67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f

General

Target

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
Size

27KB
MD5

291c6983919cf96defb04dc705d71b80
SHA1

ecaef7540497fadef77d80542a7633e2e7422bb8
SHA256

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f
SHA512

96e135ad1876464c10b7f50b752b8113da501100b9fc31159a8e837ece66a9e50efdf4c925ca35379ef2a5a5c8f2a16cdf43913840e53df3348dfed70f32702d
SSDEEP

768:ruM/sYxbXAVliI+xBA7fdz4qsS/eqk/k0:ruMhUbixUL9Cd

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

2392 takeown.exe
1328 icacls.exe
2080 takeown.exe
3556 icacls.exe
744 takeown.exe
916 icacls.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

916 icacls.exe
2392 takeown.exe
1328 icacls.exe
2080 takeown.exe
3556 icacls.exe
744 takeown.exe

pid	process
2392	takeown.exe
1328	icacls.exe
2080	takeown.exe
3556	icacls.exe
744	takeown.exe
916	icacls.exe

pid	process
916	icacls.exe
2392	takeown.exe
1328	icacls.exe
2080	takeown.exe
3556	icacls.exe
744	takeown.exe

Drops file in System32 directory 7 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sxload.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\SysWOW64\123FFA.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\SysWOW64\1231DD6.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File opened for modification	C:\Windows\SysWOW64\1232401.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

Drops file in Program Files directory 1 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxmxd.tmp 67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5100 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxmxd.tmp	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

pid	process
5100	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

pid	process
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
Token: SeTakeOwnershipPrivilege	2392	takeown.exe
Token: SeDebugPrivilege	5100	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

pid	process
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4436 wrote to memory of 2156	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4436 wrote to memory of 2156	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4436 wrote to memory of 2156	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 2156 wrote to memory of 4460	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 4460	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 4460	2156	cmd.exe	cmd.exe
PID 4460 wrote to memory of 2392	4460	cmd.exe	takeown.exe
PID 4460 wrote to memory of 2392	4460	cmd.exe	takeown.exe
PID 4460 wrote to memory of 2392	4460	cmd.exe	takeown.exe
PID 2156 wrote to memory of 1328	2156	cmd.exe	icacls.exe
PID 2156 wrote to memory of 1328	2156	cmd.exe	icacls.exe
PID 2156 wrote to memory of 1328	2156	cmd.exe	icacls.exe
PID 4436 wrote to memory of 4868	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4436 wrote to memory of 4868	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4436 wrote to memory of 4868	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4868 wrote to memory of 3828	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 3828	4868	cmd.exe	cmd.exe
PID 4868 wrote to memory of 3828	4868	cmd.exe	cmd.exe
PID 3828 wrote to memory of 2080	3828	cmd.exe	takeown.exe
PID 3828 wrote to memory of 2080	3828	cmd.exe	takeown.exe
PID 3828 wrote to memory of 2080	3828	cmd.exe	takeown.exe
PID 4868 wrote to memory of 3556	4868	cmd.exe	icacls.exe
PID 4868 wrote to memory of 3556	4868	cmd.exe	icacls.exe
PID 4868 wrote to memory of 3556	4868	cmd.exe	icacls.exe
PID 4436 wrote to memory of 3716	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4436 wrote to memory of 3716	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4436 wrote to memory of 3716	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 3716 wrote to memory of 5064	3716	cmd.exe	cmd.exe
PID 3716 wrote to memory of 5064	3716	cmd.exe	cmd.exe
PID 3716 wrote to memory of 5064	3716	cmd.exe	cmd.exe
PID 5064 wrote to memory of 744	5064	cmd.exe	takeown.exe
PID 5064 wrote to memory of 744	5064	cmd.exe	takeown.exe
PID 5064 wrote to memory of 744	5064	cmd.exe	takeown.exe
PID 3716 wrote to memory of 916	3716	cmd.exe	icacls.exe
PID 3716 wrote to memory of 916	3716	cmd.exe	icacls.exe
PID 3716 wrote to memory of 916	3716	cmd.exe	icacls.exe
PID 4436 wrote to memory of 5100	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	taskkill.exe
PID 4436 wrote to memory of 5100	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	taskkill.exe
PID 4436 wrote to memory of 5100	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	taskkill.exe
PID 4436 wrote to memory of 3992	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4436 wrote to memory of 3992	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe
PID 4436 wrote to memory of 3992	4436	67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe
"C:\Users\Admin\AppData\Local\Temp\67382d2ccc2b1d509f43d9d51690c34ebb881148c3cba06bae8ff93ecd3ef53f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2080

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:744

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:916

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "maplestory.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:3992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
b84bbc273b9c1462ea67c2c2b4685b6f

SHA1
60c9a5a94099c536cda8c4267f4c030b39dc1de0

SHA256
ee0245ba98376c0822e61c6c22424553afb8185ed1e05782b7209dfa1c5c056e

SHA512
d4a718708eb0e79858d81c5b6a3c2135507ad853c0aba9e5578e4c49fd0a36fd873c46241af29f49ec01f2f78a2a845be1266774fe745cf0a0a7e5bf269c5d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
e3f75f63f56789e5a3edb85f17933594

SHA1
d4a9ad438971294099f1b14b67f2d2f33ca19498

SHA256
8c6cbc631ec4013a3b99726f6bcaf3f8e11cb3f64a3ebf68b6e0e69cfaad54ce

SHA512
bfb732a68b5c5072caa0d4303bfdbaf0a74ee6bcd1cb2dbb32e0bd041a6693beff641124be57dacf4e0e1886e5e2988bcbe1e597f5a4aa8933ed5dd2de4c1a34

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
ccc8b561f91537b54ea41ae10b60b2dc

SHA1
72c5bb4adf50cbcf9053b05ff35e5d8b97537305

SHA256
a3b573b45ad961bd358cf751f409fef62b9571c822fdeb6fd40fa64821f43271

SHA512
6e9f5e5638024bb704938bda9c0f686607e4c5530714ac684e74567d73d6b984dd06ced2d5b0f9fffc2b897aae2412cdf81dc1c78d611b829a89fdc559fe870f

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
192KB

MD5
e3f75f63f56789e5a3edb85f17933594

SHA1
d4a9ad438971294099f1b14b67f2d2f33ca19498

SHA256
8c6cbc631ec4013a3b99726f6bcaf3f8e11cb3f64a3ebf68b6e0e69cfaad54ce

SHA512
bfb732a68b5c5072caa0d4303bfdbaf0a74ee6bcd1cb2dbb32e0bd041a6693beff641124be57dacf4e0e1886e5e2988bcbe1e597f5a4aa8933ed5dd2de4c1a34

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
ccc8b561f91537b54ea41ae10b60b2dc

SHA1
72c5bb4adf50cbcf9053b05ff35e5d8b97537305

SHA256
a3b573b45ad961bd358cf751f409fef62b9571c822fdeb6fd40fa64821f43271

SHA512
6e9f5e5638024bb704938bda9c0f686607e4c5530714ac684e74567d73d6b984dd06ced2d5b0f9fffc2b897aae2412cdf81dc1c78d611b829a89fdc559fe870f

Download Submit
memory/744-147-0x0000000000000000-mapping.dmp

Download
memory/916-148-0x0000000000000000-mapping.dmp

Download
memory/1328-136-0x0000000000000000-mapping.dmp

Download
memory/2080-140-0x0000000000000000-mapping.dmp

Download
memory/2156-132-0x0000000000000000-mapping.dmp

Download
memory/2392-135-0x0000000000000000-mapping.dmp

Download
memory/3556-141-0x0000000000000000-mapping.dmp

Download
memory/3716-144-0x0000000000000000-mapping.dmp

Download
memory/3828-139-0x0000000000000000-mapping.dmp

Download
memory/3992-152-0x0000000000000000-mapping.dmp

Download
memory/4460-134-0x0000000000000000-mapping.dmp

Download
memory/4868-137-0x0000000000000000-mapping.dmp

Download
memory/5064-146-0x0000000000000000-mapping.dmp

Download
memory/5100-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads