40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4

General

Target

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Size

22KB
MD5

9352fdae3a18fb42dec31d80f2b762c0
SHA1

cd605e2560ecab3fd0a816011bef2b46f08da718
SHA256

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4
SHA512

d4f5ef7e611c8f0ebbc61d019e1c5caf3b8b2a907f7b292e0049fef2f1e9657e75a46d17ca62a7f7ea9629633791900962565497531c30ca5f40e419cda1aa06
SSDEEP

384:ZeIqR1e2cz/2C+h21llTNerR14X0Tt2RBZu2wNpkHqTqFlBGQq1uzs8e9aTA0iKo:ZrCXcz/2CvRewkTYJ/rlBGBgs81K

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

3064 icacls.exe
4488 takeown.exe
3684 icacls.exe
4836 takeown.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4836 takeown.exe
3064 icacls.exe
4488 takeown.exe
3684 icacls.exe

pid	process
3064	icacls.exe
4488	takeown.exe
3684	icacls.exe
4836	takeown.exe

pid	process
4836	takeown.exe
3064	icacls.exe
4488	takeown.exe
3684	icacls.exe

Drops file in System32 directory 5 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
File opened for modification	C:\Windows\SysWOW64\123A639.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
File created	C:\Windows\SysWOW64\sxload.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
File opened for modification	C:\Windows\SysWOW64\1239FD0.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

Drops file in Program Files directory 1 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxf7.tmp 40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1276 taskkill.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxf7.tmp	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

pid	process
1276	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exetakeown.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
Token: SeTakeOwnershipPrivilege	4836	takeown.exe
Token: SeTakeOwnershipPrivilege	4488	takeown.exe
Token: SeDebugPrivilege	1276	taskkill.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

pid	process
3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.execmd.execmd.exe

description	pid	process	target process
PID 3192 wrote to memory of 2276	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 3192 wrote to memory of 2276	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 3192 wrote to memory of 2276	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 2276 wrote to memory of 4836	2276	cmd.exe	takeown.exe
PID 2276 wrote to memory of 4836	2276	cmd.exe	takeown.exe
PID 2276 wrote to memory of 4836	2276	cmd.exe	takeown.exe
PID 2276 wrote to memory of 3064	2276	cmd.exe	icacls.exe
PID 2276 wrote to memory of 3064	2276	cmd.exe	icacls.exe
PID 2276 wrote to memory of 3064	2276	cmd.exe	icacls.exe
PID 3192 wrote to memory of 3528	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 3192 wrote to memory of 3528	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 3192 wrote to memory of 3528	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 3528 wrote to memory of 4488	3528	cmd.exe	takeown.exe
PID 3528 wrote to memory of 4488	3528	cmd.exe	takeown.exe
PID 3528 wrote to memory of 4488	3528	cmd.exe	takeown.exe
PID 3528 wrote to memory of 3684	3528	cmd.exe	icacls.exe
PID 3528 wrote to memory of 3684	3528	cmd.exe	icacls.exe
PID 3528 wrote to memory of 3684	3528	cmd.exe	icacls.exe
PID 3192 wrote to memory of 1276	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	taskkill.exe
PID 3192 wrote to memory of 1276	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	taskkill.exe
PID 3192 wrote to memory of 1276	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	taskkill.exe
PID 3192 wrote to memory of 4628	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 3192 wrote to memory of 4628	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe
PID 3192 wrote to memory of 4628	3192	40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe
"C:\Users\Admin\AppData\Local\Temp\40f449bc184cb816b7b9c79a14db12b6492647a49873ea69c057513f07dc3ff4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\rasadhlp.dll" && icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\rasadhlp.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\rasadhlp.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3064

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\system32\midimap.dll" && icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\system32\midimap.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\system32\midimap.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3684

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
edf1b293999e875a2ababb34b73b8628

SHA1
2e15b4d4daa690b627572c9ca1e6585c251038cc

SHA256
3a1381175b66748bac9ce074963ca710318ca988888da5873167e359a7871b70

SHA512
ce98576fce97c540a18c4846ced07803cd428c16e2f5a49318844afbfb0cf329ada2007daab5655dafafb40ad0a90d8bb8f4bcd84685db1ab599562a8cb07ee1

Download Submit
memory/1276-138-0x0000000000000000-mapping.dmp

Download
memory/2276-132-0x0000000000000000-mapping.dmp

Download
memory/3064-134-0x0000000000000000-mapping.dmp

Download
memory/3528-135-0x0000000000000000-mapping.dmp

Download
memory/3684-137-0x0000000000000000-mapping.dmp

Download
memory/4488-136-0x0000000000000000-mapping.dmp

Download
memory/4628-139-0x0000000000000000-mapping.dmp

Download
memory/4836-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads