Analysis
max time kernel: 37s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
  Resource: win7-20220812-en
General
Target: 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Size: 22KB
MD5: 9352fdae3a18fb42dec31d80f2b762c0
SHA1: cd605e2560ecab3fd0a816011bef2b46f08da718
SHA256: 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4
SHA512: d4f5ef7e611c8f0ebbc61d019e1c5caf3b8b2a907f7b292e0049fef2f1e9657e75a46d17ca62a7f7ea9629633791900962565497531c30ca5f40e419cda1aa06
SSDEEP: 384:ZeIqR1e2cz/2C+h21llTNerR14X0Tt2RBZu2wNpkHqTqFlBGQq1uzs8e9aTA0iKo:ZrCXcz/2CvRewkTYJ/rlBGBgs81K
Malware Config
Signatures
Deletes itself (1 IoC)
  Process: cmd.exe, PID 1796
Drops file in System32 directory (5 IoCs)
  Process: 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
  File created: C:\Windows\SysWOW64\sxload.tmp
  File created: C:\Windows\System32\1234E60.tmp
  File opened for modification: C:\Windows\SysWOW64\1234E60.tmp
  File created: C:\Windows\System32\12352F3.tmp
  File opened for modification: C:\Windows\SysWOW64\12352F3.tmp
  Note: the sample is a 32-bit process (its children are launched from C:\Windows\SysWOW64), so writes it addresses to C:\Windows\System32 are redirected by WoW64 file-system redirection to C:\Windows\SysWOW64. The System32 and SysWOW64 entries for 1234E60.tmp and 12352F3.tmp therefore most likely describe the same two files, i.e. three distinct files under SysWOW64 rather than five.
Drops file in Program Files directory (1 IoC)
  Process: 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
  File created: C:\Program Files (x86)\Common Files\sxf7.tmp
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: this is a generic heuristic signature. Nothing else in this report corroborates ransomware: the only file writes recorded are the .tmp drops above, and the Network section is empty.
Kills process with taskkill (1 IoC)
  Process: taskkill.exe, PID 760
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1504, 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
  Token: SeDebugPrivilege, PID 760, taskkill.exe
  Note: taskkill.exe enables SeDebugPrivilege itself when asked to force-terminate a process, so the second entry is expected; the notable one is the sample enabling it in its own token.
Suspicious use of FindShellTrayWindow (2 IoCs)
  Process: 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe, PID 1504 (2 calls)
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1504 (40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe) wrote to memory of PID 760 (taskkill.exe): 4 times
  PID 1504 (40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe) wrote to memory of PID 1796 (cmd.exe): 4 times
  Note: both targets are child processes the sample itself launches (see the process tree below), and the writes are consistent with ordinary child-process creation. No write into an unrelated, already-running process is recorded.
Processes
C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe (PID 1504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\taskkill.exe (PID 760)
  |     Command line: taskkill /f /im "GamePlaza.exe"
  |     - Kills process with taskkill
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 1796)
        Command line: cmd /c 1.bat
        - Deletes itself
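The process tree and the IoC tables above describe a small, recognisable chain: an executable running from the user's Temp directory force-kills a named process, drops .tmp files into system directories, and finally runs a batch file from Temp that removes the sample. The following is an added example of detection logic over events shaped like this report; it is not code from the sandbox or from the sample. The event records are reconstructed from the report's process tree and IoC tables, while the field names (pid, ppid, image, cmdline, action, path), the rule names and the WoW64 path folding are this example's own assumptions. The contents of 1.bat are not in the report and are not assumed here.

```python
"""Detection logic over process-creation and file-write events reconstructed
from the sandbox report above.  Field names, rule names and the WoW64
folding are assumptions of this example, not the sandbox's schema."""
import re
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_EXE = "40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# Reconstructed from the report's process tree (assumed field names).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 1504, "ppid": 0, "image": TEMP_DIR + "\\" + SAMPLE_EXE,
     "cmdline": '"' + TEMP_DIR + "\\" + SAMPLE_EXE + '"'},
    {"pid": 760, "ppid": 1504, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill /f /im "GamePlaza.exe"'},
    {"pid": 1796, "ppid": 1504, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd /c 1.bat"},
]

# Reconstructed from the "Drops file in ..." IoC tables (assumed field names).
FILE_EVENTS: List[Dict] = [
    {"pid": 1504, "action": "create", "path": r"C:\Windows\SysWOW64\sxload.tmp"},
    {"pid": 1504, "action": "create", "path": r"C:\Windows\System32\1234E60.tmp"},
    {"pid": 1504, "action": "modify", "path": r"C:\Windows\SysWOW64\1234E60.tmp"},
    {"pid": 1504, "action": "create", "path": r"C:\Windows\System32\12352F3.tmp"},
    {"pid": 1504, "action": "modify", "path": r"C:\Windows\SysWOW64\12352F3.tmp"},
    {"pid": 1504, "action": "create", "path": r"C:\Program Files (x86)\Common Files\sxf7.tmp"},
]

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(
    r"^[a-z]:\\(windows\\(system32|syswow64)|program files( \(x86\))?)\\", re.IGNORECASE)


def is_forced_image_kill(cmdline: str) -> bool:
    """taskkill with both /f and /im: force-terminates every instance of an image name."""
    toks = cmdline.lower().split()
    return bool(toks) and toks[0].strip('"').startswith("taskkill") \
        and "/f" in toks and "/im" in toks


def is_batch_launch(cmdline: str) -> bool:
    """cmd /c <file>.bat, the form the report shows for 1.bat."""
    toks = cmdline.lower().split()
    return len(toks) >= 3 and toks[0].strip('"') in ("cmd", "cmd.exe") \
        and "/c" in toks and any(t.strip('"').endswith(".bat") for t in toks)


def canonical_path(path: str, wow64: bool) -> str:
    """Fold WoW64 file-system redirection: for a 32-bit process a write addressed
    to System32 lands in SysWOW64, so both spellings name the same file.
    Returned lower-cased so spellings compare equal."""
    path = path.lower()
    if wow64:
        path = re.sub(r"^([a-z]:\\windows\\)system32\\", r"\1syswow64\\", path)
    return path


def dropped_files(file_events: List[Dict], wow64: bool = True) -> List[str]:
    """Distinct files written, with or without folding the redirected paths."""
    return sorted({canonical_path(f["path"], wow64) for f in file_events})


def find_suspicious(process_events: List[Dict], file_events: List[Dict]) -> List[Tuple[str, int, str]]:
    """(rule, pid, detail) for each behaviour the report records: a process whose
    parent runs from a user Temp directory force-kills an image or launches a
    batch file, and a Temp-resident process writes .tmp files into system dirs."""
    by_pid = {e["pid"]: e for e in process_events}
    hits: List[Tuple[str, int, str]] = []
    for e in process_events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not USER_TEMP.match(parent["image"]):
            continue
        if is_forced_image_kill(e["cmdline"]):
            hits.append(("temp_parent_forced_taskkill", e["pid"], e["cmdline"]))
        if is_batch_launch(e["cmdline"]):
            hits.append(("temp_parent_runs_batch", e["pid"], e["cmdline"]))
    for f in file_events:
        proc = by_pid.get(f["pid"])
        if proc and USER_TEMP.match(proc["image"]) and SYSTEM_DIR.match(f["path"]) \
                and f["path"].lower().endswith(".tmp"):
            hits.append(("temp_process_writes_tmp_to_system_dir", f["pid"], f["path"]))
    return hits


def summarize(hits: List[Tuple[str, int, str]]) -> Dict[str, int]:
    """Count of hits per rule."""
    return dict(Counter(rule for rule, _, _ in hits))


if __name__ == "__main__":
    for hit in find_suspicious(PROCESS_EVENTS, FILE_EVENTS):
        print(*hit)
    print("distinct dropped files (WoW64 folded):", dropped_files(FILE_EVENTS))
```

Run against the reconstructed events, the rules fire once for the taskkill child, once for the cmd /c 1.bat child and six times for the file writes; folding WoW64 redirection reduces the six file IoCs to four distinct files, which is the count an analyst would use when pivoting on the dropped names.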
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\1.bat
  Filesize: 251B
  MD5: edf1b293999e875a2ababb34b73b8628
  SHA1: 2e15b4d4daa690b627572c9ca1e6585c251038cc
  SHA256: 3a1381175b66748bac9ce074963ca710318ca988888da5873167e359a7871b70
  SHA512: ce98576fce97c540a18c4846ced07803cd428c16e2f5a49318844afbfb0cf329ada2007daab5655dafafb40ad0a90d8bb8f4bcd84685db1ab599562a8cb07ee1
memory/760-56-0x0000000000000000-mapping.dmp
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
  Filesize: 8KB
memory/1504-55-0x0000000074CB1000-0x0000000074CB3000-memory.dmp
  Filesize: 8KB
memory/1796-57-0x0000000000000000-mapping.dmp