72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce

General

Target

72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
Size

26KB
MD5

2f900ad4ecd1726c9001bc41a42073cc
SHA1

98eda90f954cd3dc68fe58e8b9738487256e66c3
SHA256

72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce
SHA512

bb99fba927b802eb25ab0672b2eeefdfb56c18e763e7b202ef6bd0cc7a824583f00b6df5f947bd6fce23be957f4af0e133fbfefc6f7c553356c460badb19735a
SSDEEP

384:fiwLXY3y9eHBgVmtCFbxRbA+4okzNC6ybGMhTKNljsq+Vhnka0+itIY/JLjP4L3W:fixCg6tdRbA+4CBbhKNWqc++it7R23W

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4592 icacls.exe
3972 takeown.exe
4924 icacls.exe
444 takeown.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3972 takeown.exe
4924 icacls.exe
444 takeown.exe
4592 icacls.exe

pid	process
4592	icacls.exe
3972	takeown.exe
4924	icacls.exe
444	takeown.exe

pid	process
3972	takeown.exe
4924	icacls.exe
444	takeown.exe
4592	icacls.exe

Drops file in System32 directory 7 IoCs

Processes:

72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
File opened for modification	C:\Windows\SysWOW64\1232E55.tmp	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
File opened for modification	C:\Windows\SysWOW64\123353C.tmp	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
File created	C:\Windows\SysWOW64\sxload.tmp	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
File opened for modification	C:\Windows\SysWOW64\123156D.tmp	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe

Drops file in Program Files directory 1 IoCs

Processes:

72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxmy.tmp 72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1316 taskkill.exe
4536 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxmy.tmp	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe

pid	process
1316	taskkill.exe
4536	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe

pid	process
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
Token: SeTakeOwnershipPrivilege	3972	takeown.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	4536	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe

pid	process
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 2276	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 2276	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 2276	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 2276 wrote to memory of 5024	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 5024	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 5024	2276	cmd.exe	cmd.exe
PID 5024 wrote to memory of 3972	5024	cmd.exe	takeown.exe
PID 5024 wrote to memory of 3972	5024	cmd.exe	takeown.exe
PID 5024 wrote to memory of 3972	5024	cmd.exe	takeown.exe
PID 2276 wrote to memory of 4924	2276	cmd.exe	icacls.exe
PID 2276 wrote to memory of 4924	2276	cmd.exe	icacls.exe
PID 2276 wrote to memory of 4924	2276	cmd.exe	icacls.exe
PID 4040 wrote to memory of 1764	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 1764	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 1764	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 3188	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 3188	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 3188	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 3188 wrote to memory of 3516	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 3516	3188	cmd.exe	cmd.exe
PID 3188 wrote to memory of 3516	3188	cmd.exe	cmd.exe
PID 3516 wrote to memory of 444	3516	cmd.exe	takeown.exe
PID 3516 wrote to memory of 444	3516	cmd.exe	takeown.exe
PID 3516 wrote to memory of 444	3516	cmd.exe	takeown.exe
PID 3188 wrote to memory of 4592	3188	cmd.exe	icacls.exe
PID 3188 wrote to memory of 4592	3188	cmd.exe	icacls.exe
PID 3188 wrote to memory of 4592	3188	cmd.exe	icacls.exe
PID 4040 wrote to memory of 1316	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	taskkill.exe
PID 4040 wrote to memory of 1316	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	taskkill.exe
PID 4040 wrote to memory of 1316	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	taskkill.exe
PID 4040 wrote to memory of 4536	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	taskkill.exe
PID 4040 wrote to memory of 4536	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	taskkill.exe
PID 4040 wrote to memory of 4536	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	taskkill.exe
PID 4040 wrote to memory of 3204	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 3204	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe
PID 4040 wrote to memory of 3204	4040	72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe
"C:\Users\Admin\AppData\Local\Temp\72bb16b9c12138cdacbd260e8176acd8d2e4dee422c384e7251ffefa04cf6fce.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:444

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "soul.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
253B

MD5
dfa62139605a98aa1859c623a9aaf1ca

SHA1
917a4320fd269c31126cd069726218d0766f32b1

SHA256
75817b09fa299fa35a04be611efe35a237a6ce0b690d3f9d2fce838b33d6ba6e

SHA512
40e9e7ea282a036831dd81195b9703949abcc6d7052c0f272430dedf1ac9e3592f0cd97aa5b009306a88967b44bd45e01ec838f53819aec5bbae7f12e148c8bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\123156D.tmp

Filesize
192KB

MD5
8f22e17c9af9e95c329ef04e6c3b828b

SHA1
5bcad5676899fb75652c664d40943082e3f2819f

SHA256
b46cfd24d06e83a3404a4e29c511d7c5aed82bbfb9f353cd71fb0b4f6bda1a56

SHA512
fb8694ed8a3f4c35d32c7db2b6b5caa502ce1c298d69518120cfca981aab7ab19c03426a22aeb7d4fc9ee2071a021f5a029e6c12857db9407a173fc9e96342f4

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll

Filesize
192KB

MD5
aafe4cc189edd5a9808503eede104c85

SHA1
609dce661aff6d63e0a0f7bd8a4db024afeadfff

SHA256
fe52d53b0d9966276f312eb15da23a01db52da5b608086d6c4f3c41aa6209ef5

SHA512
cb464b41a3e85a53042ce13086f63b36b5fc44eeecac7244099cec0ebc7633f3705289ead6efd32d47f7467b8b2cd289f7c8f5c13806eb257a9f5025949d4eea

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll

Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll

Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
memory/444-142-0x0000000000000000-mapping.dmp

Download
memory/1316-148-0x0000000000000000-mapping.dmp

Download
memory/1764-138-0x0000000000000000-mapping.dmp

Download
memory/2276-132-0x0000000000000000-mapping.dmp

Download
memory/3188-139-0x0000000000000000-mapping.dmp

Download
memory/3204-150-0x0000000000000000-mapping.dmp

Download
memory/3516-141-0x0000000000000000-mapping.dmp

Download
memory/3972-135-0x0000000000000000-mapping.dmp

Download
memory/4536-149-0x0000000000000000-mapping.dmp

Download
memory/4592-143-0x0000000000000000-mapping.dmp

Download
memory/4924-136-0x0000000000000000-mapping.dmp

Download
memory/5024-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads