c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9

General

Target

c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe
Size

134KB
MD5

cf174472200c2c0205782d352735b594
SHA1

1e462e8c90aaec05f6dfbb3d91e5b8e5fd610517
SHA256

c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9
SHA512

3293c8eb7d5515e100c17febebab81065f474d82b314e1cdc0e65d3a4aea789ecf412ca0807e5a2ba518593697bfe1547553133696c8c7c1a21662a31a4be3c8
SSDEEP

3072:kV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPLipC+r:Jt5hBPi0BW69hd1MMdxPe9N9uA069TBc

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 20 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
1076	takeown.exe
284	takeown.exe
1876	icacls.exe
844	icacls.exe
872	icacls.exe
1072	takeown.exe
704	icacls.exe
1696	icacls.exe
1400	icacls.exe
1260	takeown.exe
1708	takeown.exe
1972	icacls.exe
1924	icacls.exe
1292	icacls.exe
692	takeown.exe
1444	takeown.exe
1576	takeown.exe
932	icacls.exe
1488	takeown.exe
1968	takeown.exe

Modifies file permissions 1 TTPs 20 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exe

pid	process
1292	icacls.exe
932	icacls.exe
704	icacls.exe
1260	takeown.exe
844	icacls.exe
1708	takeown.exe
872	icacls.exe
1924	icacls.exe
1876	icacls.exe
1972	icacls.exe
284	takeown.exe
1488	takeown.exe
1076	takeown.exe
1072	takeown.exe
1968	takeown.exe
692	takeown.exe
1444	takeown.exe
1576	takeown.exe
1696	icacls.exe
1400	icacls.exe

Drops file in Windows directory 11 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\Boot\DVD\EFI\en-US\efisys.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\boot.sdi	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\it-IT\bootfix.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\boot.sdi	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\BCD	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\es-ES\bootfix.bin	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\etfsboot.com	cmd.exe
File opened for modification	C:\Windows\Boot\DVD\PCAT\ja-JP\bootfix.bin	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1076	takeown.exe
Token: SeTakeOwnershipPrivilege	1444	takeown.exe
Token: SeTakeOwnershipPrivilege	284	takeown.exe
Token: SeTakeOwnershipPrivilege	1072	takeown.exe
Token: SeTakeOwnershipPrivilege	1576	takeown.exe
Token: SeTakeOwnershipPrivilege	1488	takeown.exe
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeTakeOwnershipPrivilege	692	takeown.exe
Token: SeTakeOwnershipPrivilege	1260	takeown.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.execmd.exe

description	pid	process	target process
PID 972 wrote to memory of 280	972	c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe	cmd.exe
PID 972 wrote to memory of 280	972	c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe	cmd.exe
PID 972 wrote to memory of 280	972	c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe	cmd.exe
PID 280 wrote to memory of 1076	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1076	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1076	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 844	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 844	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 844	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1708	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1708	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1708	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 872	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 872	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 872	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1444	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1444	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1444	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1972	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1972	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1972	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 284	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 284	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 284	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1924	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1924	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1924	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1072	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1072	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1072	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1292	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1292	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1292	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1576	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1576	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1576	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 932	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 932	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 932	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1488	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1488	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1488	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 704	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 704	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 704	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1968	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1968	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1968	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1696	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1696	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1696	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 692	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 692	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 692	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1400	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1400	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1400	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1260	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1260	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1260	280	cmd.exe	takeown.exe
PID 280 wrote to memory of 1876	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1876	280	cmd.exe	icacls.exe
PID 280 wrote to memory of 1876	280	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe
"C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3535.tmp\3536.tmp\3537.bat C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ntoskrnl.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:844

C:\Windows\system32\takeown.exe
takeown -r -f -skipsl "C:\Windows\Boot"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1708

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:872

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\bfsvc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1972

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\kernel32.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1924

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\advapi32.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1292

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\user32.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:932

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\gdi32.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:704

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\win32k.sys"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1696

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\ntdll.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1400

C:\Windows\system32\takeown.exe
takeown -f "C:\Windows\System32\hall.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\icacls.exe
ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1876

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3535.tmp\3536.tmp\3537.bat
Filesize
1KB

MD5
e666a33a40b3660f6f1ac5ce390d856a

SHA1
9ae70be123a8a7837c314030c06202ee61cbf52e

SHA256
8c50b2f52383a41d0186436281f4f804144ef1dcd12dd638840e32d4cc2c6488

SHA512
69c59de096b6ebc30629b8d63a8fab1870e3a466c8d36edd31384ed6f0c19e50b17ed56b9779960513a2da2a9dedde4d27e755bb084499220fda719dfb74be5d

Download Submit
memory/280-55-0x0000000000000000-mapping.dmp

Download
memory/284-63-0x0000000000000000-mapping.dmp

Download
memory/692-73-0x0000000000000000-mapping.dmp

Download
memory/704-70-0x0000000000000000-mapping.dmp

Download
memory/844-58-0x0000000000000000-mapping.dmp

Download
memory/872-60-0x0000000000000000-mapping.dmp

Download
memory/932-68-0x0000000000000000-mapping.dmp

Download
memory/972-54-0x000007FEFB971000-0x000007FEFB973000-memory.dmp

Filesize
8KB

Download
memory/1072-65-0x0000000000000000-mapping.dmp

Download
memory/1076-57-0x0000000000000000-mapping.dmp

Download
memory/1260-75-0x0000000000000000-mapping.dmp

Download
memory/1292-66-0x0000000000000000-mapping.dmp

Download
memory/1400-74-0x0000000000000000-mapping.dmp

Download
memory/1444-61-0x0000000000000000-mapping.dmp

Download
memory/1488-69-0x0000000000000000-mapping.dmp

Download
memory/1576-67-0x0000000000000000-mapping.dmp

Download
memory/1696-72-0x0000000000000000-mapping.dmp

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download
memory/1876-76-0x0000000000000000-mapping.dmp

Download
memory/1924-64-0x0000000000000000-mapping.dmp

Download
memory/1968-71-0x0000000000000000-mapping.dmp

Download
memory/1972-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads