8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc

General

Target

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
Size

24KB
MD5

9a70f898baa94812d9810595c09c413b
SHA1

11b8602b99b7ba71d834c9a16aef5209836cf718
SHA256

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc
SHA512

a2f3a231b2c4e66855abe8a5c58050c2f3fbf6b8dbbf01bdbdb17008e8d0ee73268b8510a2feb484ce47637ae25a60812d4a748c6952484623abaee1af7ecaf7
SSDEEP

768:GvEwVMWLfB0DXrUk1T6y/vLEtMhv+bMauUrdEMzV:mVxLfw1TGyv+XbpEQ

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1920 icacls.exe
1800 takeown.exe
556 icacls.exe
1544 takeown.exe
1592 icacls.exe
588 takeown.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1736 cmd.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1920 icacls.exe
1800 takeown.exe
556 icacls.exe
1544 takeown.exe
1592 icacls.exe
588 takeown.exe

pid	process
1920	icacls.exe
1800	takeown.exe
556	icacls.exe
1544	takeown.exe
1592	icacls.exe
588	takeown.exe

pid	process
1736	cmd.exe

pid	process
1920	icacls.exe
1800	takeown.exe
556	icacls.exe
1544	takeown.exe
1592	icacls.exe
588	takeown.exe

Drops file in System32 directory 10 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sxload.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\SysWOW64\123875A.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\syswow64\123875A.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\syswow64\1239753.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\syswow64\123A567.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\SysWOW64\1239753.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
File opened for modification	C:\Windows\SysWOW64\123A567.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

Drops file in Program Files directory 1 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxcs.tmp 8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1672 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

pid process

816 8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxcs.tmp	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

pid	process
1672	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
Token: SeTakeOwnershipPrivilege	1544	takeown.exe
Token: SeDebugPrivilege	1672	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

pid	process
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 1352	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1352	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1352	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1352	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 1352 wrote to memory of 1752	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 1752	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 1752	1352	cmd.exe	cmd.exe
PID 1352 wrote to memory of 1752	1352	cmd.exe	cmd.exe
PID 1752 wrote to memory of 1544	1752	cmd.exe	takeown.exe
PID 1752 wrote to memory of 1544	1752	cmd.exe	takeown.exe
PID 1752 wrote to memory of 1544	1752	cmd.exe	takeown.exe
PID 1752 wrote to memory of 1544	1752	cmd.exe	takeown.exe
PID 1352 wrote to memory of 1592	1352	cmd.exe	icacls.exe
PID 1352 wrote to memory of 1592	1352	cmd.exe	icacls.exe
PID 1352 wrote to memory of 1592	1352	cmd.exe	icacls.exe
PID 1352 wrote to memory of 1592	1352	cmd.exe	icacls.exe
PID 816 wrote to memory of 908	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 908	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 908	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 908	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 908 wrote to memory of 592	908	cmd.exe	cmd.exe
PID 908 wrote to memory of 592	908	cmd.exe	cmd.exe
PID 908 wrote to memory of 592	908	cmd.exe	cmd.exe
PID 908 wrote to memory of 592	908	cmd.exe	cmd.exe
PID 592 wrote to memory of 588	592	cmd.exe	takeown.exe
PID 592 wrote to memory of 588	592	cmd.exe	takeown.exe
PID 592 wrote to memory of 588	592	cmd.exe	takeown.exe
PID 592 wrote to memory of 588	592	cmd.exe	takeown.exe
PID 908 wrote to memory of 1920	908	cmd.exe	icacls.exe
PID 908 wrote to memory of 1920	908	cmd.exe	icacls.exe
PID 908 wrote to memory of 1920	908	cmd.exe	icacls.exe
PID 908 wrote to memory of 1920	908	cmd.exe	icacls.exe
PID 816 wrote to memory of 1052	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1052	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1052	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1052	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 1052 wrote to memory of 1000	1052	cmd.exe	cmd.exe
PID 1052 wrote to memory of 1000	1052	cmd.exe	cmd.exe
PID 1052 wrote to memory of 1000	1052	cmd.exe	cmd.exe
PID 1052 wrote to memory of 1000	1052	cmd.exe	cmd.exe
PID 1000 wrote to memory of 1800	1000	cmd.exe	takeown.exe
PID 1000 wrote to memory of 1800	1000	cmd.exe	takeown.exe
PID 1000 wrote to memory of 1800	1000	cmd.exe	takeown.exe
PID 1000 wrote to memory of 1800	1000	cmd.exe	takeown.exe
PID 1052 wrote to memory of 556	1052	cmd.exe	icacls.exe
PID 1052 wrote to memory of 556	1052	cmd.exe	icacls.exe
PID 1052 wrote to memory of 556	1052	cmd.exe	icacls.exe
PID 1052 wrote to memory of 556	1052	cmd.exe	icacls.exe
PID 816 wrote to memory of 1672	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	taskkill.exe
PID 816 wrote to memory of 1672	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	taskkill.exe
PID 816 wrote to memory of 1672	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	taskkill.exe
PID 816 wrote to memory of 1672	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	taskkill.exe
PID 816 wrote to memory of 1736	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1736	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1736	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe
PID 816 wrote to memory of 1736	816	8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe
"C:\Users\Admin\AppData\Local\Temp\8b11e2aa748a26f8e41a484e66d6438645a81183722833c3f079e6ad4a5edcdc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:588

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1800

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:556

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "cstrike-online.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
253B

MD5
9df09e9265cd1e4cc651f52b9aa4c1c1

SHA1
9a609c00facd857bb159325ca8b100939bdd2073

SHA256
7016477d097a69d90ddf1c581c54290e7514b00f2883f51107cebf2937f3d93f

SHA512
12bded1d9cf3fd654223b53cc064ab3124e810e0b1850c85d4d87f98cef9f26a1623cb9bce8516f2cd3216f9aed7e38d30797a76c869850bb795668162c38911

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
101KB

MD5
1c4ff19e9ab12f56c31b2e9cfd4fa035

SHA1
c075bc7e3674cd0a56bc29ea612c403562c370d4

SHA256
64b748d433fc03549cce0d069df2da23198124fa087948df7947d82b51d42791

SHA512
b9c9cbfbbe2e89c963531cad0351ed666482d99957e7cca20bd5af9320f89e5f83f0e89788d1f9a05418a65f305eba89fdc0294e24731394aa23a0cb383fc87d

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
11KB

MD5
356bcdd2693b21c9699cee79696ddbbd

SHA1
fbcd89dba31cab0a1e60f1a550163b7b1118825a

SHA256
038c4659168dbe965511c016fec4dbe3beab157c39c7e4c37c2a0e3ae013cad4

SHA512
58fb6aa609c2dee9eaa91c35e28ef95fb6a6001c35a91eb766281906d188550736d16ee401fd5bcd8fcece91e836133ad5212a676e4c88c62714f21c1695d52f

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll

Filesize
101KB

MD5
1c4ff19e9ab12f56c31b2e9cfd4fa035

SHA1
c075bc7e3674cd0a56bc29ea612c403562c370d4

SHA256
64b748d433fc03549cce0d069df2da23198124fa087948df7947d82b51d42791

SHA512
b9c9cbfbbe2e89c963531cad0351ed666482d99957e7cca20bd5af9320f89e5f83f0e89788d1f9a05418a65f305eba89fdc0294e24731394aa23a0cb383fc87d

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll

Filesize
11KB

MD5
356bcdd2693b21c9699cee79696ddbbd

SHA1
fbcd89dba31cab0a1e60f1a550163b7b1118825a

SHA256
038c4659168dbe965511c016fec4dbe3beab157c39c7e4c37c2a0e3ae013cad4

SHA512
58fb6aa609c2dee9eaa91c35e28ef95fb6a6001c35a91eb766281906d188550736d16ee401fd5bcd8fcece91e836133ad5212a676e4c88c62714f21c1695d52f

Download Submit
memory/556-77-0x0000000000000000-mapping.dmp

Download
memory/588-66-0x0000000000000000-mapping.dmp

Download
memory/592-65-0x0000000000000000-mapping.dmp

Download
memory/816-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/816-61-0x0000000074D31000-0x0000000074D33000-memory.dmp

Filesize
8KB

Download
memory/816-60-0x0000000074EE1000-0x0000000074EE3000-memory.dmp

Filesize
8KB

Download
memory/908-63-0x0000000000000000-mapping.dmp

Download
memory/1000-75-0x0000000000000000-mapping.dmp

Download
memory/1052-73-0x0000000000000000-mapping.dmp

Download
memory/1352-55-0x0000000000000000-mapping.dmp

Download
memory/1544-58-0x0000000000000000-mapping.dmp

Download
memory/1592-59-0x0000000000000000-mapping.dmp

Download
memory/1672-83-0x0000000000000000-mapping.dmp

Download
memory/1736-84-0x0000000000000000-mapping.dmp

Download
memory/1752-57-0x0000000000000000-mapping.dmp

Download
memory/1800-76-0x0000000000000000-mapping.dmp

Download
memory/1920-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads