20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087

General

Target

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
Size

28KB
MD5

4fedcbbb748b46dfcc5bf5cd3b98ee97
SHA1

1eb7e3a122e3aec420d022cf67d3b4c80073a008
SHA256

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087
SHA512

7a29b57ba377509acc3365f1f8f0107d56ebe6cf530c291045436c04f579f80e5345e186a49ca9669c8a9210c8cf2a564d06daaed183a8a94ba12128aa67d997
SSDEEP

768:XwcJmwfC23/wVC6VH9kUwV/cDNyuROTXOcFH8C1:Xq23/iC6VH9k6g6O7HFc2

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4160 takeown.exe
740 icacls.exe
4872 takeown.exe
4976 icacls.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4872 takeown.exe
4976 icacls.exe
4160 takeown.exe
740 icacls.exe

pid	process
4160	takeown.exe
740	icacls.exe
4872	takeown.exe
4976	icacls.exe

pid	process
4872	takeown.exe
4976	icacls.exe
4160	takeown.exe
740	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1239119.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File opened for modification	C:\Windows\SysWOW64\123A250.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File created	C:\Windows\SysWOW64\sx998.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
File created	C:\Windows\SysWOW64\sxload.tmp	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1972 taskkill.exe

pid	process
1972	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

pid	process
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
Token: SeTakeOwnershipPrivilege	4872	takeown.exe
Token: SeDebugPrivilege	1972	taskkill.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

pid	process
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1572 wrote to memory of 4488	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 1572 wrote to memory of 4488	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 1572 wrote to memory of 4488	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 4488 wrote to memory of 5048	4488	cmd.exe	cmd.exe
PID 4488 wrote to memory of 5048	4488	cmd.exe	cmd.exe
PID 4488 wrote to memory of 5048	4488	cmd.exe	cmd.exe
PID 5048 wrote to memory of 4872	5048	cmd.exe	takeown.exe
PID 5048 wrote to memory of 4872	5048	cmd.exe	takeown.exe
PID 5048 wrote to memory of 4872	5048	cmd.exe	takeown.exe
PID 4488 wrote to memory of 4976	4488	cmd.exe	icacls.exe
PID 4488 wrote to memory of 4976	4488	cmd.exe	icacls.exe
PID 4488 wrote to memory of 4976	4488	cmd.exe	icacls.exe
PID 1572 wrote to memory of 4660	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 1572 wrote to memory of 4660	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 1572 wrote to memory of 4660	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 4660 wrote to memory of 4296	4660	cmd.exe	cmd.exe
PID 4660 wrote to memory of 4296	4660	cmd.exe	cmd.exe
PID 4660 wrote to memory of 4296	4660	cmd.exe	cmd.exe
PID 4296 wrote to memory of 4160	4296	cmd.exe	takeown.exe
PID 4296 wrote to memory of 4160	4296	cmd.exe	takeown.exe
PID 4296 wrote to memory of 4160	4296	cmd.exe	takeown.exe
PID 4660 wrote to memory of 740	4660	cmd.exe	icacls.exe
PID 4660 wrote to memory of 740	4660	cmd.exe	icacls.exe
PID 4660 wrote to memory of 740	4660	cmd.exe	icacls.exe
PID 1572 wrote to memory of 1972	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	taskkill.exe
PID 1572 wrote to memory of 1972	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	taskkill.exe
PID 1572 wrote to memory of 1972	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	taskkill.exe
PID 1572 wrote to memory of 116	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 1572 wrote to memory of 116	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe
PID 1572 wrote to memory of 116	1572	20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe
"C:\Users\Admin\AppData\Local\Temp\20a3abda955d8b7c3b7f3b35785ca9d6d40105c2ed39c3185f445ca29dc24087.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
3⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4160

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
2⤵
PID:116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
251B

MD5
d38d93171929936481c892b524bc1fb6

SHA1
bcd200e36763bb771a270873c9499a88e2abc9ff

SHA256
3cd25f9ebb955e969eed84e1a4e9981da975e09fb1dd4bec061830d92d3fe8c2

SHA512
809671e3d7ce62846c21fca44fb8f57ace13159914cc368ceb402da5a7e6aa6721b2e363349a7d1b386943b0953b1215c45160ffecef4621357b16038b7c74ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Windows\SysWOW64\123A250.tmp
Filesize
18KB

MD5
814f3fdc176564b824edf9b9f75e2f9b

SHA1
4a81b2811640d6f6625d76d38e5cdc51dd9ef780

SHA256
1b2622cd8dd0633317fabbfb0abf2c16b2d1980e19f6f7f0d638cecf07e5549f

SHA512
2b1ba1667a36779fe5d247a537c5fd603c80fa92acb81d9ac9b5a45f521bc84c236400475febf72302e2e27085e7f1d1f4008673fab7e5a72aacd3c7a90f3a58

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
d504739e761a70015630c2a634ddd79f

SHA1
5a1a9b3557fa9a1702135de551196b9cbb87c74b

SHA256
deeaca4ad25b67448b77588cf3ef4a5929cd9b8e0ebabdee994b1cc64e408208

SHA512
4d956723a6578c397f9ff05810c9d8c9c33dacb5d295d4db2772462f0127d2fd70a52795e27a5bfce8337a6adfae6fc3f358241cbaa6c8625e9f2c75f2f5b8fd

Download Submit
memory/116-146-0x0000000000000000-mapping.dmp

Download
memory/740-141-0x0000000000000000-mapping.dmp

Download
memory/1972-145-0x0000000000000000-mapping.dmp

Download
memory/4160-140-0x0000000000000000-mapping.dmp

Download
memory/4296-139-0x0000000000000000-mapping.dmp

Download
memory/4488-132-0x0000000000000000-mapping.dmp

Download
memory/4660-137-0x0000000000000000-mapping.dmp

Download
memory/4872-135-0x0000000000000000-mapping.dmp

Download
memory/4976-136-0x0000000000000000-mapping.dmp

Download
memory/5048-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads