Analysis

max time kernel: 92s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 14:52

Static task: static1
Behavioral task: behavioral1
Sample: 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
Resource: win7-20221111-en
General

Target: 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
Size: 26KB
MD5: 2f900ad4ecd1726c9001bc41a42073cc
SHA1: 98eda90f954cd3dc68fe58e8b9738487256e66c3
SHA256: 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce
SHA512: bb99fba927b802eb25ab0672b2eeefdfb56c18e763e7b202ef6bd0cc7a824583f00b6df5f947bd6fce23be957f4af0e133fbfefc6f7c553356c460badb19735a
SSDEEP: 384:fiwLXY3y9eHBgVmtCFbxRbA+4okzNC6ybGMhTKNljsq+Vhnka0+itIY/JLjP4L3W:fixCg6tdRbA+4CBbhKNWqc++it7R23W
Malware Config

Signatures

- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
  - 4592 icacls.exe
  - 3972 takeown.exe
  - 4924 icacls.exe
  - 444 takeown.exe

- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid, process):
  - 3972 takeown.exe
  - 4924 icacls.exe
  - 444 takeown.exe
  - 4592 icacls.exe

- Drops file in System32 directory (7 IoCs)
  Process: 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
  - File created: C:\Windows\SysWOW64\dllcache\iphlpapi.dll
  - File opened for modification: C:\Windows\SysWOW64\1232E55.tmp
  - File created: C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  - File opened for modification: C:\Windows\SysWOW64\123353C.tmp
  - File created: C:\Windows\SysWOW64\dllcache\midimap.dll
  - File created: C:\Windows\SysWOW64\sxload.tmp
  - File opened for modification: C:\Windows\SysWOW64\123156D.tmp

- Drops file in Program Files directory (1 IoC)
  Process: 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
  - File created: C:\Program Files (x86)\Common Files\sxmy.tmp

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Kills process with taskkill (2 IoCs)
  Processes (pid, process):
  - 1316 taskkill.exe
  - 4536 taskkill.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe (2 entries)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (token, pid, process):
  - SeDebugPrivilege 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
  - SeTakeOwnershipPrivilege 3972 takeown.exe
  - SeDebugPrivilege 1316 taskkill.exe
  - SeDebugPrivilege 4536 taskkill.exe

- Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes (pid, process):
  - 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe (12 entries)

- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (source pid, source process -> target pid, target process; each pair is recorded 3 times):
  - 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe -> 2276 cmd.exe
  - 2276 cmd.exe -> 5024 cmd.exe
  - 5024 cmd.exe -> 3972 takeown.exe
  - 2276 cmd.exe -> 4924 icacls.exe
  - 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe -> 1764 cmd.exe
  - 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe -> 3188 cmd.exe
  - 3188 cmd.exe -> 3516 cmd.exe
  - 3516 cmd.exe -> 444 takeown.exe
  - 3188 cmd.exe -> 4592 icacls.exe
  - 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe -> 1316 taskkill.exe
  - 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe -> 4536 taskkill.exe
  - 4040 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe -> 3204 cmd.exe
Processes (process tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe"
  PID: 4040
  Signatures: Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c 2.bat
    PID: 2276
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f "C:\Windows\System32"
      PID: 5024
      Signatures: Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f "C:\Windows\System32"
        PID: 3972
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\System32" /grant administrators:F
      PID: 4924
      Signatures: Possible privilege escalation attempt; Modifies file permissions

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c 2.bat
    PID: 1764

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c 2.bat
    PID: 3188
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f "C:\Windows\System32"
      PID: 3516
      Signatures: Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f "C:\Windows\System32"
        PID: 444
        Signatures: Possible privilege escalation attempt; Modifies file permissions

    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\System32" /grant administrators:F
      PID: 4592
      Signatures: Possible privilege escalation attempt; Modifies file permissions

  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im "soul.exe"
    PID: 1316
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im "soul.exe"
    PID: 4536
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c 1.bat
    PID: 3204
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 253B
  MD5: dfa62139605a98aa1859c623a9aaf1ca
  SHA1: 917a4320fd269c31126cd069726218d0766f32b1
  SHA256: 75817b09fa299fa35a04be611efe35a237a6ce0b690d3f9d2fce838b33d6ba6e
  SHA512: 40e9e7ea282a036831dd81195b9703949abcc6d7052c0f272430dedf1ac9e3592f0cd97aa5b009306a88967b44bd45e01ec838f53819aec5bbae7f12e148c8bb

- Filesize: 110B
  MD5: 12e768a105dc0d143a5f5becdd12167a
  SHA1: 8f82f11fc9b8921b1a80eb23b600d243a8756766
  SHA256: 0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056
  SHA512: 3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

- Filesize: 110B
  MD5: 12e768a105dc0d143a5f5becdd12167a
  SHA1: 8f82f11fc9b8921b1a80eb23b600d243a8756766
  SHA256: 0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056
  SHA512: 3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

- Filesize: 110B
  MD5: 12e768a105dc0d143a5f5becdd12167a
  SHA1: 8f82f11fc9b8921b1a80eb23b600d243a8756766
  SHA256: 0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056
  SHA512: 3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

- Filesize: 192KB
  MD5: 8f22e17c9af9e95c329ef04e6c3b828b
  SHA1: 5bcad5676899fb75652c664d40943082e3f2819f
  SHA256: b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56
  SHA512: fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

- Filesize: 192KB
  MD5: aafe4cc189edd5a9808503eede104c85
  SHA1: 609dce661aff6d63e0a0f7bd8a4db024afeadfff
  SHA256: fe52d53b0d9966276f312eb15da23a01db52da5b608086d6c4f3c41aa6209ef5
  SHA512: cb464b41a3e85a53042ce13086f63b36b5fc44eeecac7244099cec0ebc7633f3705289ead6efd32d47f7467b8b2cd289f7c8f5c13806eb257a9f5025949d4eea

- Filesize: 12KB
  MD5: d504739e761a70015630c2a634ddd79f
  SHA1: 5a1a9b3557fa9a1702135de551196b9cbb87c74b
  SHA256: deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208
  SHA512: 4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

- Filesize: 12KB
  MD5: d504739e761a70015630c2a634ddd79f
  SHA1: 5a1a9b3557fa9a1702135de551196b9cbb87c74b
  SHA256: deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208
  SHA512: 4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd