266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
Size

1.9MB
MD5

68f740fdaa044220dccf3bbf8eb5e3a1
SHA1

2b93ae066b3d7eb344600f82deb802b00fd59c26
SHA256

266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db
SHA512

e43886967423ce28f7ea99d172639c12b157ef17695c633e9209ed28de19c78912e7b4e785534cce64e419f8d856c67e39d8f6cbfe7bb6dd7a6869be7e9255df

Score

8^/10

discovery exploit

Malware Config

Signatures

Contacts a large (1497) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

p2pseracher.exe

pid process

2016 p2pseracher.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

872 takeown.exe
1912 icacls.exe

pid	process
2016	p2pseracher.exe

pid	process
872	takeown.exe
1912	icacls.exe

Loads dropped DLL 7 IoCs

Processes:

266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exep2pseracher.exe

pid	process
1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
2016	p2pseracher.exe
2016	p2pseracher.exe
2016	p2pseracher.exe
2016	p2pseracher.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

872 takeown.exe
1912 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
872	takeown.exe
1912	icacls.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.execmd.exe

description	pid	process	target process
PID 1856 wrote to memory of 1708	1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe	cmd.exe
PID 1856 wrote to memory of 1708	1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe	cmd.exe
PID 1856 wrote to memory of 1708	1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe	cmd.exe
PID 1856 wrote to memory of 1708	1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe	cmd.exe
PID 1708 wrote to memory of 872	1708	cmd.exe	takeown.exe
PID 1708 wrote to memory of 872	1708	cmd.exe	takeown.exe
PID 1708 wrote to memory of 872	1708	cmd.exe	takeown.exe
PID 1708 wrote to memory of 872	1708	cmd.exe	takeown.exe
PID 1708 wrote to memory of 1912	1708	cmd.exe	icacls.exe
PID 1708 wrote to memory of 1912	1708	cmd.exe	icacls.exe
PID 1708 wrote to memory of 1912	1708	cmd.exe	icacls.exe
PID 1708 wrote to memory of 1912	1708	cmd.exe	icacls.exe
PID 1856 wrote to memory of 2016	1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe	p2pseracher.exe
PID 1856 wrote to memory of 2016	1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe	p2pseracher.exe
PID 1856 wrote to memory of 2016	1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe	p2pseracher.exe
PID 1856 wrote to memory of 2016	1856	266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe	p2pseracher.exe

C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
"C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe" && icacls "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:872

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1912

C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Network Service Scanning

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\P2P8.8\ATL71.DLL
Filesize
87KB

MD5
8f2097e8b174f38178570c611464935f

SHA1
86476819229f4bf00f32e5f0969e19c5b61d1b2a

SHA256
3f25e7b097b65eaf82a6d5b58646dff38ca19347664f40c2b8a409b9d6939457

SHA512
85f60b00b4d2e7d5047d4d0f1b834c23073797fcaea0e14161baac9a7ec719d79782a17ba6aa8da55b933c89b3d94c89696da194c3cf7170c746c8bab7e38904

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\MSVCP71.dll
Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\MSVCR71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\ahtype.txt
Filesize
148B

MD5
dbdae82aa18cc810f845b480ef204886

SHA1
8b1ccb98e1048363a7c5489e5728a1d9ec0f2395

SHA256
d3d8faf9fb5a320bb521c4541b7afa1b8bfa250a0e1482b46ef82a2def011a65

SHA512
d55647bb6ce857c7ac01186a06470aa3a6c320153bb09a04d40c320b3b67be2a877d836ff24ec270bc62b826af16b05d2953baf7a26f90de10f1a7d08c362a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\bootstrap.dat
Filesize
80KB

MD5
bb29d56057237c09d0cc94d81f839cc0

SHA1
08365410bc68a0e0864456b197854ec649b2410c

SHA256
a8fd877044b482df3c4717991ca35a87666c6c352052d293bd022dfe1d9600b4

SHA512
ee7c7eca1ee60bb919279aa26e3a196be4b14c5be58ae885b46eaa2640802090efe52e7d60ef558df19f582f216d9c64faa2e832104d534ca6cc8d83f0e5c7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\hdtype.txt
Filesize
104B

MD5
d5ae49de9da3f033e2a17127d58e2dda

SHA1
5161097f9c569c9cfde4d7fb5b9939abdbe9bb3f

SHA256
556bcb02fa8d4791435116278992fb5b0c1ddd4b553ea261e70dcbdb5c71b499

SHA512
c8a077892c77e52a55b22ac95b2bd76e2c897df7dee510db4c9a3f86cf27f36ec27c0afdeee3f44a5613534e2ab0b8fd23f03a282a220a849efb1562ec11ecb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\kads.cfg
Filesize
273B

MD5
074a6c84775316e147063f9b25971801

SHA1
34b2b84b087a77ac64b9030eb0e9c335dd77f71d

SHA256
cb2eb085edc781d4e86b54529772183f869055ff1f5c0ffa9a71de288fc01a4d

SHA512
63b343337f1ffd83a0d5709e9f2e8700a151625a6c2120a02ccf23651164d9936af394b4dded611a88188fe224fd8f0db9786dfaef0a1e7c56c1c9b14e30ef2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\key_index.dat
Filesize
182B

MD5
6069a5e864f36f71d886296bc0ebd6dd

SHA1
8efe45aebd71f26babdf8a9bd1a1ea5c1149baf0

SHA256
282765e034809aa7192f781884baf60ca09c0a810c44d6987d76096542394d98

SHA512
cdf4ac472e9c65f69444e05428fc11b04afe482cb33162165550f5185487696c76a0cdc23559bb5e553fd2c7fa2ad00cf3bc822fced6a52818140536697f6d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\kwt.txt
Filesize
572B

MD5
821f719b1d8af507c6599d5e786750e3

SHA1
1464b7f8c400476c762b290cfd4e5cad9ae92743

SHA256
c42efb3c8a67cd00402301bdd7038eb6794729889059525b532aca816fb3817c

SHA512
ec9b8c4d4b85c09f6308d6fe0c593f9a227eb6ca297cd5d6f89ba9bd18dfcde46cd90078170cd896260561a11a0c199603c20e371f0c9f3adfdb9cf171c9d463

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\nodes.dat
Filesize
20KB

MD5
8e099ba205ec2a8141a84c0665e5b1b5

SHA1
2a96d1c498a02ff8dc27999b88658267abe219b9

SHA256
967f754d69e123b1fe71a1b27bb3dbc2dcba5d9608ebfa6fb3ce254fd45b4716

SHA512
7ac6046892fd2f86969307daec81004a808774d9cae2a6600f98b655fee502a7bfc54cfdccb223903b620cf53346d6a71304a5e1ecb13bd6a3fc9f1b66835bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\pltype.txt
Filesize
52KB

MD5
459f51c087462eebed727b94352576b4

SHA1
5557003f453c1a24b0aa1895a430309c5f1f30ab

SHA256
acab24854270743af8e361facdd40509460359515c41b1c3891fb03824f2b02f

SHA512
d444feaf40c4c670a68ef770ce30eb6ad12a234f4e1415c337ce768c03f68fdc39827f54c4ba9308adcf1f2f8dd16f3564383a5a196a88fb51ad8e8a6ed7b32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\server.met
Filesize
4KB

MD5
7599b95677a646d488c2abbb10a3ed39

SHA1
2f492859d8434670ece03687665fc34e46f68f48

SHA256
593a4e177f37e0c6bfbfad77a673e1d2777574a19852e4bb7056a409b5c69231

SHA512
8e1a20b287e5d06ce490740ecf45d8f360bd87423e9ed7a0457391904e202501e7b0c6a61d8454f0bffd3a435d9b48708ab5dc671c4c34ce261eefc42a05f057

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\userconfig.ini
Filesize
64B

MD5
9b7893cb82e57c63790198c161e7efd7

SHA1
31859ebfbbdbc01a46b13b7ce0df709b2e2effd4

SHA256
53cb6bef50ca005c79ee00006ccd76d979608961fdab4bad313e6f1bf71ed4a3

SHA512
2f624da973a8b247bfe183b75f34ed344b2fffddf2b05a32e7ea49c362fde2bd5b42762c9f4d836d25554f4533ac1a4057bbf7e24144bcdafa48b31344a7666b

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\yhtype.txt
Filesize
1KB

MD5
a2d8f20289d8a80c77a690d1c5d08bf5

SHA1
ec9b997b1f8ec818f5350eb1057bcd26e2ada725

SHA256
5ada89c32b753fe3a55e2c44b6adfd57da2b32574f8fb15cb48789eec985e5c4

SHA512
b71ea9ccba4cdf7f6e93bc7d159f1a9aec257bca7f968cd6bf59a35e8bc2324a47497a1455f8534e57ed85fed4fa3d22e9e4c9a9185a4a33b97b487db6541db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2phelper.dll
Filesize
41KB

MD5
e1c3d405a869ee28408debce9dee8702

SHA1
cad86d0ff71e7bb1c7f4a2f463d732b5d35efee3

SHA256
15aefdd05514d88e1b35098bc131108685fee9a3c6031214f4dba2c4d4452414

SHA512
c93c08ce2e5a28596acd881f9702ae2f086bc14002e31844e5ee94697b6e545774464003c451d43d2b485e43b207ca7fc6c18996ab6154cf08a2f257ca9f6d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
Filesize
2.1MB

MD5
7db1f6a34a6b8e6f2b77ad35029515bd

SHA1
d9de7d17248a89cb465545a7216a2f2a8d1a6ef9

SHA256
75139e61b9e2a1f9fa607eda078c79c93d6ddc49456347ad2479e4bb082124eb

SHA512
f3bd6ee44a041d5475b98c09399846c97e160c727c7dae0f3446431c23ed4ba915f5ee8baa796a760f59c1e0218a73a5ad8124e67f7ce4ca9c59adf558379e51

Download Submit
\Users\Admin\AppData\Local\Temp\P2P8.8\MSVCP71.DLL
Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
\Users\Admin\AppData\Local\Temp\P2P8.8\atl71.dll
Filesize
87KB

MD5
8f2097e8b174f38178570c611464935f

SHA1
86476819229f4bf00f32e5f0969e19c5b61d1b2a

SHA256
3f25e7b097b65eaf82a6d5b58646dff38ca19347664f40c2b8a409b9d6939457

SHA512
85f60b00b4d2e7d5047d4d0f1b834c23073797fcaea0e14161baac9a7ec719d79782a17ba6aa8da55b933c89b3d94c89696da194c3cf7170c746c8bab7e38904

Download Submit
\Users\Admin\AppData\Local\Temp\P2P8.8\msvcr71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
\Users\Admin\AppData\Local\Temp\P2P8.8\p2pHelper.dll
Filesize
41KB

MD5
e1c3d405a869ee28408debce9dee8702

SHA1
cad86d0ff71e7bb1c7f4a2f463d732b5d35efee3

SHA256
15aefdd05514d88e1b35098bc131108685fee9a3c6031214f4dba2c4d4452414

SHA512
c93c08ce2e5a28596acd881f9702ae2f086bc14002e31844e5ee94697b6e545774464003c451d43d2b485e43b207ca7fc6c18996ab6154cf08a2f257ca9f6d2e

Download Submit
\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
Filesize
2.1MB

MD5
7db1f6a34a6b8e6f2b77ad35029515bd

SHA1
d9de7d17248a89cb465545a7216a2f2a8d1a6ef9

SHA256
75139e61b9e2a1f9fa607eda078c79c93d6ddc49456347ad2479e4bb082124eb

SHA512
f3bd6ee44a041d5475b98c09399846c97e160c727c7dae0f3446431c23ed4ba915f5ee8baa796a760f59c1e0218a73a5ad8124e67f7ce4ca9c59adf558379e51

Download Submit
\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
Filesize
2.1MB

MD5
7db1f6a34a6b8e6f2b77ad35029515bd

SHA1
d9de7d17248a89cb465545a7216a2f2a8d1a6ef9

SHA256
75139e61b9e2a1f9fa607eda078c79c93d6ddc49456347ad2479e4bb082124eb

SHA512
f3bd6ee44a041d5475b98c09399846c97e160c727c7dae0f3446431c23ed4ba915f5ee8baa796a760f59c1e0218a73a5ad8124e67f7ce4ca9c59adf558379e51

Download Submit
\Users\Admin\AppData\Local\Temp\nsy7F02.tmp\nsExec.dll
Filesize
6KB

MD5
65dbdc0699a39d6e3c5e651c5c680bb5

SHA1
78cfe15265a6549cf4088e971c48a511c391c3c7

SHA256
3a5a67734b006ebb93e3a6cdf32caf20fe3c9cfdc25c8c872f4cea76b95aa6af

SHA512
c4f2f2a61f91b636c682533c388d872c1831c81c5691579d394a8768edf097e938737ac26f91dfec67dc7a157164981f3e8ebd35478654954f2c8e865fb9713e

Download Submit
memory/872-57-0x0000000000000000-mapping.dmp

Download
memory/1708-56-0x0000000000000000-mapping.dmp

Download
memory/1856-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

Filesize
8KB

Download
memory/1912-58-0x0000000000000000-mapping.dmp

Download
memory/2016-61-0x0000000000000000-mapping.dmp

Download