Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:22
Static task: static1
Behavioral task: behavioral1
Sample: 266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
Resource: win7-20220414-en
General
- Target: 266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
- Size: 1.9MB
- MD5: 68f740fdaa044220dccf3bbf8eb5e3a1
- SHA1: 2b93ae066b3d7eb344600f82deb802b00fd59c26
- SHA256: 266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db
- SHA512: e43886967423ce28f7ea99d172639c12b157ef17695c633e9209ed28de19c78912e7b4e785534cce64e419f8d856c67e39d8f6cbfe7bb6dd7a6869be7e9255df
Malware Config
Signatures
- Contacts a large (1955) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    744   p2pseracher.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid   process
    1252  takeown.exe
    400   icacls.exe
- Loads dropped DLL (5 IoCs)
  Processes:
    pid   process
    4908  266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
    744   p2pseracher.exe
    744   p2pseracher.exe
    744   p2pseracher.exe
    744   p2pseracher.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    pid   process
    1252  takeown.exe
    400   icacls.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    744   p2pseracher.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                        pid   process                                                                   target process
    PID 4908 wrote to memory of 5108   4908  266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe  cmd.exe
    PID 4908 wrote to memory of 5108   4908  266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe  cmd.exe
    PID 4908 wrote to memory of 5108   4908  266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe  cmd.exe
    PID 5108 wrote to memory of 1252   5108  cmd.exe                                                                   takeown.exe
    PID 5108 wrote to memory of 1252   5108  cmd.exe                                                                   takeown.exe
    PID 5108 wrote to memory of 1252   5108  cmd.exe                                                                   takeown.exe
    PID 5108 wrote to memory of 400    5108  cmd.exe                                                                   icacls.exe
    PID 5108 wrote to memory of 400    5108  cmd.exe                                                                   icacls.exe
    PID 5108 wrote to memory of 400    5108  cmd.exe                                                                   icacls.exe
    PID 4908 wrote to memory of 744    4908  266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe  p2pseracher.exe
    PID 4908 wrote to memory of 744    4908  266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe  p2pseracher.exe
    PID 4908 wrote to memory of 744    4908  266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe  p2pseracher.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe" && icacls "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe" /grant administrators:F
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
    - Level 3: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\Temp\266c99d5407fe73ceba95de2a075c0cb9c99dc5cc39f5f672b79bb4a0bc314db.exe" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - Level 2: C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\ATL71.DLL
  Filesize: 87KB
  MD5: 8f2097e8b174f38178570c611464935f
  SHA1: 86476819229f4bf00f32e5f0969e19c5b61d1b2a
  SHA256: 3f25e7b097b65eaf82a6d5b58646dff38ca19347664f40c2b8a409b9d6939457
  SHA512: 85f60b00b4d2e7d5047d4d0f1b834c23073797fcaea0e14161baac9a7ec719d79782a17ba6aa8da55b933c89b3d94c89696da194c3cf7170c746c8bab7e38904
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\MSVCP71.DLL
  Filesize: 488KB
  MD5: 561fa2abb31dfa8fab762145f81667c2
  SHA1: c8ccb04eedac821a13fae314a2435192860c72b8
  SHA256: df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b
  SHA512: 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\MSVCP71.dll
  Filesize: 488KB
  MD5: 561fa2abb31dfa8fab762145f81667c2
  SHA1: c8ccb04eedac821a13fae314a2435192860c72b8
  SHA256: df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b
  SHA512: 7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\MSVCR71.dll
  Filesize: 340KB
  MD5: 86f1895ae8c5e8b17d99ece768a70732
  SHA1: d5502a1d00787d68f548ddeebbde1eca5e2b38ca
  SHA256: 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
  SHA512: 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\atl71.dll
  Filesize: 87KB
  MD5: 8f2097e8b174f38178570c611464935f
  SHA1: 86476819229f4bf00f32e5f0969e19c5b61d1b2a
  SHA256: 3f25e7b097b65eaf82a6d5b58646dff38ca19347664f40c2b8a409b9d6939457
  SHA512: 85f60b00b4d2e7d5047d4d0f1b834c23073797fcaea0e14161baac9a7ec719d79782a17ba6aa8da55b933c89b3d94c89696da194c3cf7170c746c8bab7e38904
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\ahtype.txt
  Filesize: 148B
  MD5: dbdae82aa18cc810f845b480ef204886
  SHA1: 8b1ccb98e1048363a7c5489e5728a1d9ec0f2395
  SHA256: d3d8faf9fb5a320bb521c4541b7afa1b8bfa250a0e1482b46ef82a2def011a65
  SHA512: d55647bb6ce857c7ac01186a06470aa3a6c320153bb09a04d40c320b3b67be2a877d836ff24ec270bc62b826af16b05d2953baf7a26f90de10f1a7d08c362a05
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\bootstrap.dat
  Filesize: 80KB
  MD5: bb29d56057237c09d0cc94d81f839cc0
  SHA1: 08365410bc68a0e0864456b197854ec649b2410c
  SHA256: a8fd877044b482df3c4717991ca35a87666c6c352052d293bd022dfe1d9600b4
  SHA512: ee7c7eca1ee60bb919279aa26e3a196be4b14c5be58ae885b46eaa2640802090efe52e7d60ef558df19f582f216d9c64faa2e832104d534ca6cc8d83f0e5c7ae
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\hdtype.txt
  Filesize: 104B
  MD5: d5ae49de9da3f033e2a17127d58e2dda
  SHA1: 5161097f9c569c9cfde4d7fb5b9939abdbe9bb3f
  SHA256: 556bcb02fa8d4791435116278992fb5b0c1ddd4b553ea261e70dcbdb5c71b499
  SHA512: c8a077892c77e52a55b22ac95b2bd76e2c897df7dee510db4c9a3f86cf27f36ec27c0afdeee3f44a5613534e2ab0b8fd23f03a282a220a849efb1562ec11ecb1
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\kads.cfg
  Filesize: 273B
  MD5: 074a6c84775316e147063f9b25971801
  SHA1: 34b2b84b087a77ac64b9030eb0e9c335dd77f71d
  SHA256: cb2eb085edc781d4e86b54529772183f869055ff1f5c0ffa9a71de288fc01a4d
  SHA512: 63b343337f1ffd83a0d5709e9f2e8700a151625a6c2120a02ccf23651164d9936af394b4dded611a88188fe224fd8f0db9786dfaef0a1e7c56c1c9b14e30ef2b
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\key_index.dat
  Filesize: 182B
  MD5: 6069a5e864f36f71d886296bc0ebd6dd
  SHA1: 8efe45aebd71f26babdf8a9bd1a1ea5c1149baf0
  SHA256: 282765e034809aa7192f781884baf60ca09c0a810c44d6987d76096542394d98
  SHA512: cdf4ac472e9c65f69444e05428fc11b04afe482cb33162165550f5185487696c76a0cdc23559bb5e553fd2c7fa2ad00cf3bc822fced6a52818140536697f6d80
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\kwt.txt
  Filesize: 572B
  MD5: 821f719b1d8af507c6599d5e786750e3
  SHA1: 1464b7f8c400476c762b290cfd4e5cad9ae92743
  SHA256: c42efb3c8a67cd00402301bdd7038eb6794729889059525b532aca816fb3817c
  SHA512: ec9b8c4d4b85c09f6308d6fe0c593f9a227eb6ca297cd5d6f89ba9bd18dfcde46cd90078170cd896260561a11a0c199603c20e371f0c9f3adfdb9cf171c9d463
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\nodes.dat
  Filesize: 20KB
  MD5: 8e099ba205ec2a8141a84c0665e5b1b5
  SHA1: 2a96d1c498a02ff8dc27999b88658267abe219b9
  SHA256: 967f754d69e123b1fe71a1b27bb3dbc2dcba5d9608ebfa6fb3ce254fd45b4716
  SHA512: 7ac6046892fd2f86969307daec81004a808774d9cae2a6600f98b655fee502a7bfc54cfdccb223903b620cf53346d6a71304a5e1ecb13bd6a3fc9f1b66835bc5
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\pltype.txt
  Filesize: 52KB
  MD5: 459f51c087462eebed727b94352576b4
  SHA1: 5557003f453c1a24b0aa1895a430309c5f1f30ab
  SHA256: acab24854270743af8e361facdd40509460359515c41b1c3891fb03824f2b02f
  SHA512: d444feaf40c4c670a68ef770ce30eb6ad12a234f4e1415c337ce768c03f68fdc39827f54c4ba9308adcf1f2f8dd16f3564383a5a196a88fb51ad8e8a6ed7b32e
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\server.met
  Filesize: 4KB
  MD5: 7599b95677a646d488c2abbb10a3ed39
  SHA1: 2f492859d8434670ece03687665fc34e46f68f48
  SHA256: 593a4e177f37e0c6bfbfad77a673e1d2777574a19852e4bb7056a409b5c69231
  SHA512: 8e1a20b287e5d06ce490740ecf45d8f360bd87423e9ed7a0457391904e202501e7b0c6a61d8454f0bffd3a435d9b48708ab5dc671c4c34ce261eefc42a05f057
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\userconfig.ini
  Filesize: 64B
  MD5: 9b7893cb82e57c63790198c161e7efd7
  SHA1: 31859ebfbbdbc01a46b13b7ce0df709b2e2effd4
  SHA256: 53cb6bef50ca005c79ee00006ccd76d979608961fdab4bad313e6f1bf71ed4a3
  SHA512: 2f624da973a8b247bfe183b75f34ed344b2fffddf2b05a32e7ea49c362fde2bd5b42762c9f4d836d25554f4533ac1a4057bbf7e24144bcdafa48b31344a7666b
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\config\yhtype.txt
  Filesize: 1KB
  MD5: a2d8f20289d8a80c77a690d1c5d08bf5
  SHA1: ec9b997b1f8ec818f5350eb1057bcd26e2ada725
  SHA256: 5ada89c32b753fe3a55e2c44b6adfd57da2b32574f8fb15cb48789eec985e5c4
  SHA512: b71ea9ccba4cdf7f6e93bc7d159f1a9aec257bca7f968cd6bf59a35e8bc2324a47497a1455f8534e57ed85fed4fa3d22e9e4c9a9185a4a33b97b487db6541db1
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\msvcr71.dll
  Filesize: 340KB
  MD5: 86f1895ae8c5e8b17d99ece768a70732
  SHA1: d5502a1d00787d68f548ddeebbde1eca5e2b38ca
  SHA256: 8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe
  SHA512: 3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2pHelper.dll
  Filesize: 41KB
  MD5: e1c3d405a869ee28408debce9dee8702
  SHA1: cad86d0ff71e7bb1c7f4a2f463d732b5d35efee3
  SHA256: 15aefdd05514d88e1b35098bc131108685fee9a3c6031214f4dba2c4d4452414
  SHA512: c93c08ce2e5a28596acd881f9702ae2f086bc14002e31844e5ee94697b6e545774464003c451d43d2b485e43b207ca7fc6c18996ab6154cf08a2f257ca9f6d2e
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2phelper.dll
  Filesize: 41KB
  MD5: e1c3d405a869ee28408debce9dee8702
  SHA1: cad86d0ff71e7bb1c7f4a2f463d732b5d35efee3
  SHA256: 15aefdd05514d88e1b35098bc131108685fee9a3c6031214f4dba2c4d4452414
  SHA512: c93c08ce2e5a28596acd881f9702ae2f086bc14002e31844e5ee94697b6e545774464003c451d43d2b485e43b207ca7fc6c18996ab6154cf08a2f257ca9f6d2e
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
  Filesize: 2.1MB
  MD5: 7db1f6a34a6b8e6f2b77ad35029515bd
  SHA1: d9de7d17248a89cb465545a7216a2f2a8d1a6ef9
  SHA256: 75139e61b9e2a1f9fa607eda078c79c93d6ddc49456347ad2479e4bb082124eb
  SHA512: f3bd6ee44a041d5475b98c09399846c97e160c727c7dae0f3446431c23ed4ba915f5ee8baa796a760f59c1e0218a73a5ad8124e67f7ce4ca9c59adf558379e51
- C:\Users\Admin\AppData\Local\Temp\P2P8.8\p2pseracher.exe
  Filesize: 2.1MB
  MD5: 7db1f6a34a6b8e6f2b77ad35029515bd
  SHA1: d9de7d17248a89cb465545a7216a2f2a8d1a6ef9
  SHA256: 75139e61b9e2a1f9fa607eda078c79c93d6ddc49456347ad2479e4bb082124eb
  SHA512: f3bd6ee44a041d5475b98c09399846c97e160c727c7dae0f3446431c23ed4ba915f5ee8baa796a760f59c1e0218a73a5ad8124e67f7ce4ca9c59adf558379e51
- C:\Users\Admin\AppData\Local\Temp\nst9E2B.tmp\nsExec.dll
  Filesize: 6KB
  MD5: 65dbdc0699a39d6e3c5e651c5c680bb5
  SHA1: 78cfe15265a6549cf4088e971c48a511c391c3c7
  SHA256: 3a5a67734b006ebb93e3a6cdf32caf20fe3c9cfdc25c8c872f4cea76b95aa6af
  SHA512: c4f2f2a61f91b636c682533c388d872c1831c81c5691579d394a8768edf097e938737ac26f91dfec67dc7a157164981f3e8ebd35478654954f2c8e865fb9713e
- memory/400-133-0x0000000000000000-mapping.dmp
- memory/744-134-0x0000000000000000-mapping.dmp
- memory/1252-132-0x0000000000000000-mapping.dmp
- memory/5108-131-0x0000000000000000-mapping.dmp