51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc

General

Target

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
Size

25KB
MD5

499e71cd68d06aaf78d0057773169cf0
SHA1

ab534a763e7c47994cfabc8982a7d5625af30fad
SHA256

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc
SHA512

085f4299baec796cdcc8cea6647be5e361379c039e3dcd3d3fbe05998fa734b8fd1c1d7dfeb98bac769b18b0601a359d9295fd1f08f9f72c307803190e3d34ec
SSDEEP

768:sWO0AL+Kimjl8i0vGI2eK6w9SMjYvHr8:sOASBsl8LPKHuvHr

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1940 icacls.exe
4124 takeown.exe
2208 icacls.exe
1192 takeown.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1192 takeown.exe
1940 icacls.exe
4124 takeown.exe
2208 icacls.exe

pid	process
1940	icacls.exe
4124	takeown.exe
2208	icacls.exe
1192	takeown.exe

pid	process
1192	takeown.exe
1940	icacls.exe
4124	takeown.exe
2208	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\123FFD1.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File opened for modification	C:\Windows\SysWOW64\123F91.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File created	C:\Windows\SysWOW64\sx998.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
File created	C:\Windows\SysWOW64\sxload.tmp	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1668 taskkill.exe

pid	process
1668	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

pid	process
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
Token: SeTakeOwnershipPrivilege	4124	takeown.exe
Token: SeDebugPrivilege	1668	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

pid	process
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2796 wrote to memory of 2416	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 2796 wrote to memory of 2416	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 2796 wrote to memory of 2416	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 2416 wrote to memory of 64	2416	cmd.exe	cmd.exe
PID 2416 wrote to memory of 64	2416	cmd.exe	cmd.exe
PID 2416 wrote to memory of 64	2416	cmd.exe	cmd.exe
PID 64 wrote to memory of 4124	64	cmd.exe	takeown.exe
PID 64 wrote to memory of 4124	64	cmd.exe	takeown.exe
PID 64 wrote to memory of 4124	64	cmd.exe	takeown.exe
PID 2416 wrote to memory of 2208	2416	cmd.exe	icacls.exe
PID 2416 wrote to memory of 2208	2416	cmd.exe	icacls.exe
PID 2416 wrote to memory of 2208	2416	cmd.exe	icacls.exe
PID 2796 wrote to memory of 5036	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 2796 wrote to memory of 5036	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 2796 wrote to memory of 5036	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 5036 wrote to memory of 1952	5036	cmd.exe	cmd.exe
PID 5036 wrote to memory of 1952	5036	cmd.exe	cmd.exe
PID 5036 wrote to memory of 1952	5036	cmd.exe	cmd.exe
PID 1952 wrote to memory of 1192	1952	cmd.exe	takeown.exe
PID 1952 wrote to memory of 1192	1952	cmd.exe	takeown.exe
PID 1952 wrote to memory of 1192	1952	cmd.exe	takeown.exe
PID 5036 wrote to memory of 1940	5036	cmd.exe	icacls.exe
PID 5036 wrote to memory of 1940	5036	cmd.exe	icacls.exe
PID 5036 wrote to memory of 1940	5036	cmd.exe	icacls.exe
PID 2796 wrote to memory of 1668	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	taskkill.exe
PID 2796 wrote to memory of 1668	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	taskkill.exe
PID 2796 wrote to memory of 1668	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	taskkill.exe
PID 2796 wrote to memory of 2060	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 2796 wrote to memory of 2060	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe
PID 2796 wrote to memory of 2060	2796	51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
"C:\Users\Admin\AppData\Local\Temp\51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1192

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1940

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
0d2837816297e3f58efdb9e865725c67

SHA1
2bffe08bdf2f8b39c2617405808537d3f9655b30

SHA256
888df75a0176aee6f246865e1a2e1104b708a4c09bbc8b9aab1f74820da39278

SHA512
991134330d817d62038c4f853e15126a75b8d28e069c9e17ecb1fddaa0a23570702a54074c0c1c9bfcb16f1c7392783a60479331c168cef7446e4cf16a5312cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
3ffbf743abbb669729f846476d177132

SHA1
0c9a8fd8950bbb0ce06cf40c96596dc5ff7dcbe8

SHA256
30dd2be2c256f28f4adf7403d5a4395e71eb96a44fbc63aa308a6d1b98482c4b

SHA512
1c02fb80a0a59988c7754f17a0346d138db34e73c64165929442bd18e0b67569683f663b678b9ad7d22e99a4152cb7c19e2c031de7312a034101ac48d96e74a8

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
3ffbf743abbb669729f846476d177132

SHA1
0c9a8fd8950bbb0ce06cf40c96596dc5ff7dcbe8

SHA256
30dd2be2c256f28f4adf7403d5a4395e71eb96a44fbc63aa308a6d1b98482c4b

SHA512
1c02fb80a0a59988c7754f17a0346d138db34e73c64165929442bd18e0b67569683f663b678b9ad7d22e99a4152cb7c19e2c031de7312a034101ac48d96e74a8

Download Submit
memory/64-134-0x0000000000000000-mapping.dmp

Download
memory/1192-140-0x0000000000000000-mapping.dmp

Download
memory/1668-144-0x0000000000000000-mapping.dmp

Download
memory/1940-141-0x0000000000000000-mapping.dmp

Download
memory/1952-139-0x0000000000000000-mapping.dmp

Download
memory/2060-145-0x0000000000000000-mapping.dmp

Download
memory/2208-136-0x0000000000000000-mapping.dmp

Download
memory/2416-132-0x0000000000000000-mapping.dmp

Download
memory/4124-135-0x0000000000000000-mapping.dmp

Download
memory/5036-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads