e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef

General

Target

e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
Size

29KB
MD5

e61f2a51d5a73f72d233a22f0e0f68e0
SHA1

4b8316d949b5d1af88db2d8fe78d3e6dc77e685c
SHA256

e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef
SHA512

bbb471b0116d64cd8d2be8f3f8288274b5d775ae08d18256b46deb034f1929cf54f31603b4df8f1531fa9181875ae173320c1faa3c28a88ff8b6e7f19d36a4ce
SSDEEP

768:cxCg6GBEaQ0XhoM1hy6S5n00gcAycuYlA8H6v:cxC/GBm0SM1hy6SG0gNycudF

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

3516 takeown.exe
3372 icacls.exe
876 takeown.exe
1740 icacls.exe
4920 takeown.exe
1364 icacls.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

3372 icacls.exe
876 takeown.exe
1740 icacls.exe
4920 takeown.exe
1364 icacls.exe
3516 takeown.exe

pid	process
3516	takeown.exe
3372	icacls.exe
876	takeown.exe
1740	icacls.exe
4920	takeown.exe
1364	icacls.exe

pid	process
3372	icacls.exe
876	takeown.exe
1740	icacls.exe
4920	takeown.exe
1364	icacls.exe
3516	takeown.exe

Drops file in System32 directory 7 IoCs

Processes:

e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
File opened for modification	C:\Windows\SysWOW64\123BA5E.tmp	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
File opened for modification	C:\Windows\SysWOW64\123CB18.tmp	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
File created	C:\Windows\SysWOW64\sxload.tmp	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
File opened for modification	C:\Windows\SysWOW64\123AEC4.tmp	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

Drops file in Program Files directory 1 IoCs

Processes:

e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxmy.tmp e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4076 taskkill.exe
1768 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxmy.tmp	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

pid	process
4076	taskkill.exe
1768	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

pid	process
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
Token: SeTakeOwnershipPrivilege	3516	takeown.exe
Token: SeDebugPrivilege	4076	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

pid	process
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3884 wrote to memory of 2100	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 3884 wrote to memory of 2100	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 3884 wrote to memory of 2100	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 2100 wrote to memory of 4244	2100	cmd.exe	cmd.exe
PID 2100 wrote to memory of 4244	2100	cmd.exe	cmd.exe
PID 2100 wrote to memory of 4244	2100	cmd.exe	cmd.exe
PID 4244 wrote to memory of 3516	4244	cmd.exe	takeown.exe
PID 4244 wrote to memory of 3516	4244	cmd.exe	takeown.exe
PID 4244 wrote to memory of 3516	4244	cmd.exe	takeown.exe
PID 2100 wrote to memory of 3372	2100	cmd.exe	icacls.exe
PID 2100 wrote to memory of 3372	2100	cmd.exe	icacls.exe
PID 2100 wrote to memory of 3372	2100	cmd.exe	icacls.exe
PID 3884 wrote to memory of 632	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 3884 wrote to memory of 632	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 3884 wrote to memory of 632	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 632 wrote to memory of 1900	632	cmd.exe	cmd.exe
PID 632 wrote to memory of 1900	632	cmd.exe	cmd.exe
PID 632 wrote to memory of 1900	632	cmd.exe	cmd.exe
PID 1900 wrote to memory of 876	1900	cmd.exe	takeown.exe
PID 1900 wrote to memory of 876	1900	cmd.exe	takeown.exe
PID 1900 wrote to memory of 876	1900	cmd.exe	takeown.exe
PID 632 wrote to memory of 1740	632	cmd.exe	icacls.exe
PID 632 wrote to memory of 1740	632	cmd.exe	icacls.exe
PID 632 wrote to memory of 1740	632	cmd.exe	icacls.exe
PID 3884 wrote to memory of 4972	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 3884 wrote to memory of 4972	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 3884 wrote to memory of 4972	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 4972 wrote to memory of 3680	4972	cmd.exe	cmd.exe
PID 4972 wrote to memory of 3680	4972	cmd.exe	cmd.exe
PID 4972 wrote to memory of 3680	4972	cmd.exe	cmd.exe
PID 3680 wrote to memory of 4920	3680	cmd.exe	takeown.exe
PID 3680 wrote to memory of 4920	3680	cmd.exe	takeown.exe
PID 3680 wrote to memory of 4920	3680	cmd.exe	takeown.exe
PID 4972 wrote to memory of 1364	4972	cmd.exe	icacls.exe
PID 4972 wrote to memory of 1364	4972	cmd.exe	icacls.exe
PID 4972 wrote to memory of 1364	4972	cmd.exe	icacls.exe
PID 3884 wrote to memory of 4076	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	taskkill.exe
PID 3884 wrote to memory of 4076	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	taskkill.exe
PID 3884 wrote to memory of 4076	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	taskkill.exe
PID 3884 wrote to memory of 1768	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	taskkill.exe
PID 3884 wrote to memory of 1768	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	taskkill.exe
PID 3884 wrote to memory of 1768	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	taskkill.exe
PID 3884 wrote to memory of 564	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 3884 wrote to memory of 564	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe
PID 3884 wrote to memory of 564	3884	e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
"C:\Users\Admin\AppData\Local\Temp\e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:876

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4920

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1364

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
253B

MD5
a585ef13f0cb8cb72f430f6f36262b89

SHA1
431b0bbaa52f8a58aefe800996646f0854dc51e1

SHA256
1ae31ab07f3717b019a2495498baa63b253230ccde64756e6b718a811d162bc1

SHA512
63482056d1dea223c221989c6e546d2953ec76cc999c87c383ecc57fcaa4f248967cc4ea7e3c4eb10b4e3ceccebfb740db796e3dc3b4f76e09614fd949a3e12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
8f22e17c9af9e95c329ef04e6c3b828b

SHA1
5bcad5676899fb75652c664d40943082e3f2819f

SHA256
b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56

SHA512
fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
C:\Windows\SysWOW64\iphlpapi.dll
Filesize
192KB

MD5
8f22e17c9af9e95c329ef04e6c3b828b

SHA1
5bcad5676899fb75652c664d40943082e3f2819f

SHA256
b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56

SHA512
fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
memory/564-153-0x0000000000000000-mapping.dmp

Download
memory/632-137-0x0000000000000000-mapping.dmp

Download
memory/876-140-0x0000000000000000-mapping.dmp

Download
memory/1364-148-0x0000000000000000-mapping.dmp

Download
memory/1740-141-0x0000000000000000-mapping.dmp

Download
memory/1768-152-0x0000000000000000-mapping.dmp

Download
memory/1900-139-0x0000000000000000-mapping.dmp

Download
memory/2100-132-0x0000000000000000-mapping.dmp

Download
memory/3372-136-0x0000000000000000-mapping.dmp

Download
memory/3516-135-0x0000000000000000-mapping.dmp

Download
memory/3680-146-0x0000000000000000-mapping.dmp

Download
memory/4076-151-0x0000000000000000-mapping.dmp

Download
memory/4244-134-0x0000000000000000-mapping.dmp

Download
memory/4920-147-0x0000000000000000-mapping.dmp

Download
memory/4972-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads