51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc

General

Target

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
Size

25KB
MD5

499e71cd68d06aaf78d0057773169cf0
SHA1

ab534a763e7c47994cfabc8982a7d5625af30fad
SHA256

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc
SHA512

085f4299baec796cdcc8cea6647be5e361379c039e3dcd3d3fbe05998fa734b8fd1c1d7dfeb98bac769b18b0601a359d9295fd1f08f9f72c307803190e3d34ec
SSDEEP

768:sWO0AL+Kimjl8i0vGI2eK6w9SMjYvHr8:sOASBsl8LPKHuvHr

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

744 icacls.exe
1608 takeown.exe
268 icacls.exe
2000 takeown.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

828 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2000 takeown.exe
744 icacls.exe
1608 takeown.exe
268 icacls.exe

pid	process
744	icacls.exe
1608	takeown.exe
268	icacls.exe
2000	takeown.exe

pid	process
828	cmd.exe

pid	process
2000	takeown.exe
744	icacls.exe
1608	takeown.exe
268	icacls.exe

Drops file in System32 directory 8 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sxload.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File opened for modification	C:\Windows\SysWOW64\123DF58.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File opened for modification	C:\Windows\syswow64\123DF58.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File opened for modification	C:\Windows\SysWOW64\123EE85.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File opened for modification	C:\Windows\syswow64\123EE85.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File created	C:\Windows\syswow64\sx998.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1780 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

pid process

1764 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

pid	process
1780	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
Token: SeTakeOwnershipPrivilege	2000	takeown.exe
Token: SeDebugPrivilege	1780	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

pid	process
1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1764 wrote to memory of 2004	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 2004	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 2004	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 2004	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 2004 wrote to memory of 948	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 948	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 948	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 948	2004	cmd.exe	cmd.exe
PID 948 wrote to memory of 2000	948	cmd.exe	takeown.exe
PID 948 wrote to memory of 2000	948	cmd.exe	takeown.exe
PID 948 wrote to memory of 2000	948	cmd.exe	takeown.exe
PID 948 wrote to memory of 2000	948	cmd.exe	takeown.exe
PID 2004 wrote to memory of 744	2004	cmd.exe	icacls.exe
PID 2004 wrote to memory of 744	2004	cmd.exe	icacls.exe
PID 2004 wrote to memory of 744	2004	cmd.exe	icacls.exe
PID 2004 wrote to memory of 744	2004	cmd.exe	icacls.exe
PID 1764 wrote to memory of 824	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 824	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 824	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 824	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 824 wrote to memory of 768	824	cmd.exe	cmd.exe
PID 824 wrote to memory of 768	824	cmd.exe	cmd.exe
PID 824 wrote to memory of 768	824	cmd.exe	cmd.exe
PID 824 wrote to memory of 768	824	cmd.exe	cmd.exe
PID 768 wrote to memory of 1608	768	cmd.exe	takeown.exe
PID 768 wrote to memory of 1608	768	cmd.exe	takeown.exe
PID 768 wrote to memory of 1608	768	cmd.exe	takeown.exe
PID 768 wrote to memory of 1608	768	cmd.exe	takeown.exe
PID 824 wrote to memory of 268	824	cmd.exe	icacls.exe
PID 824 wrote to memory of 268	824	cmd.exe	icacls.exe
PID 824 wrote to memory of 268	824	cmd.exe	icacls.exe
PID 824 wrote to memory of 268	824	cmd.exe	icacls.exe
PID 1764 wrote to memory of 1780	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	taskkill.exe
PID 1764 wrote to memory of 1780	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	taskkill.exe
PID 1764 wrote to memory of 1780	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	taskkill.exe
PID 1764 wrote to memory of 1780	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	taskkill.exe
PID 1764 wrote to memory of 828	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 828	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 828	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 1764 wrote to memory of 828	1764	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
"C:\Users\Admin\AppData\Local\Temp\51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1608

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:268

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
0d2837816297e3f58efdb9e865725c67

SHA1
2bffe08bdf2f8b39c2617405808537d3f9655b30

SHA256
888df75a0176aee6f246865e1a2e1104b708a4c09bbc8b9aab1f74820da39278

SHA512
991134330d817d62038c4f853e15126a75b8d28e069c9e17ecb1fddaa0a23570702a54074c0c1c9bfcb16f1c7392783a60479331c168cef7446e4cf16a5312cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
369e1dadd031358386470f65ba268bd4

SHA1
bd57a8526662fbdd17cb938da403c0b5e1d619f1

SHA256
755a3b5a027ce76aa0bb0bc35d71fde7767d2deb81f7d5348d763fbe7257678e

SHA512
a641ed04479a8334b1beeca5cb57d530f249c6672b141c5d5f382ca04abb8a697c3687cc124851c0a7fcf26204f4bb4627d57820b315ce41a5c12bdc922c10fb

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
11KB

MD5
369e1dadd031358386470f65ba268bd4

SHA1
bd57a8526662fbdd17cb938da403c0b5e1d619f1

SHA256
755a3b5a027ce76aa0bb0bc35d71fde7767d2deb81f7d5348d763fbe7257678e

SHA512
a641ed04479a8334b1beeca5cb57d530f249c6672b141c5d5f382ca04abb8a697c3687cc124851c0a7fcf26204f4bb4627d57820b315ce41a5c12bdc922c10fb

Download Submit
memory/268-67-0x0000000000000000-mapping.dmp

Download
memory/744-59-0x0000000000000000-mapping.dmp

Download
memory/768-65-0x0000000000000000-mapping.dmp

Download
memory/824-63-0x0000000000000000-mapping.dmp

Download
memory/828-74-0x0000000000000000-mapping.dmp

Download
memory/948-57-0x0000000000000000-mapping.dmp

Download
memory/1608-66-0x0000000000000000-mapping.dmp

Download
memory/1764-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1764-61-0x0000000074881000-0x0000000074883000-memory.dmp

Filesize
8KB

Download
memory/1764-60-0x0000000074B31000-0x0000000074B33000-memory.dmp

Filesize
8KB

Download
memory/1780-73-0x0000000000000000-mapping.dmp

Download
memory/2000-58-0x0000000000000000-mapping.dmp

Download
memory/2004-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads