef5ec4fe31da1cd4571b065087153c163781759e51a4ef582c73f095802012b8cbdc6fb90802a8ba82125cbf25f25b7632276255906f6290d36ac6747
SSDEEP

768:h2BOSJ9OeJp5njhsErEsiUvcWRgj5OU01uWGUekpNE:hslX1sErlzcDlOxQWGU

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4360 takeown.exe
2700 icacls.exe
4332 takeown.exe
4564 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

2700 icacls.exe
4332 takeown.exe
4564 icacls.exe
4360 takeown.exe

pid	process
4360	takeown.exe
2700	icacls.exe
4332	takeown.exe
4564	icacls.exe

pid	process
2700	icacls.exe
4332	takeown.exe
4564	icacls.exe
4360	takeown.exe

Drops file in System32 directory 7 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File opened for modification	C:\Windows\SysWOW64\123EAC4.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File opened for modification	C:\Windows\SysWOW64\123F015.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File created	C:\Windows\SysWOW64\sxload.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
File opened for modification	C:\Windows\SysWOW64\123DF98.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

Drops file in Program Files directory 1 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sx918.tmp dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4588 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sx918.tmp	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

pid	process
4588	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

pid	process
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
Token: SeTakeOwnershipPrivilege	4360	takeown.exe
Token: SeDebugPrivilege	4588	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

pid	process
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4644 wrote to memory of 4836	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 4836	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 4836	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4836 wrote to memory of 4620	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 4620	4836	cmd.exe	cmd.exe
PID 4836 wrote to memory of 4620	4836	cmd.exe	cmd.exe
PID 4620 wrote to memory of 4360	4620	cmd.exe	takeown.exe
PID 4620 wrote to memory of 4360	4620	cmd.exe	takeown.exe
PID 4620 wrote to memory of 4360	4620	cmd.exe	takeown.exe
PID 4836 wrote to memory of 2700	4836	cmd.exe	icacls.exe
PID 4836 wrote to memory of 2700	4836	cmd.exe	icacls.exe
PID 4836 wrote to memory of 2700	4836	cmd.exe	icacls.exe
PID 4644 wrote to memory of 4636	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 4636	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 4636	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 2252	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 2252	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 2252	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 2252 wrote to memory of 4232	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 4232	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 4232	2252	cmd.exe	cmd.exe
PID 4232 wrote to memory of 4332	4232	cmd.exe	takeown.exe
PID 4232 wrote to memory of 4332	4232	cmd.exe	takeown.exe
PID 4232 wrote to memory of 4332	4232	cmd.exe	takeown.exe
PID 2252 wrote to memory of 4564	2252	cmd.exe	icacls.exe
PID 2252 wrote to memory of 4564	2252	cmd.exe	icacls.exe
PID 2252 wrote to memory of 4564	2252	cmd.exe	icacls.exe
PID 4644 wrote to memory of 4588	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	taskkill.exe
PID 4644 wrote to memory of 4588	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	taskkill.exe
PID 4644 wrote to memory of 4588	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	taskkill.exe
PID 4644 wrote to memory of 4852	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 4852	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe
PID 4644 wrote to memory of 4852	4644	dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe
"C:\Users\Admin\AppData\Local\Temp\dcefece1d932e8465f5f1463bda712817b56cbfbc546c9043ca1f94fe6c67475.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4332

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4564

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "Game918.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:4852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
d5e100463ee08875bae13428aa7fbdc5

SHA1
a18ad0ec6656ea26837105f6e1cf32e6b2b5c0be

SHA256
06a77379ca85ec0970084b0027b24db8ff3d1aed5ff5869ed2436dd204f20234

SHA512
3f8a151c13a83b00e3786998846c068e4b542428a1ce1f8de4b43f4b5df0f75e34391fbe8e9f56df22a31c6099ebc534673c2ba288d40664ef31c1f1cc4a0de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\123DF98.tmp
Filesize
192KB

MD5
34153e39b10468c9ae8ec7f68dfbc423

SHA1
68e2cd47c99122786fb494453380ec8dd24bbf39

SHA256
5c2ba6d0d9578b3f18e27710a7b5f65d858c38448b201d29fde9d44ea7bfb9fd

SHA512
513bf7c8c8ffddc25b6989c88f1efb3e3079f81ca544cd27c99135f6fabd99578dccc1091e56e144e0436f99ede939565a52ca8f6fe08f3ad8b190d523a97820

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
aafe4cc189edd5a9808503eede104c85

SHA1
609dce661aff6d63e0a0f7bd8a4db024afeadfff

SHA256
fe52d53b0d9966276f312eb15da23a01db52da5b608086d6c4f3c41aa6209ef5

SHA512
cb464b41a3e85a53042ce13086f63b36b5fc44eeecac7244099cec0ebc7633f3705289ead6efd32d47f7467b8b2cd289f7c8f5c13806eb257a9f5025949d4eea

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
9936cb0ca376b02afdad243af3d54cfe

SHA1
9f448a16fbc4b93e2642ab5fbd83d8b1417e37d6

SHA256
491bb277e0eeaf2cabdf9d129fce13c485e9b9e0c48a55c399fc869122ad9acf

SHA512
7e5a36e184709676578f76502f0f753b8e7031923af01e30985ac1daa3ea4c5bd0dda467036ee91461c9ce0808ea30c701e72a77a9426396b44ebd6e1a7eb478

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
9936cb0ca376b02afdad243af3d54cfe

SHA1
9f448a16fbc4b93e2642ab5fbd83d8b1417e37d6

SHA256
491bb277e0eeaf2cabdf9d129fce13c485e9b9e0c48a55c399fc869122ad9acf

SHA512
7e5a36e184709676578f76502f0f753b8e7031923af01e30985ac1daa3ea4c5bd0dda467036ee91461c9ce0808ea30c701e72a77a9426396b44ebd6e1a7eb478

Download Submit
memory/2252-139-0x0000000000000000-mapping.dmp

Download
memory/2700-136-0x0000000000000000-mapping.dmp

Download
memory/4232-141-0x0000000000000000-mapping.dmp

Download
memory/4332-142-0x0000000000000000-mapping.dmp

Download
memory/4360-135-0x0000000000000000-mapping.dmp

Download
memory/4564-143-0x0000000000000000-mapping.dmp

Download
memory/4588-148-0x0000000000000000-mapping.dmp

Download
memory/4620-134-0x0000000000000000-mapping.dmp

Download
memory/4636-138-0x0000000000000000-mapping.dmp

Download
memory/4836-132-0x0000000000000000-mapping.dmp

Download
memory/4852-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads