20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087

General

Target

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
Size

28KB
MD5

4fedcbbb748b46dfcc5bf5cd3b98ee97
SHA1

1eb7e3a122e3aec420d022cf67d3b4c80073a008
SHA256

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087
SHA512

7a29b57ba377509acc3365f1f8f0107d56ebe6cf530c291045436c04f579f80e5345e186a49ca9669c8a9210c8cf2a564d06daaed183a8a94ba12128aa67d997
SSDEEP

768:XwcJmwfC23/wVC6VH9kUwV/cDNyuROTXOcFH8C1:Xq23/iC6VH9k6g6O7HFc2

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1500 takeown.exe
1316 icacls.exe
1740 takeown.exe
544 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1040 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1500 takeown.exe
1316 icacls.exe
1740 takeown.exe
544 icacls.exe

pid	process
1500	takeown.exe
1316	icacls.exe
1740	takeown.exe
544	icacls.exe

pid	process
1040	cmd.exe

pid	process
1500	takeown.exe
1316	icacls.exe
1740	takeown.exe
544	icacls.exe

Drops file in System32 directory 8 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1231D03.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File opened for modification	C:\Windows\syswow64\1231D03.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File opened for modification	C:\Windows\SysWOW64\1232A4D.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File opened for modification	C:\Windows\syswow64\1232A4D.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File created	C:\Windows\syswow64\sx998.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File created	C:\Windows\SysWOW64\sxload.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1680 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

pid process

616 20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

pid	process
1680	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
Token: SeTakeOwnershipPrivilege	1500	takeown.exe
Token: SeDebugPrivilege	1680	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

pid	process
616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 616 wrote to memory of 1300	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1300	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1300	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1300	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 1300 wrote to memory of 992	1300	cmd.exe	cmd.exe
PID 1300 wrote to memory of 992	1300	cmd.exe	cmd.exe
PID 1300 wrote to memory of 992	1300	cmd.exe	cmd.exe
PID 1300 wrote to memory of 992	1300	cmd.exe	cmd.exe
PID 992 wrote to memory of 1500	992	cmd.exe	takeown.exe
PID 992 wrote to memory of 1500	992	cmd.exe	takeown.exe
PID 992 wrote to memory of 1500	992	cmd.exe	takeown.exe
PID 992 wrote to memory of 1500	992	cmd.exe	takeown.exe
PID 1300 wrote to memory of 1316	1300	cmd.exe	icacls.exe
PID 1300 wrote to memory of 1316	1300	cmd.exe	icacls.exe
PID 1300 wrote to memory of 1316	1300	cmd.exe	icacls.exe
PID 1300 wrote to memory of 1316	1300	cmd.exe	icacls.exe
PID 616 wrote to memory of 1140	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1140	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1140	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1140	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 1140 wrote to memory of 1888	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 1888	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 1888	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 1888	1140	cmd.exe	cmd.exe
PID 1888 wrote to memory of 1740	1888	cmd.exe	takeown.exe
PID 1888 wrote to memory of 1740	1888	cmd.exe	takeown.exe
PID 1888 wrote to memory of 1740	1888	cmd.exe	takeown.exe
PID 1888 wrote to memory of 1740	1888	cmd.exe	takeown.exe
PID 1140 wrote to memory of 544	1140	cmd.exe	icacls.exe
PID 1140 wrote to memory of 544	1140	cmd.exe	icacls.exe
PID 1140 wrote to memory of 544	1140	cmd.exe	icacls.exe
PID 1140 wrote to memory of 544	1140	cmd.exe	icacls.exe
PID 616 wrote to memory of 1680	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	taskkill.exe
PID 616 wrote to memory of 1680	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	taskkill.exe
PID 616 wrote to memory of 1680	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	taskkill.exe
PID 616 wrote to memory of 1680	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	taskkill.exe
PID 616 wrote to memory of 1040	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1040	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1040	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 616 wrote to memory of 1040	616	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
"C:\Users\Admin\AppData\Local\Temp\20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1316

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
3⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1740

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:544

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
2⤵
- Deletes itself
PID:1040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
d38d93171929936481c892b524bc1fb6

SHA1
bcd200e36763bb771a270873c9499a88e2abc9ff

SHA256
3cd25f9ebb955e969eed84e1a4e9981da975e09fb1dd4bec061830d92d3fe8c2

SHA512
809671e3d7ce62846c21fca44fb8f57ace13159914cc368ceb402da5a7e6aa6721b2e363349a7d1b386943b0953b1215c45160ffecef4621357b16038b7c74ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
f87a749e97c7a8c63406321aa604498f

SHA1
5da6a31742558d3f5e9ccde10304012230d2e0a7

SHA256
c54a7f4a32e9f6d19dbd80a7a52ea54f689956ee25e42bb6a168dc0ca3dd5946

SHA512
73fad4c4f9fb08a2a6ecc82695f18266600ad954ac50056c0db83c2dd3c5171c64e33bcced26ba06c9994c172d7c4c6fd979cd9d795e107f0bc28baa3becc97b

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
11KB

MD5
f87a749e97c7a8c63406321aa604498f

SHA1
5da6a31742558d3f5e9ccde10304012230d2e0a7

SHA256
c54a7f4a32e9f6d19dbd80a7a52ea54f689956ee25e42bb6a168dc0ca3dd5946

SHA512
73fad4c4f9fb08a2a6ecc82695f18266600ad954ac50056c0db83c2dd3c5171c64e33bcced26ba06c9994c172d7c4c6fd979cd9d795e107f0bc28baa3becc97b

Download Submit
memory/544-67-0x0000000000000000-mapping.dmp

Download
memory/616-60-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/616-61-0x0000000074BE1000-0x0000000074BE3000-memory.dmp

Filesize
8KB

Download
memory/616-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/992-57-0x0000000000000000-mapping.dmp

Download
memory/1040-74-0x0000000000000000-mapping.dmp

Download
memory/1140-63-0x0000000000000000-mapping.dmp

Download
memory/1300-55-0x0000000000000000-mapping.dmp

Download
memory/1316-59-0x0000000000000000-mapping.dmp

Download
memory/1500-58-0x0000000000000000-mapping.dmp

Download
memory/1680-73-0x0000000000000000-mapping.dmp

Download
memory/1740-66-0x0000000000000000-mapping.dmp

Download
memory/1888-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads