Analysis
- max time kernel: 90s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2022 09:47
Static task
static1
Behavioral task
behavioral1
Sample
51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
Resource
win7-20220812-en
General
- Target: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
- Size: 25KB
- MD5: 499e71cd68d06aaf78d0057773169cf0
- SHA1: ab534a763e7c47994cfabc8982a7d5625af30fad
- SHA256: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc
- SHA512: 085f4299baec796cdcc8cea6647be5e361379c039e3dcd3d3fbe05998fa734b8fd1c1d7dfeb98bac769b18b0601a359d9295fd1f08f9f72c307803190e3d34ec
- SSDEEP: 768:sWO0AL+Kimjl8i0vGI2eK6w9SMjYvHr8:sOASBsl8LPKHuvHr
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
  - 1940 icacls.exe
  - 4124 takeown.exe
  - 2208 icacls.exe
  - 1192 takeown.exe
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid, process):
  - 1192 takeown.exe
  - 1940 icacls.exe
  - 4124 takeown.exe
  - 2208 icacls.exe
- Drops file in System32 directory (6 IoCs)
  Processes (description, ioc, process); all entries belong to 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe:
  - File opened for modification: C:\Windows\SysWOW64\123FFD1.tmp
  - File created: C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  - File opened for modification: C:\Windows\SysWOW64\123F91.tmp
  - File created: C:\Windows\SysWOW64\dllcache\midimap.dll
  - File created: C:\Windows\SysWOW64\sx998.tmp
  - File created: C:\Windows\SysWOW64\sxload.tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes (pid, process):
  - 1668 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 2796 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
  - 2796 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 2796, 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
  - Token: SeTakeOwnershipPrivilege, 4124, takeown.exe
  - Token: SeDebugPrivilege, 1668, taskkill.exe
- Suspicious use of FindShellTrayWindow (8 IoCs)
  Processes (pid, process):
  - 2796 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe (reported 8 times)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process); each entry is reported 3 times in the original table:
  - PID 2796 wrote to memory of 2416: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe -> cmd.exe
  - PID 2416 wrote to memory of 64: cmd.exe -> cmd.exe
  - PID 64 wrote to memory of 4124: cmd.exe -> takeown.exe
  - PID 2416 wrote to memory of 2208: cmd.exe -> icacls.exe
  - PID 2796 wrote to memory of 5036: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe -> cmd.exe
  - PID 5036 wrote to memory of 1952: cmd.exe -> cmd.exe
  - PID 1952 wrote to memory of 1192: cmd.exe -> takeown.exe
  - PID 5036 wrote to memory of 1940: cmd.exe -> icacls.exe
  - PID 2796 wrote to memory of 1668: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe -> taskkill.exe
  - PID 2796 wrote to memory of 2060: 51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe -> cmd.exe
Processes (process tree; bracketed number is the depth in the tree)
- [1] C:\Users\Admin\AppData\Local\Temp\51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51932b243325c8f4a1b9eb3914e48726fb7cc3a198b8731a38f38e8ab27504dc.exe"
  Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c 2.bat
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f "C:\Windows\System32"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f "C:\Windows\System32"
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\System32" /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c 2.bat
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f "C:\Windows\System32"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f "C:\Windows\System32"
        Signatures: Possible privilege escalation attempt; Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\System32" /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [2] C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im "GamePlaza.exe"
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c 1.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize: 251B
  MD5: 0d2837816297e3f58efdb9e865725c67
  SHA1: 2bffe08bdf2f8b39c2617405808537d3f9655b30
  SHA256: 888df75a0176aee6f246865e1a2e1104b708a4c09bbc8b9aab1f74820da39278
  SHA512: 991134330d817d62038c4f853e15126a75b8d28e069c9e17ecb1fddaa0a23570702a54074c0c1c9bfcb16f1c7392783a60479331c168cef7446e4cf16a5312cf
- C:\Users\Admin\AppData\Local\Temp\2.bat
  Filesize: 110B
  MD5: 12e768a105dc0d143a5f5becdd12167a
  SHA1: 8f82f11fc9b8921b1a80eb23b600d243a8756766
  SHA256: 0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056
  SHA512: 3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77
- C:\Users\Admin\AppData\Local\Temp\2.bat
  Filesize: 110B
  MD5: 12e768a105dc0d143a5f5becdd12167a
  SHA1: 8f82f11fc9b8921b1a80eb23b600d243a8756766
  SHA256: 0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056
  SHA512: 3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77
- C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  Filesize: 12KB
  MD5: 3ffbf743abbb669729f846476d177132
  SHA1: 0c9a8fd8950bbb0ce06cf40c96596dc5ff7dcbe8
  SHA256: 30dd2be2c256f28f4adf7403d5a4395e71eb96a44fbc63aa308a6d1b98482c4b
  SHA512: 1c02fb80a0a59988c7754f17a0346d138db34e73c64165929442bd18e0b67569683f663b678b9ad7d22e99a4152cb7c19e2c031de7312a034101ac48d96e74a8
- C:\Windows\SysWOW64\rasadhlp.dll
  Filesize: 12KB
  MD5: 3ffbf743abbb669729f846476d177132
  SHA1: 0c9a8fd8950bbb0ce06cf40c96596dc5ff7dcbe8
  SHA256: 30dd2be2c256f28f4adf7403d5a4395e71eb96a44fbc63aa308a6d1b98482c4b
  SHA512: 1c02fb80a0a59988c7754f17a0346d138db34e73c64165929442bd18e0b67569683f663b678b9ad7d22e99a4152cb7c19e2c031de7312a034101ac48d96e74a8
- memory/64-134-0x0000000000000000-mapping.dmp
- memory/1192-140-0x0000000000000000-mapping.dmp
- memory/1668-144-0x0000000000000000-mapping.dmp
- memory/1940-141-0x0000000000000000-mapping.dmp
- memory/1952-139-0x0000000000000000-mapping.dmp
- memory/2060-145-0x0000000000000000-mapping.dmp
- memory/2208-136-0x0000000000000000-mapping.dmp
- memory/2416-132-0x0000000000000000-mapping.dmp
- memory/4124-135-0x0000000000000000-mapping.dmp
- memory/5036-137-0x0000000000000000-mapping.dmp