0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
Size

16KB
MD5

19a2da46a57ea5033f975a9e193f7ed0
SHA1

42ae10e9ff69bbb8242d82da593d0a81ca31d050
SHA256

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1
SHA512

a238059e616beb860120513715394927405f4aa0980296fab10576f1b85ade2995c18ccc84e4a94397efe302cdde11cac1a7a6b31664f14452455c9ae9bddebb
SSDEEP

384:GYMzSPIsTt8uPJa7Y7fzo724PBoqXlm/Bh:G+QsTCJY7MxqF/j

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1656 cmd.exe

pid	process
1656	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1233258.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
File created	C:\Windows\System32\1233A55.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
File opened for modification	C:\Windows\SysWOW64\1233A55.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
File created	C:\Windows\SysWOW64\sxload.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
File created	C:\Windows\System32\1233258.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

Drops file in Program Files directory 1 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sx998.tmp 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

472 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sx998.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

pid	process
472	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
Token: SeDebugPrivilege	472	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

pid	process
1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

description	pid	process	target process
PID 1132 wrote to memory of 472	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	taskkill.exe
PID 1132 wrote to memory of 472	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	taskkill.exe
PID 1132 wrote to memory of 472	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	taskkill.exe
PID 1132 wrote to memory of 472	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	taskkill.exe
PID 1132 wrote to memory of 1656	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 1132 wrote to memory of 1656	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 1132 wrote to memory of 1656	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 1132 wrote to memory of 1656	1132	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
"C:\Users\Admin\AppData\Local\Temp\0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1656

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
a3aac93556493aba5ff81b48c4bf23fe

SHA1
f6b2424fc11189d24114535cdb14a96821791067

SHA256
0c698b2b58b1e4eda71c7fc9c55780294d7c3a4ad6e519148eeef7477ef62556

SHA512
55aaf29b4a73aae5ca6ed55a4926533920e7a17ae04ae1a6232ef30c6cc26c6d65c1197e3b2d6f9648b3fd0b101877b002110fdddcb1c376dd84cbba4d31c126

Download Submit
memory/472-56-0x0000000000000000-mapping.dmp

Download
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1132-55-0x00000000742A1000-0x00000000742A3000-memory.dmp

Filesize
8KB

Download
memory/1656-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads