Analysis
- max time kernel: 90s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2022 15:49
Static task: static1
Behavioral task: behavioral1
Sample: 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
Resource: win7-20220812-en
General
- Target: 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
- Size: 16KB
- MD5: 19a2da46a57ea5033f975a9e193f7ed0
- SHA1: 42ae10e9ff69bbb8242d82da593d0a81ca31d050
- SHA256: 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1
- SHA512: a238059e616beb860120513715394927405f4aa0980296fab10576f1b85ade2995c18ccc84e4a94397efe302cdde11cac1a7a6b31664f14452455c9ae9bddebb
- SSDEEP: 384:GYMzSPIsTt8uPJa7Y7fzo724PBoqXlm/Bh:G+QsTCJY7MxqF/j
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid, process):
  1324 takeown.exe
  1784 icacls.exe
  3352 takeown.exe
  1740 icacls.exe
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid, process):
  1324 takeown.exe
  1784 icacls.exe
  3352 takeown.exe
  1740 icacls.exe
- Drops file in System32 directory (5 IoCs)
  Processes (description, ioc, process):
  File created: C:\Windows\SysWOW64\sxload.tmp (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe)
  File opened for modification: C:\Windows\SysWOW64\123BCED.tmp (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe)
  File created: C:\Windows\SysWOW64\dllcache\rasadhlp.dll (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe)
  File opened for modification: C:\Windows\SysWOW64\123C347.tmp (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe)
  File created: C:\Windows\SysWOW64\dllcache\midimap.dll (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe)
- Drops file in Program Files directory (1 IoCs)
  Processes (description, ioc, process):
  File created: C:\Program Files (x86)\Common Files\sx998.tmp (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoCs)
  Processes (pid, process):
  3680 taskkill.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege, 2708, 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
  Token: SeTakeOwnershipPrivilege, 1324, takeown.exe
  Token: SeTakeOwnershipPrivilege, 3352, takeown.exe
  Token: SeDebugPrivilege, 3680, taskkill.exe
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes (pid, process):
  2708 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
  2708 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
  2708 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
  2708 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
  2708 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
  2708 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process -> target process):
  PID 2708 wrote to memory of 2336 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
  PID 2708 wrote to memory of 2336 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
  PID 2708 wrote to memory of 2336 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
  PID 2336 wrote to memory of 1324 (cmd.exe -> takeown.exe)
  PID 2336 wrote to memory of 1324 (cmd.exe -> takeown.exe)
  PID 2336 wrote to memory of 1324 (cmd.exe -> takeown.exe)
  PID 2336 wrote to memory of 1784 (cmd.exe -> icacls.exe)
  PID 2336 wrote to memory of 1784 (cmd.exe -> icacls.exe)
  PID 2336 wrote to memory of 1784 (cmd.exe -> icacls.exe)
  PID 2708 wrote to memory of 1996 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
  PID 2708 wrote to memory of 1996 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
  PID 2708 wrote to memory of 1996 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
  PID 1996 wrote to memory of 3352 (cmd.exe -> takeown.exe)
  PID 1996 wrote to memory of 3352 (cmd.exe -> takeown.exe)
  PID 1996 wrote to memory of 3352 (cmd.exe -> takeown.exe)
  PID 1996 wrote to memory of 1740 (cmd.exe -> icacls.exe)
  PID 1996 wrote to memory of 1740 (cmd.exe -> icacls.exe)
  PID 1996 wrote to memory of 1740 (cmd.exe -> icacls.exe)
  PID 2708 wrote to memory of 3680 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> taskkill.exe)
  PID 2708 wrote to memory of 3680 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> taskkill.exe)
  PID 2708 wrote to memory of 3680 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> taskkill.exe)
  PID 2708 wrote to memory of 3472 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
  PID 2708 wrote to memory of 3472 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
  PID 2708 wrote to memory of 3472 (0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe -> cmd.exe)
Processes (indentation shows the parent/child tree)
- C:\Users\Admin\AppData\Local\Temp\0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe"
  Signatures: Drops file in System32 directory; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f "C:\Windows\system32\rasadhlp.dll"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f "C:\Windows\system32\midimap.dll"
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c 1.bat
  - C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im "GamePlaza.exe"
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize: 251B
  MD5: a3aac93556493aba5ff81b48c4bf23fe
  SHA1: f6b2424fc11189d24114535cdb14a96821791067
  SHA256: 0c698b2b58b1e4eda71c7fc9c55780294d7c3a4ad6e519148eeef7477ef62556
  SHA512: 55aaf29b4a73aae5ca6ed55a4926533920e7a17ae04ae1a6232ef30c6cc26c6d65c1197e3b2d6f9648b3fd0b101877b002110fdddcb1c376dd84cbba4d31c126
- memory/1324-133-0x0000000000000000-mapping.dmp
- memory/1740-137-0x0000000000000000-mapping.dmp
- memory/1784-134-0x0000000000000000-mapping.dmp
- memory/1996-135-0x0000000000000000-mapping.dmp
- memory/2336-132-0x0000000000000000-mapping.dmp
- memory/3352-136-0x0000000000000000-mapping.dmp
- memory/3472-139-0x0000000000000000-mapping.dmp
- memory/3680-138-0x0000000000000000-mapping.dmp