Analysis
-
max time kernel: 45s
max time network: 50s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 02-10-2022 09:47
Static task: static1
Behavioral task: behavioral1
Sample: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
Resource: win7-20220812-en
General
-
Target: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
Size: 25KB
MD5: 499e71cd68d06aaf78d0057773169cf0
SHA1: ab534a763e7c47994cfabc8982a7d5625af30fad
SHA256: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc
SHA512: 085f4299baec796cdcc8cea6647be5e361379c039e3dcd3d3fbe05998fa734b8fd1c1d7dfeb98bac769b18b0601a359d9295fd1f08f9f72c307803190e3d34ec
SSDEEP: 768:sWO0AL+Kimjl8i0vGI2eK6w9SMjYvHr8:sOASBsl8LPKHuvHr
Malware Config
Signatures
-
Possible privilege escalation attempt (4 IoCs)
Processes:
  pid   process
  744   icacls.exe
  1608  takeown.exe
  268   icacls.exe
  2000  takeown.exe
-
Deletes itself (1 IoC)
Processes:
  pid   process
  828   cmd.exe
-
Modifies file permissions (1 TTP, 4 IoCs)
Processes:
  pid   process
  2000  takeown.exe
  744   icacls.exe
  1608  takeown.exe
  268   icacls.exe
-
Drops file in System32 directory (8 IoCs)
Processes:
  process: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe (all entries below)
  description                    ioc
  File created                   C:\Windows\SysWOW64\sxload.tmp
  File opened for modification   C:\Windows\SysWOW64\123DF58.tmp
  File opened for modification   C:\Windows\syswow64\123DF58.tmp
  File created                   C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  File opened for modification   C:\Windows\SysWOW64\123EE85.tmp
  File opened for modification   C:\Windows\syswow64\123EE85.tmp
  File created                   C:\Windows\SysWOW64\dllcache\midimap.dll
  File created                   C:\Windows\syswow64\sx998.tmp
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill (1 IoC)
Processes:
  pid   process
  1780  taskkill.exe
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  1764  51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                       pid   process
  Token: SeDebugPrivilege           1764  51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
  Token: SeTakeOwnershipPrivilege   2000  takeown.exe
  Token: SeDebugPrivilege           1780  taskkill.exe
-
Suspicious use of FindShellTrayWindow (8 IoCs)
Processes:
  pid   process
  1764  51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe (recorded 8 times)
-
Suspicious use of WriteProcessMemory (40 IoCs)
Processes (each parent/target pair below is recorded four times in the report, giving the 40 entries):
  pid   process                                                                  target pid   target process
  1764  51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe    2004         cmd.exe
  2004  cmd.exe                                                                  948          cmd.exe
  948   cmd.exe                                                                  2000         takeown.exe
  2004  cmd.exe                                                                  744          icacls.exe
  1764  51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe    824          cmd.exe
  824   cmd.exe                                                                  768          cmd.exe
  768   cmd.exe                                                                  1608         takeown.exe
  824   cmd.exe                                                                  268          icacls.exe
  1764  51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe    1780         taskkill.exe
  1764  51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe    828          cmd.exe
Processes (process tree; indentation shows the parent/child level)
-
C:\Users\Admin\AppData\Local\Temp\51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c 2.bat
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c takeown /f "C:\Windows\syswow64"
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\takeown.exe
        command line: takeown /f "C:\Windows\syswow64"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\icacls.exe
      command line: icacls "C:\Windows\syswow64" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c 2.bat
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c takeown /f "C:\Windows\syswow64"
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\takeown.exe
        command line: takeown /f "C:\Windows\syswow64"
        - Possible privilege escalation attempt
        - Modifies file permissions
    -
    C:\Windows\SysWOW64\icacls.exe
      command line: icacls "C:\Windows\syswow64" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  -
  C:\Windows\SysWOW64\taskkill.exe
    command line: taskkill /f /im "GamePlaza.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c 1.bat
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize: 251B
  MD5: 0d2837816297e3f58efdb9e865725c67
  SHA1: 2bffe08bdf2f8b39c2617405808537d3f9655b30
  SHA256: 888df75a0176aee6f246865e1a2e1104b708a4c09bbc8b9aab1f74820da39278
  SHA512: 991134330d817d62038c4f853e15126a75b8d28e069c9e17ecb1fddaa0a23570702a54074c0c1c9bfcb16f1c7392783a60479331c168cef7446e4cf16a5312cf
-
C:\Users\Admin\AppData\Local\Temp\2.bat
  Filesize: 110B
  MD5: 521e37256443e6b3f2281f217476bf79
  SHA1: 81f0e2b65605f070782cbe241569c6b9a25bb9dc
  SHA256: 79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f
  SHA512: 23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025
-
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  Filesize: 11KB
  MD5: 369e1dadd031358386470f65ba268bd4
  SHA1: bd57a8526662fbdd17cb938da403c0b5e1d619f1
  SHA256: 755a3b5a027ce76aa0bb0bc35d71fde7767d2deb81f7d5348d763fbe7257678e
  SHA512: a641ed04479a8334b1beeca5cb57d530f249c6672b141c5d5f382ca04abb8a697c3687cc124851c0a7fcf26204f4bb4627d57820b315ce41a5c12bdc922c10fb
-
C:\Windows\SysWOW64\rasadhlp.dll
  Filesize: 11KB
  MD5: 369e1dadd031358386470f65ba268bd4
  SHA1: bd57a8526662fbdd17cb938da403c0b5e1d619f1
  SHA256: 755a3b5a027ce76aa0bb0bc35d71fde7767d2deb81f7d5348d763fbe7257678e
  SHA512: a641ed04479a8334b1beeca5cb57d530f249c6672b141c5d5f382ca04abb8a697c3687cc124851c0a7fcf26204f4bb4627d57820b315ce41a5c12bdc922c10fb