Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 20-11-2022 10:48
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
  - Resource: win7-20221111-en
General
- Target: 20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
- Size: 28KB
- MD5: 4fedcbbb748b46dfcc5bf5cd3b98ee97
- SHA1: 1eb7e3a122e3aec420d022cf67d3b4c80073a008
- SHA256: 20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087
- SHA512: 7a29b57ba377509acc3365f1f8f0107d56ebe6cf530c291045436c04f579f80e5345e186a49ca9669c8a9210c8cf2a564d06daaed183a8a94ba12128aa67d997
- SSDEEP: 768:XwcJmwfC23/wVC6VH9kUwV/cDNyuROTXOcFH8C1:Xq23/iC6VH9k6g6O7HFc2
Malware Config
Signatures
(Below, "the sample" is 20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe.)
- Possible privilege escalation attempt (4 IoCs)
  Processes: takeown.exe (PID 1500), icacls.exe (PID 1316), takeown.exe (PID 1740), icacls.exe (PID 544)
- Deletes itself (1 IoC)
  Processes: cmd.exe (PID 1040)
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes: takeown.exe (PID 1500), icacls.exe (PID 1316), takeown.exe (PID 1740), icacls.exe (PID 544)
- Drops file in System32 directory (8 IoCs)
  All by the sample:
  - File opened for modification: C:\Windows\SysWOW64\1231D03.tmp
  - File opened for modification: C:\Windows\syswow64\1231D03.tmp
  - File created: C:\Windows\SysWOW64\dllcache\rasadhlp.dll
  - File opened for modification: C:\Windows\SysWOW64\1232A4D.tmp
  - File opened for modification: C:\Windows\syswow64\1232A4D.tmp
  - File created: C:\Windows\SysWOW64\dllcache\midimap.dll
  - File created: C:\Windows\syswow64\sx998.tmp
  - File created: C:\Windows\SysWOW64\sxload.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe (PID 1680)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: the sample (PID 616)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token: SeDebugPrivilege, PID 616, the sample
  - Token: SeTakeOwnershipPrivilege, PID 1500, takeown.exe
  - Token: SeDebugPrivilege, PID 1680, taskkill.exe
- Suspicious use of FindShellTrayWindow (8 IoCs)
  Processes: the sample (PID 616), recorded 8 times
- Suspicious use of WriteProcessMemory (40 IoCs)
  Each of the following parent-to-child writes was recorded 4 times (source PID and process -> target PID and process):
  - 616 (the sample) -> 1300 (cmd.exe)
  - 1300 (cmd.exe) -> 992 (cmd.exe)
  - 992 (cmd.exe) -> 1500 (takeown.exe)
  - 1300 (cmd.exe) -> 1316 (icacls.exe)
  - 616 (the sample) -> 1140 (cmd.exe)
  - 1140 (cmd.exe) -> 1888 (cmd.exe)
  - 1888 (cmd.exe) -> 1740 (takeown.exe)
  - 1140 (cmd.exe) -> 544 (icacls.exe)
  - 616 (the sample) -> 1680 (taskkill.exe)
  - 616 (the sample) -> 1040 (cmd.exe)
Processes
(Bracketed numbers give the depth in the process tree; indentation shows parent/child.)
- [1] C:\Users\Admin\AppData\Local\Temp\20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c 2.bat
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f "C:\Windows\syswow64"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f "C:\Windows\syswow64"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\syswow64" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c 2.bat
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f "C:\Windows\syswow64"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f "C:\Windows\syswow64"
        - Possible privilege escalation attempt
        - Modifies file permissions
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Windows\syswow64" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - [2] C:\Windows\SysWOW64\taskkill.exe
    Command line: taskkill /f /im "GamePlaza.exe"
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c 1.bat
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads