Analysis
-
max time kernel
91s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-10-2022 07:48
Static task
static1
Behavioral task
behavioral1
Sample
40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Resource
win7-20220812-en
General
-
Target
40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
-
Size
22KB
-
MD5
9352fdae3a18fb42dec31d80f2b762c0
-
SHA1
cd605e2560ecab3fd0a816011bef2b46f08da718
-
SHA256
40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4
-
SHA512
d4f5ef7e611c8f0ebbc61d019e1c5caf3b8b2a907f7b292e0049fef2f1e9657e75a46d17ca62a7f7ea9629633791900962565497531c30ca5f40e419cda1aa06
-
SSDEEP
384:ZeIqR1e2cz/2C+h21llTNerR14X0Tt2RBZu2wNpkHqTqFlBGQq1uzs8e9aTA0iKo:ZrCXcz/2CvRewkTYJ/rlBGBgs81K
Malware Config
Signatures
-
Possible privilege escalation attempt 4 IoCs
Processes:
pid   process
3064  icacls.exe
4488  takeown.exe
3684  icacls.exe
4836  takeown.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes:
pid   process
4836  takeown.exe
3064  icacls.exe
4488  takeown.exe
3684  icacls.exe
-
Drops file in System32 directory 5 IoCs
Processes (all entries by the sample, 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe):
description                   ioc
File created                  C:\Windows\SysWOW64\dllcache\rasadhlp.dll
File opened for modification  C:\Windows\SysWOW64\123A639.tmp
File created                  C:\Windows\SysWOW64\dllcache\midimap.dll
File created                  C:\Windows\SysWOW64\sxload.tmp
File opened for modification  C:\Windows\SysWOW64\1239FD0.tmp
-
Drops file in Program Files directory 1 IoCs
Processes (entry by the sample, 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe):
description   ioc
File created  C:\Program Files (x86)\Common Files\sxf7.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Kills process with taskkill 1 IoCs
Processes:
pid   process
1276  taskkill.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description                     pid   process
Token: SeDebugPrivilege         3192  40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Token: SeTakeOwnershipPrivilege 4836  takeown.exe
Token: SeTakeOwnershipPrivilege 4488  takeown.exe
Token: SeDebugPrivilege         1276  taskkill.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
pid   process                                                                 count
3192  40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe   6
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes (sample = 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe; each pair is reported three times, 24 IoCs in total):
source pid  source process  target pid  target process  count
3192        sample          2276        cmd.exe         3
2276        cmd.exe         4836        takeown.exe     3
2276        cmd.exe         3064        icacls.exe      3
3192        sample          3528        cmd.exe         3
3528        cmd.exe         4488        takeown.exe     3
3528        cmd.exe         3684        icacls.exe      3
3192        sample          1276        taskkill.exe    3
3192        sample          4628        cmd.exe         3
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
   command: "C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe"
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   -
   2  C:\Windows\SysWOW64\cmd.exe
      command: cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
      - Suspicious use of WriteProcessMemory
      -
      3  C:\Windows\SysWOW64\takeown.exe
         command: takeown /f "C:\Windows\system32\rasadhlp.dll"
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken
         -
      3  C:\Windows\SysWOW64\icacls.exe
         command: icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions
         -
   2  C:\Windows\SysWOW64\cmd.exe
      command: cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
      - Suspicious use of WriteProcessMemory
      -
      3  C:\Windows\SysWOW64\takeown.exe
         command: takeown /f "C:\Windows\system32\midimap.dll"
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken
         -
      3  C:\Windows\SysWOW64\icacls.exe
         command: icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions
         -
   2  C:\Windows\SysWOW64\taskkill.exe
      command: taskkill /f /im "GamePlaza.exe"
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
      -
   2  C:\Windows\SysWOW64\cmd.exe
      command: C:\Windows\system32\cmd.exe /c 1.bat
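The process tree above is the part of this report a detection engineer would want to alert on: the sample, running from the user's Temp directory, spawns cmd.exe to run takeown followed by icacls /grant administrators:F against two system DLLs, then force-kills a named process. Note that the sample is a 32-bit binary (every child runs from SysWOW64), so its references to C:\Windows\system32\ are redirected by WOW64 file-system redirection to SysWOW64, which is why the file-drop IoCs above land in C:\Windows\SysWOW64\dllcache. The script below is an added example and not part of the sandbox report: it runs a small detection over constructed process-creation events modelled on this tree (the event field names pid, ppid, image and cmdline are assumptions, as is the benign icacls event added to show the rule does not fire on a user-directory ACL change). It flags takeown or icacls /grant on a file under System32 or SysWOW64, escalates when both are seen on the same file under the same parent, and flags a forced taskkill whose ancestry leads back to a Temp-directory executable.

```python
import re
from collections import defaultdict

# Paths under either system directory; both spellings are matched because a
# 32-bit process that names "system32" is redirected to SysWOW64 by WOW64.
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe"

# Constructed process-creation events modelled on the report's process tree
# (field names are assumptions, not a real EDR/Sysmon schema). pid 5000 is a
# constructed benign icacls call on a user directory that must not fire.
EVENTS = [
    {"pid": 3192, "ppid": 1500, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2276, "ppid": 3192, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F'},
    {"pid": 4836, "ppid": 2276, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r'takeown /f "C:\Windows\system32\rasadhlp.dll"'},
    {"pid": 3064, "ppid": 2276, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F'},
    {"pid": 3528, "ppid": 3192, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F'},
    {"pid": 4488, "ppid": 3528, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r'takeown /f "C:\Windows\system32\midimap.dll"'},
    {"pid": 3684, "ppid": 3528, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls "C:\Windows\system32\midimap.dll" /grant administrators:F'},
    {"pid": 1276, "ppid": 3192, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": r'taskkill /f /im "GamePlaza.exe"'},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\share" /grant Admin:R'},
]


def win_split(cmdline):
    """Quote-aware split of a Windows command line (sufficient for these tools)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def target_of(tool, args):
    """Return the file (or image name) a takeown/icacls/taskkill call operates on."""
    low = [a.lower() for a in args]
    if tool == "takeown.exe" and "/f" in low:          # takeown /f <path>
        i = low.index("/f")
        return args[i + 1] if i + 1 < len(args) else None
    if tool == "icacls.exe":                           # icacls <path> [options]
        return args[1] if len(args) > 1 else None
    if tool == "taskkill.exe" and "/im" in low:        # taskkill ... /im <image>
        i = low.index("/im")
        return args[i + 1] if i + 1 < len(args) else None
    return None


def ancestry(pid, by_pid):
    """Walk parents: [pid, parent, grandparent, ...] as far as events exist."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    per_parent = defaultdict(lambda: defaultdict(set))   # ppid -> path -> {tools}
    for e in events:
        tool = e["image"].rsplit("\\", 1)[-1].lower()
        if tool not in ("takeown.exe", "icacls.exe", "taskkill.exe"):
            continue
        args = win_split(e["cmdline"])
        target = target_of(tool, args)
        if target is None:
            continue
        chain = ancestry(e["pid"], by_pid)
        from_temp = any(TEMP_DIR.search(by_pid[p]["image"]) for p in chain)
        low = [a.lower() for a in args]
        if tool in ("takeown.exe", "icacls.exe") and SYSTEM_DIR.match(target):
            if tool == "icacls.exe" and "/grant" not in low:
                continue          # a plain ACL listing is not a modification
            findings.append({"rule": f"{tool[:-4]}_on_system_file", "severity": "medium",
                             "pid": e["pid"], "target": target, "chain": chain})
            per_parent[e["ppid"]][target.lower()].add(tool)
        elif tool == "taskkill.exe" and from_temp and "/f" in low:
            findings.append({"rule": "forced_taskkill_from_temp", "severity": "medium",
                             "pid": e["pid"], "target": target, "chain": chain})
    # Correlation: ownership taken AND ACL granted on the same system file by
    # children of one parent is the takeover pattern seen in this report.
    for ppid, paths in per_parent.items():
        for path, tools in paths.items():
            if {"takeown.exe", "icacls.exe"} <= tools:
                findings.append({"rule": "system_file_acl_takeover", "severity": "high",
                                 "pid": ppid, "target": path, "chain": ancestry(ppid, by_pid)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["rule"], f["pid"], f["target"], "<-".join(map(str, f["chain"])))
```

Run against the constructed events this produces four medium findings for the individual takeown and icacls calls, one for the forced taskkill, and two high findings (one per DLL) from the correlation step; the benign icacls on C:\Users\Admin\share produces nothing. On a real host the rule should additionally treat a takeown or icacls whose ancestry does not lead back to an interactive administrator shell or a known deployment tool as high on its own, since ownership changes on system DLLs are almost never part of normal operation.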
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize 251B
MD5 edf1b293999e875a2ababb34b73b8628
SHA1 2e15b4d4daa690b627572c9ca1e6585c251038cc
SHA256 3a1381175b66748bac9ce074963ca710318ca988888da5873167e359a7871b70
SHA512 ce98576fce97c540a18c4846ced07803cd428c16e2f5a49318844afbfb0cf329ada2007daab5655dafafb40ad0a90d8bb8f4bcd84685db1ab599562a8cb07ee1
-
memory/1276-138-0x0000000000000000-mapping.dmp
-
memory/2276-132-0x0000000000000000-mapping.dmp
-
memory/3064-134-0x0000000000000000-mapping.dmp
-
memory/3528-135-0x0000000000000000-mapping.dmp
-
memory/3684-137-0x0000000000000000-mapping.dmp
-
memory/4488-136-0x0000000000000000-mapping.dmp
-
memory/4628-139-0x0000000000000000-mapping.dmp
-
memory/4836-133-0x0000000000000000-mapping.dmp