Analysis
- max time kernel: 91s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2022 14:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
- Resource: win7-20221111-en
General
- Target: e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
- Size: 29KB
- MD5: e61f2a51d5a73f72d233a22f0e0f68e0
- SHA1: 4b8316d949b5d1af88db2d8fe78d3e6dc77e685c
- SHA256: e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef
- SHA512: bbb471b0116d64cd8d2be8f3f8288274b5d775ae08d18256b46deb034f1929cf54f31603b4df8f1531fa9181875ae173320c1faa3c28a88ff8b6e7f19d36a4ce
- SSDEEP: 768:cxCg6GBEaQ0XhoM1hy6S5n00gcAycuYlA8H6v:cxC/GBm0SM1hy6SG0gNycudF
Malware Config
Signatures
- Possible privilege escalation attempt (6 IoCs)
  Processes (pid, process):
  3516  takeown.exe
  3372  icacls.exe
  876   takeown.exe
  1740  icacls.exe
  4920  takeown.exe
  1364  icacls.exe

- Modifies file permissions (1 TTP, 6 IoCs)
  Processes (pid, process):
  3372  icacls.exe
  876   takeown.exe
  1740  icacls.exe
  4920  takeown.exe
  1364  icacls.exe
  3516  takeown.exe

- Drops file in System32 directory (7 IoCs)
  Processes (description, ioc, process):
  File created                  C:\Windows\SysWOW64\dllcache\iphlpapi.dll  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  File opened for modification  C:\Windows\SysWOW64\123BA5E.tmp            e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  File created                  C:\Windows\SysWOW64\dllcache\rasadhlp.dll  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  File opened for modification  C:\Windows\SysWOW64\123CB18.tmp            e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  File created                  C:\Windows\SysWOW64\dllcache\midimap.dll   e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  File created                  C:\Windows\SysWOW64\sxload.tmp             e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  File opened for modification  C:\Windows\SysWOW64\123AEC4.tmp            e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

- Drops file in Program Files directory (1 IoC)
  Processes (description, ioc, process):
  File created  C:\Program Files (x86)\Common Files\sxmy.tmp  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (2 IoCs)
  Processes (pid, process):
  4076  taskkill.exe
  1768  taskkill.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege          3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  Token: SeTakeOwnershipPrivilege  3516  takeown.exe
  Token: SeDebugPrivilege          4076  taskkill.exe
  Token: SeDebugPrivilege          1768  taskkill.exe

- Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes (pid, process):
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe

- Suspicious use of WriteProcessMemory (45 IoCs)
  Processes (description, pid, process, target process):
  PID 3884 wrote to memory of 2100  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 3884 wrote to memory of 2100  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 3884 wrote to memory of 2100  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 2100 wrote to memory of 4244  2100  cmd.exe  cmd.exe
  PID 2100 wrote to memory of 4244  2100  cmd.exe  cmd.exe
  PID 2100 wrote to memory of 4244  2100  cmd.exe  cmd.exe
  PID 4244 wrote to memory of 3516  4244  cmd.exe  takeown.exe
  PID 4244 wrote to memory of 3516  4244  cmd.exe  takeown.exe
  PID 4244 wrote to memory of 3516  4244  cmd.exe  takeown.exe
  PID 2100 wrote to memory of 3372  2100  cmd.exe  icacls.exe
  PID 2100 wrote to memory of 3372  2100  cmd.exe  icacls.exe
  PID 2100 wrote to memory of 3372  2100  cmd.exe  icacls.exe
  PID 3884 wrote to memory of 632   3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 3884 wrote to memory of 632   3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 3884 wrote to memory of 632   3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 632 wrote to memory of 1900   632   cmd.exe  cmd.exe
  PID 632 wrote to memory of 1900   632   cmd.exe  cmd.exe
  PID 632 wrote to memory of 1900   632   cmd.exe  cmd.exe
  PID 1900 wrote to memory of 876   1900  cmd.exe  takeown.exe
  PID 1900 wrote to memory of 876   1900  cmd.exe  takeown.exe
  PID 1900 wrote to memory of 876   1900  cmd.exe  takeown.exe
  PID 632 wrote to memory of 1740   632   cmd.exe  icacls.exe
  PID 632 wrote to memory of 1740   632   cmd.exe  icacls.exe
  PID 632 wrote to memory of 1740   632   cmd.exe  icacls.exe
  PID 3884 wrote to memory of 4972  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 3884 wrote to memory of 4972  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 3884 wrote to memory of 4972  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 4972 wrote to memory of 3680  4972  cmd.exe  cmd.exe
  PID 4972 wrote to memory of 3680  4972  cmd.exe  cmd.exe
  PID 4972 wrote to memory of 3680  4972  cmd.exe  cmd.exe
  PID 3680 wrote to memory of 4920  3680  cmd.exe  takeown.exe
  PID 3680 wrote to memory of 4920  3680  cmd.exe  takeown.exe
  PID 3680 wrote to memory of 4920  3680  cmd.exe  takeown.exe
  PID 4972 wrote to memory of 1364  4972  cmd.exe  icacls.exe
  PID 4972 wrote to memory of 1364  4972  cmd.exe  icacls.exe
  PID 4972 wrote to memory of 1364  4972  cmd.exe  icacls.exe
  PID 3884 wrote to memory of 4076  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  taskkill.exe
  PID 3884 wrote to memory of 4076  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  taskkill.exe
  PID 3884 wrote to memory of 4076  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  taskkill.exe
  PID 3884 wrote to memory of 1768  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  taskkill.exe
  PID 3884 wrote to memory of 1768  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  taskkill.exe
  PID 3884 wrote to memory of 1768  3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  taskkill.exe
  PID 3884 wrote to memory of 564   3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 3884 wrote to memory of 564   3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
  PID 3884 wrote to memory of 564   3884  e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe  cmd.exe
Processes (process tree; [n] is the nesting depth, followed by the image path, the command line and the signatures matched by that process)

[1] C:\Users\Admin\AppData\Local\Temp\e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\e27c3a1c932d7a7ad7df5ca65fb06a73caaa24c12bfba50e466f597d7fd5e3ef.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 2.bat
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c takeown /f "C:\Windows\System32"
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\takeown.exe
                cmdline: takeown /f "C:\Windows\System32"
                - Possible privilege escalation attempt
                - Modifies file permissions
                - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\icacls.exe
            cmdline: icacls "C:\Windows\System32" /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions

    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 2.bat
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c takeown /f "C:\Windows\System32"
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\takeown.exe
                cmdline: takeown /f "C:\Windows\System32"
                - Possible privilege escalation attempt
                - Modifies file permissions

        [3] C:\Windows\SysWOW64\icacls.exe
            cmdline: icacls "C:\Windows\System32" /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions

    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 2.bat
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c takeown /f "C:\Windows\System32"
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\takeown.exe
                cmdline: takeown /f "C:\Windows\System32"
                - Possible privilege escalation attempt
                - Modifies file permissions

        [3] C:\Windows\SysWOW64\icacls.exe
            cmdline: icacls "C:\Windows\System32" /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions

    [2] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /im "soul.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\taskkill.exe
        cmdline: taskkill /f /im "soul.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c 1.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize: 253B
  MD5: a585ef13f0cb8cb72f430f6f36262b89
  SHA1: 431b0bbaa52f8a58aefe800996646f0854dc51e1
  SHA256: 1ae31ab07f3717b019a2495498baa63b253230ccde64756e6b718a811d162bc1
  SHA512: 63482056d1dea223c221989c6e546d2953ec76cc999c87c383ecc57fcaa4f248967cc4ea7e3c4eb10b4e3ceccebfb740db796e3dc3b4f76e09614fd949a3e12d

- C:\Users\Admin\AppData\Local\Temp\2.bat
  Filesize: 110B
  MD5: 12e768a105dc0d143a5f5becdd12167a
  SHA1: 8f82f11fc9b8921b1a80eb23b600d243a8756766
  SHA256: 0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056
  SHA512: 3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77
- C:\Windows\SysWOW64\dllcache\iphlpapi.dll
  Filesize: 192KB
  MD5: 8f22e17c9af9e95c329ef04e6c3b828b
  SHA1: 5bcad5676899fb75652c664d40943082e3f2819f
  SHA256: b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56
  SHA512: fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

- C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  Filesize: 12KB
  MD5: d504739e761a70015630c2a634ddd79f
  SHA1: 5a1a9b3557fa9a1702135de551196b9cbb87c74b
  SHA256: deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208
  SHA512: 4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

- C:\Windows\SysWOW64\iphlpapi.dll
  Filesize: 192KB
  MD5: 8f22e17c9af9e95c329ef04e6c3b828b
  SHA1: 5bcad5676899fb75652c664d40943082e3f2819f
  SHA256: b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56
  SHA512: fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

- C:\Windows\SysWOW64\rasadhlp.dll
  Filesize: 12KB
  MD5: d504739e761a70015630c2a634ddd79f
  SHA1: 5a1a9b3557fa9a1702135de551196b9cbb87c74b
  SHA256: deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208
  SHA512: 4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd