Analysis

- max time kernel: 39s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2022 15:49

Static task: static1

Behavioral task: behavioral1
- Sample: 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
- Resource: win7-20220812-en
General

- Target: 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
- Size: 16KB
- MD5: 19a2da46a57ea5033f975a9e193f7ed0
- SHA1: 42ae10e9ff69bbb8242d82da593d0a81ca31d050
- SHA256: 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1
- SHA512: a238059e616beb860120513715394927405f4aa0980296fab10576f1b85ade2995c18ccc84e4a94397efe302cdde11cac1a7a6b31664f14452455c9ae9bddebb
- SSDEEP: 384:GYMzSPIsTt8uPJa7Y7fzo724PBoqXlm/Bh:G+QsTCJY7MxqF/j
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
- cmd.exe (PID 1656)

Drops file in System32 directory (5 IoCs)
Process: 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
- File opened for modification: C:\Windows\SysWOW64\1233258.tmp
- File created: C:\Windows\System32\1233A55.tmp
- File opened for modification: C:\Windows\SysWOW64\1233A55.tmp
- File created: C:\Windows\SysWOW64\sxload.tmp
- File created: C:\Windows\System32\1233258.tmp

Drops file in Program Files directory (1 IoC)
Process: 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
- File created: C:\Program Files (x86)\Common Files\sx998.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
Processes:
- taskkill.exe (PID 472)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1132, 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
- Token: SeDebugPrivilege, PID 472, taskkill.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1132, 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe (2 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 1132 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe) wrote to memory of PID 472 (taskkill.exe) (4 entries)
- PID 1132 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe) wrote to memory of PID 1656 (cmd.exe) (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe"
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\taskkill.exe (depth 2)
  Command line: taskkill /f /im "GamePlaza.exe"
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: cmd /c 1.bat
  - Deletes itself
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
- Filesize: 251B
- MD5: a3aac93556493aba5ff81b48c4bf23fe
- SHA1: f6b2424fc11189d24114535cdb14a96821791067
- SHA256: 0c698b2b58b1e4eda71c7fc9c55780294d7c3a4ad6e519148eeef7477ef62556
- SHA512: 55aaf29b4a73aae5ca6ed55a4926533920e7a17ae04ae1a6232ef30c6cc26c6d65c1197e3b2d6f9648b3fd0b101877b002110fdddcb1c376dd84cbba4d31c126

memory/472-56-0x0000000000000000-mapping.dmp

memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp
- Filesize: 8KB

memory/1132-55-0x00000000742A1000-0x00000000742A3000-memory.dmp
- Filesize: 8KB

memory/1656-57-0x0000000000000000-mapping.dmp