67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f

General

Target

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
Size

27KB
MD5

291c6983919cf96defb04dc705d71b80
SHA1

ecaef7540497fadef77d80542a7633e2e7422bb8
SHA256

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f
SHA512

96e135ad1876464c10b7f50b752b8113da501100b9fc31159a8e837ece66a9e50efdf4c925ca35379ef2a5a5c8f2a16cdf43913840e53df3348dfed70f32702d
SSDEEP

768:ruM/sYxbXAVliI+xBA7fdz4qsS/eqk/k0:ruMhUbixUL9Cd

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1312 icacls.exe
976 takeown.exe
340 icacls.exe
772 takeown.exe
780 icacls.exe
1492 takeown.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

552 cmd.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

976 takeown.exe
340 icacls.exe
772 takeown.exe
780 icacls.exe
1492 takeown.exe
1312 icacls.exe

pid	process
1312	icacls.exe
976	takeown.exe
340	icacls.exe
772	takeown.exe
780	icacls.exe
1492	takeown.exe

pid	process
552	cmd.exe

pid	process
976	takeown.exe
340	icacls.exe
772	takeown.exe
780	icacls.exe
1492	takeown.exe
1312	icacls.exe

Drops file in System32 directory 10 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\syswow64\123781F.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\syswow64\12399C4.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\SysWOW64\123679B.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\SysWOW64\123781F.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\SysWOW64\12399C4.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File created	C:\Windows\SysWOW64\sxload.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\syswow64\123679B.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

Drops file in Program Files directory 1 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxmxd.tmp 67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

300 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

pid process

844 67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxmxd.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

pid	process
300	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
Token: SeTakeOwnershipPrivilege	1492	takeown.exe
Token: SeDebugPrivilege	300	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

pid	process
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 1712	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 1712	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 1712	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 1712	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 1712 wrote to memory of 1584	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 1584	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 1584	1712	cmd.exe	cmd.exe
PID 1712 wrote to memory of 1584	1712	cmd.exe	cmd.exe
PID 1584 wrote to memory of 1492	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1492	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1492	1584	cmd.exe	takeown.exe
PID 1584 wrote to memory of 1492	1584	cmd.exe	takeown.exe
PID 1712 wrote to memory of 1312	1712	cmd.exe	icacls.exe
PID 1712 wrote to memory of 1312	1712	cmd.exe	icacls.exe
PID 1712 wrote to memory of 1312	1712	cmd.exe	icacls.exe
PID 1712 wrote to memory of 1312	1712	cmd.exe	icacls.exe
PID 844 wrote to memory of 268	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 268	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 268	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 268	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 268 wrote to memory of 1688	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1688	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1688	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1688	268	cmd.exe	cmd.exe
PID 1688 wrote to memory of 976	1688	cmd.exe	takeown.exe
PID 1688 wrote to memory of 976	1688	cmd.exe	takeown.exe
PID 1688 wrote to memory of 976	1688	cmd.exe	takeown.exe
PID 1688 wrote to memory of 976	1688	cmd.exe	takeown.exe
PID 268 wrote to memory of 340	268	cmd.exe	icacls.exe
PID 268 wrote to memory of 340	268	cmd.exe	icacls.exe
PID 268 wrote to memory of 340	268	cmd.exe	icacls.exe
PID 268 wrote to memory of 340	268	cmd.exe	icacls.exe
PID 844 wrote to memory of 836	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 836	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 836	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 836	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 836 wrote to memory of 556	836	cmd.exe	cmd.exe
PID 836 wrote to memory of 556	836	cmd.exe	cmd.exe
PID 836 wrote to memory of 556	836	cmd.exe	cmd.exe
PID 836 wrote to memory of 556	836	cmd.exe	cmd.exe
PID 556 wrote to memory of 772	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 772	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 772	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 772	556	cmd.exe	takeown.exe
PID 836 wrote to memory of 780	836	cmd.exe	icacls.exe
PID 836 wrote to memory of 780	836	cmd.exe	icacls.exe
PID 836 wrote to memory of 780	836	cmd.exe	icacls.exe
PID 836 wrote to memory of 780	836	cmd.exe	icacls.exe
PID 844 wrote to memory of 300	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	taskkill.exe
PID 844 wrote to memory of 300	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	taskkill.exe
PID 844 wrote to memory of 300	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	taskkill.exe
PID 844 wrote to memory of 300	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	taskkill.exe
PID 844 wrote to memory of 552	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 552	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 552	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 844 wrote to memory of 552	844	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
"C:\Users\Admin\AppData\Local\Temp\67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:976

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:340

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:772

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "maplestory.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
253B

MD5
b84bbc273b9c1462ea67c2c2b4685b6f

SHA1
60c9a5a94099c536cda8c4267f4c030b39dc1de0

SHA256
ee0245ba98376c0822e61c6c22424553afb8185ed1e05782b7209dfa1c5c056e

SHA512
d4a718708eb0e79858d81c5b6a3c2135507ad853c0aba9e5578e4c49fd0a36fd873c46241af29f49ec01f2f78a2a845be1266774fe745cf0a0a7e5bf269c5d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
101KB

MD5
f088aa0e173faa91bf4c9d7f03e19173

SHA1
4a41aa76adda7c1b9807e371d1b823322747bd3d

SHA256
1f1ca4f9eb93766253ddea4f6e010948b8a3048c63a580a6d2765ed959a3d98b

SHA512
8d97a0220116a422197da0528e0c542d133dd9e56d56c5e78b96ac8c9a59d188fcb945f2138d1530610b7887e91da4080c7c483cd1dcde4861d5d01224fecc12

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
11KB

MD5
f96c585709ec7596c14afa3a60fa9d7a

SHA1
681c1cc117abefb3c84ce78df002a43420fd8b6c

SHA256
2d7dec9af8ef7e6458417c0d66d5277c0c9642ffe126195a2db43cb81f192f03

SHA512
eb377b2e57dca47619849b67579c5716d9fc4959d0bf8471f49b3bd54afb6ab89bb928c8868191ea59be4c8541a9bd91490c6c60d15470d57c1b8a0df8d892a4

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll

Filesize
101KB

MD5
f088aa0e173faa91bf4c9d7f03e19173

SHA1
4a41aa76adda7c1b9807e371d1b823322747bd3d

SHA256
1f1ca4f9eb93766253ddea4f6e010948b8a3048c63a580a6d2765ed959a3d98b

SHA512
8d97a0220116a422197da0528e0c542d133dd9e56d56c5e78b96ac8c9a59d188fcb945f2138d1530610b7887e91da4080c7c483cd1dcde4861d5d01224fecc12

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll

Filesize
11KB

MD5
f96c585709ec7596c14afa3a60fa9d7a

SHA1
681c1cc117abefb3c84ce78df002a43420fd8b6c

SHA256
2d7dec9af8ef7e6458417c0d66d5277c0c9642ffe126195a2db43cb81f192f03

SHA512
eb377b2e57dca47619849b67579c5716d9fc4959d0bf8471f49b3bd54afb6ab89bb928c8868191ea59be4c8541a9bd91490c6c60d15470d57c1b8a0df8d892a4

Download Submit
memory/268-63-0x0000000000000000-mapping.dmp

Download
memory/300-81-0x0000000000000000-mapping.dmp

Download
memory/340-67-0x0000000000000000-mapping.dmp

Download
memory/552-82-0x0000000000000000-mapping.dmp

Download
memory/556-75-0x0000000000000000-mapping.dmp

Download
memory/772-76-0x0000000000000000-mapping.dmp

Download
memory/780-77-0x0000000000000000-mapping.dmp

Download
memory/836-73-0x0000000000000000-mapping.dmp

Download
memory/844-61-0x00000000741D1000-0x00000000741D3000-memory.dmp

Filesize
8KB

Download
memory/844-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/844-60-0x0000000074381000-0x0000000074383000-memory.dmp

Filesize
8KB

Download
memory/976-66-0x0000000000000000-mapping.dmp

Download
memory/1312-59-0x0000000000000000-mapping.dmp

Download
memory/1492-58-0x0000000000000000-mapping.dmp

Download
memory/1584-57-0x0000000000000000-mapping.dmp

Download
memory/1688-65-0x0000000000000000-mapping.dmp

Download
memory/1712-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads