40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4

Analysis

max time kernel
37s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-10-2022 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Size

22KB
MD5

9352fdae3a18fb42dec31d80f2b762c0
SHA1

cd605e2560ecab3fd0a816011bef2b46f08da718
SHA256

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4
SHA512

d4f5ef7e611c8f0ebbc61d019e1c5caf3b8b2a907f7b292e0049fef2f1e9657e75a46d17ca62a7f7ea9629633791900962565497531c30ca5f40e419cda1aa06
SSDEEP

384:ZeIqR1e2cz/2C+h21llTNerR14X0Tt2RBZu2wNpkHqTqFlBGQq1uzs8e9aTA0iKo:ZrCXcz/2CvRewkTYJ/rlBGBgs81K

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1796 cmd.exe

pid	process
1796	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sxload.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
File created	C:\Windows\System32\1234E60.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
File opened for modification	C:\Windows\SysWOW64\1234E60.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
File created	C:\Windows\System32\12352F3.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
File opened for modification	C:\Windows\SysWOW64\12352F3.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

Drops file in Program Files directory 1 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxf7.tmp 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

760 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxf7.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

pid	process
760	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Token: SeDebugPrivilege	760	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

pid	process
1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

description	pid	process	target process
PID 1504 wrote to memory of 760	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	taskkill.exe
PID 1504 wrote to memory of 760	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	taskkill.exe
PID 1504 wrote to memory of 760	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	taskkill.exe
PID 1504 wrote to memory of 760	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	taskkill.exe
PID 1504 wrote to memory of 1796	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 1504 wrote to memory of 1796	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 1504 wrote to memory of 1796	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 1504 wrote to memory of 1796	1504	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
"C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
edf1b293999e875a2ababb34b73b8628

SHA1
2e15b4d4daa690b627572c9ca1e6585c251038cc

SHA256
3a1381175b66748bac9ce074963ca710318ca988888da5873167e359a7871b70

SHA512
ce98576fce97c540a18c4846ced07803cd428c16e2f5a49318844afbfb0cf329ada2007daab5655dafafb40ad0a90d8bb8f4bcd84685db1ab599562a8cb07ee1

Download Submit
memory/760-56-0x0000000000000000-mapping.dmp

Download
memory/1504-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-55-0x0000000074CB1000-0x0000000074CB3000-memory.dmp

Filesize
8KB

Download
memory/1796-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads