0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1

General

Target

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
Size

16KB
MD5

19a2da46a57ea5033f975a9e193f7ed0
SHA1

42ae10e9ff69bbb8242d82da593d0a81ca31d050
SHA256

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1
SHA512

a238059e616beb860120513715394927405f4aa0980296fab10576f1b85ade2995c18ccc84e4a94397efe302cdde11cac1a7a6b31664f14452455c9ae9bddebb
SSDEEP

384:GYMzSPIsTt8uPJa7Y7fzo724PBoqXlm/Bh:G+QsTCJY7MxqF/j

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1324 takeown.exe
1784 icacls.exe
3352 takeown.exe
1740 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1324 takeown.exe
1784 icacls.exe
3352 takeown.exe
1740 icacls.exe

pid	process
1324	takeown.exe
1784	icacls.exe
3352	takeown.exe
1740	icacls.exe

pid	process
1324	takeown.exe
1784	icacls.exe
3352	takeown.exe
1740	icacls.exe

Drops file in System32 directory 5 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sxload.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
File opened for modification	C:\Windows\SysWOW64\123BCED.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
File opened for modification	C:\Windows\SysWOW64\123C347.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

Drops file in Program Files directory 1 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sx998.tmp 0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3680 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sx998.tmp	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

pid	process
3680	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exetakeown.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
Token: SeTakeOwnershipPrivilege	1324	takeown.exe
Token: SeTakeOwnershipPrivilege	3352	takeown.exe
Token: SeDebugPrivilege	3680	taskkill.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

pid	process
2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.execmd.execmd.exe

description	pid	process	target process
PID 2708 wrote to memory of 2336	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 2708 wrote to memory of 2336	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 2708 wrote to memory of 2336	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 2336 wrote to memory of 1324	2336	cmd.exe	takeown.exe
PID 2336 wrote to memory of 1324	2336	cmd.exe	takeown.exe
PID 2336 wrote to memory of 1324	2336	cmd.exe	takeown.exe
PID 2336 wrote to memory of 1784	2336	cmd.exe	icacls.exe
PID 2336 wrote to memory of 1784	2336	cmd.exe	icacls.exe
PID 2336 wrote to memory of 1784	2336	cmd.exe	icacls.exe
PID 2708 wrote to memory of 1996	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 2708 wrote to memory of 1996	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 2708 wrote to memory of 1996	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 1996 wrote to memory of 3352	1996	cmd.exe	takeown.exe
PID 1996 wrote to memory of 3352	1996	cmd.exe	takeown.exe
PID 1996 wrote to memory of 3352	1996	cmd.exe	takeown.exe
PID 1996 wrote to memory of 1740	1996	cmd.exe	icacls.exe
PID 1996 wrote to memory of 1740	1996	cmd.exe	icacls.exe
PID 1996 wrote to memory of 1740	1996	cmd.exe	icacls.exe
PID 2708 wrote to memory of 3680	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	taskkill.exe
PID 2708 wrote to memory of 3680	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	taskkill.exe
PID 2708 wrote to memory of 3680	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	taskkill.exe
PID 2708 wrote to memory of 3472	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 2708 wrote to memory of 3472	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe
PID 2708 wrote to memory of 3472	2708	0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe
"C:\Users\Admin\AppData\Local\Temp\0f012a13c805c59ad698f6d24ec4968d9e82a472b8e62cd54927f4105893a0c1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rasadhlp.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\midimap.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:3472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
a3aac93556493aba5ff81b48c4bf23fe

SHA1
f6b2424fc11189d24114535cdb14a96821791067

SHA256
0c698b2b58b1e4eda71c7fc9c55780294d7c3a4ad6e519148eeef7477ef62556

SHA512
55aaf29b4a73aae5ca6ed55a4926533920e7a17ae04ae1a6232ef30c6cc26c6d65c1197e3b2d6f9648b3fd0b101877b002110fdddcb1c376dd84cbba4d31c126

Download Submit
memory/1324-133-0x0000000000000000-mapping.dmp

Download
memory/1740-137-0x0000000000000000-mapping.dmp

Download
memory/1784-134-0x0000000000000000-mapping.dmp

Download
memory/1996-135-0x0000000000000000-mapping.dmp

Download
memory/2336-132-0x0000000000000000-mapping.dmp

Download
memory/3352-136-0x0000000000000000-mapping.dmp

Download
memory/3472-139-0x0000000000000000-mapping.dmp

Download
memory/3680-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads