Analysis

max time kernel: 155s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 13:09

Static task: static1
Behavioral task: behavioral1
Sample: c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Resource: win7-20221111-en
General

Target: c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Size: 27KB
MD5: 0d3cdf4fc3630c14d0facb4ffdd087e4
SHA1: b71d4a9d78c5c4094e0de3ab1271d32fa1ca6008
SHA256: c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd
SHA512: 10de3fe172457367f607222905c62189000ca4d1677cb14393f581452fd35ed513b2df1c0f3e66321e889cdf7a2416fe6da1cd7d66e16c5a2e1d85dd697acbd6
SSDEEP: 384:t+0/29+Uh4GgKKFk7JF5qLgnM4S73TGD0VGkWntTNHLyzPnkQanGY4RpWmLugMPZ:QexKHObTGvtTNUnkfz47mPZ
Malware Config
Signatures

Possible privilege escalation attempt (6 IoCs)
Processes (pid, process):
616 takeown.exe
4380 icacls.exe
736 takeown.exe
1232 icacls.exe
2744 takeown.exe
3540 icacls.exe

Modifies file permissions (1 TTP, 6 IoCs)
Processes (pid, process):
4380 icacls.exe
736 takeown.exe
1232 icacls.exe
2744 takeown.exe
3540 icacls.exe
616 takeown.exe

Drops file in System32 directory (7 IoCs)
Processes (description, ioc, process); all by c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe:
File opened for modification C:\Windows\SysWOW64\123272.tmp
File created C:\Windows\SysWOW64\dllcache\iphlpapi.dll
File opened for modification C:\Windows\SysWOW64\1238D4E.tmp
File created C:\Windows\SysWOW64\dllcache\rasadhlp.dll
File opened for modification C:\Windows\SysWOW64\1239454.tmp
File created C:\Windows\SysWOW64\dllcache\midimap.dll
File created C:\Windows\SysWOW64\sxload.tmp

Drops file in Program Files directory (1 IoC)
Processes (description, ioc, process):
File created C:\Program Files (x86)\Common Files\sxf7.tmp c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
Processes (pid, process):
5052 taskkill.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
2284 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege 2284 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
Token: SeTakeOwnershipPrivilege 2744 takeown.exe
Token: SeDebugPrivilege 5052 taskkill.exe

Suspicious use of FindShellTrayWindow (12 IoCs)
Processes (pid, process):
2284 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe (12 entries)

Suspicious use of WriteProcessMemory (42 IoCs)
Processes (source pid, source process, target pid, target process); each pair below is recorded three times, 42 events in total:
2284 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe wrote to memory of 4208 cmd.exe
4208 cmd.exe wrote to memory of 3660 cmd.exe
3660 cmd.exe wrote to memory of 2744 takeown.exe
4208 cmd.exe wrote to memory of 3540 icacls.exe
2284 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe wrote to memory of 3824 cmd.exe
3824 cmd.exe wrote to memory of 1904 cmd.exe
1904 cmd.exe wrote to memory of 616 takeown.exe
3824 cmd.exe wrote to memory of 4380 icacls.exe
2284 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe wrote to memory of 3156 cmd.exe
3156 cmd.exe wrote to memory of 4912 cmd.exe
4912 cmd.exe wrote to memory of 736 takeown.exe
3156 cmd.exe wrote to memory of 1232 icacls.exe
2284 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe wrote to memory of 5052 taskkill.exe
2284 c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe wrote to memory of 3236 cmd.exe
Processes

Process tree (indentation shows parent/child depth; each entry gives image path, command line, PID and the signatures it triggered):

C:\Users\Admin\AppData\Local\Temp\c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6b3b193937267da410e283e437520f61596058fe432eb23b30d57f978c017cd.exe"
  PID: 2284
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c 2.bat
      PID: 4208
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c takeown /f "C:\Windows\System32"
          PID: 3660
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\takeown.exe
              Command line: takeown /f "C:\Windows\System32"
              PID: 2744
              - Possible privilege escalation attempt
              - Modifies file permissions
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\icacls.exe
          Command line: icacls "C:\Windows\System32" /grant administrators:F
          PID: 3540
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c 2.bat
      PID: 3824
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c takeown /f "C:\Windows\System32"
          PID: 1904
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\takeown.exe
              Command line: takeown /f "C:\Windows\System32"
              PID: 616
              - Possible privilege escalation attempt
              - Modifies file permissions

        C:\Windows\SysWOW64\icacls.exe
          Command line: icacls "C:\Windows\System32" /grant administrators:F
          PID: 4380
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c 2.bat
      PID: 3156
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c takeown /f "C:\Windows\System32"
          PID: 4912
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\takeown.exe
              Command line: takeown /f "C:\Windows\System32"
              PID: 736
              - Possible privilege escalation attempt
              - Modifies file permissions

        C:\Windows\SysWOW64\icacls.exe
          Command line: icacls "C:\Windows\System32" /grant administrators:F
          PID: 1232
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "GamePlaza.exe"
      PID: 5052
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c 1.bat
      PID: 3236
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize: 251B
MD5: 27671de916ba9e256c846654cd26357d
SHA1: a6df5f9271d13bf3c4968163f1435822e8a053f6
SHA256: 2e4f0b8c4b4b67b51f7b3d6bc5d4aeba5b6f7e1066c1aa079a55b77397ba5352
SHA512: b2ed5a225555f621f14c861c9c6c23afd92e77fedf5b7d8ac976d4269bc5e71e6829bf869790c3c39f733869fcb504a3bbeec63b61428412116ee8ca96d24192

C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize: 110B
MD5: 12e768a105dc0d143a5f5becdd12167a
SHA1: 8f82f11fc9b8921b1a80eb23b600d243a8756766
SHA256: 0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056
SHA512: 3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize: 192KB
MD5: f6d9b897d17f7d7f3437e375aec0479c
SHA1: 0fa5161d13e665968fe16a41721d85aa625a55bf
SHA256: b86007da2336816e6ac622e9a8c075b309d0db99d7424dbe88c7a82cfc159a4c
SHA512: 7dbaac6ee57088afe22ad4c31bcb6b34119b26eb7cbccb096ee0b6dcaa7e1e84c50841f8b46f389672e7b6c2ab3d6064453aec9d205afdbd23589976b888ca39

C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize: 12KB
MD5: 867c48a347666c56321d58f619355897
SHA1: 7ddb891077ab743a8c921650b804042982793aaf
SHA256: 29f1013890cc83362201972140f4bfae09cd09a228ad98e8817bfb80759a9f95
SHA512: 6f4500f9f494f2a65f36eef6110d0c3ce4156fb865b9b55e8dd76be6eb24bae5378f97929430cb319a04da35cd229be3536742721ce3ae0aa69d47411bbd3881

C:\Windows\SysWOW64\iphlpapi.dll
Filesize: 192KB
MD5: f6d9b897d17f7d7f3437e375aec0479c
SHA1: 0fa5161d13e665968fe16a41721d85aa625a55bf
SHA256: b86007da2336816e6ac622e9a8c075b309d0db99d7424dbe88c7a82cfc159a4c
SHA512: 7dbaac6ee57088afe22ad4c31bcb6b34119b26eb7cbccb096ee0b6dcaa7e1e84c50841f8b46f389672e7b6c2ab3d6064453aec9d205afdbd23589976b888ca39

C:\Windows\SysWOW64\rasadhlp.dll
Filesize: 12KB
MD5: 867c48a347666c56321d58f619355897
SHA1: 7ddb891077ab743a8c921650b804042982793aaf
SHA256: 29f1013890cc83362201972140f4bfae09cd09a228ad98e8817bfb80759a9f95
SHA512: 6f4500f9f494f2a65f36eef6110d0c3ce4156fb865b9b55e8dd76be6eb24bae5378f97929430cb319a04da35cd229be3536742721ce3ae0aa69d47411bbd3881

Memory dumps (one mapping dump per process, all with base address 0x0000000000000000):
memory/616-140-0x0000000000000000-mapping.dmp
memory/736-147-0x0000000000000000-mapping.dmp
memory/1232-148-0x0000000000000000-mapping.dmp
memory/1904-139-0x0000000000000000-mapping.dmp
memory/2744-135-0x0000000000000000-mapping.dmp
memory/3156-144-0x0000000000000000-mapping.dmp
memory/3236-152-0x0000000000000000-mapping.dmp
memory/3540-136-0x0000000000000000-mapping.dmp
memory/3660-134-0x0000000000000000-mapping.dmp
memory/3824-137-0x0000000000000000-mapping.dmp
memory/4208-132-0x0000000000000000-mapping.dmp
memory/4380-141-0x0000000000000000-mapping.dmp
memory/4912-146-0x0000000000000000-mapping.dmp
memory/5052-151-0x0000000000000000-mapping.dmp