25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407

General

Target

25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
Size

888KB
MD5

02e1fc62335f482e4c2bd663e206736a
SHA1

83c2a8c79f0745f977dab0ae1c158292217f94d0
SHA256

25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407
SHA512

18ba896dc20d86c7e78dc44365391a17457b39b3ec424f99df4f72a5ec536ab7f1fa222f036c0ddb8cda89e5d36bcac73c4325f75c9b0e0a7f079e20e5d8fc8b

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exe

pid process

2680 takeown.exe
3776 takeown.exe
64 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2680	takeown.exe
3776	takeown.exe
64	takeown.exe

Drops file in System32 directory 5 IoCs

Processes:

25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
File created	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\User\Registry.pol	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
File created	C:\Windows\SysWOW64\GroupPolicy\User\Registry.pol	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

Drops file in Windows directory 1 IoCs

Processes:

25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

description ioc process

File opened for modification C:\Windows\SysWOW64 25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3868	1588	WerFault.exe	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
2700	1588	WerFault.exe	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
2680	1588	WerFault.exe	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
4020	1588	WerFault.exe	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
3096	1588	WerFault.exe	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
1540	1588	WerFault.exe	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

pid	process
1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe

description	pid	process	target process
PID 1588 wrote to memory of 1276	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe
PID 1588 wrote to memory of 1276	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe
PID 1588 wrote to memory of 1276	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe
PID 1588 wrote to memory of 2560	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	svchost.exe
PID 1588 wrote to memory of 2560	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	svchost.exe
PID 1588 wrote to memory of 2560	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	svchost.exe
PID 1588 wrote to memory of 2680	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	takeown.exe
PID 1588 wrote to memory of 2680	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	takeown.exe
PID 1588 wrote to memory of 2680	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	takeown.exe
PID 1588 wrote to memory of 2736	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe
PID 1588 wrote to memory of 2736	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe
PID 1588 wrote to memory of 2736	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe
PID 1588 wrote to memory of 4020	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe
PID 1588 wrote to memory of 4020	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe
PID 1588 wrote to memory of 4020	1588	25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe
"C:\Users\Admin\AppData\Local\Temp\25f2f5129c115a80eb14d4688ee50809402c74c840466b6c42a1c651d299c407.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 744
2⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 752
2⤵
- Program crash
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 812
2⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 808
2⤵
- Program crash
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1080
2⤵
- Program crash
PID:3096

C:\Windows\SysWOW64\cacls.exe
C:\Windows\System32\cacls.exe C:\Windows\System32\GroupPolicy /t /e /g Everyone:f
2⤵
PID:1276

C:\Windows\SysWOW64\cacls.exe
C:\Windows\System32\cacls.exe C:\Windows\System32\GroupPolicy /t /e /g все:f
2⤵
PID:2560

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /F C:\Windows\System32\GroupPolicy
2⤵
- Modifies file permissions
PID:2680

C:\Windows\SysWOW64\cacls.exe
C:\Windows\System32\cacls.exe C:\Windows\SysWOW64\GroupPolicy /t /e /g все:f
2⤵
PID:4020

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /F C:\Windows\SysWOW64\GroupPolicy
2⤵
- Modifies file permissions
PID:3776

C:\Windows\SysWOW64\cacls.exe
C:\Windows\System32\cacls.exe C:\Windows\Sysnative\GroupPolicy /t /e /g Everyone:f
2⤵
PID:2576

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /F C:\Windows\Sysnative\GroupPolicy
2⤵
- Modifies file permissions
PID:64

C:\Windows\SysWOW64\cacls.exe
C:\Windows\System32\cacls.exe C:\Windows\Sysnative\GroupPolicy /t /e /g все:f
2⤵
PID:1316

C:\Windows\SysWOW64\gpupdate.exe
C:\Windows\System32\gpupdate.exe /force
2⤵
PID:3100

C:\Windows\SysWOW64\cacls.exe
C:\Windows\System32\cacls.exe C:\Windows\SysWOW64\GroupPolicy /t /e /g Everyone:f
2⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 768
2⤵
- Program crash
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1588 -ip 1588
1⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1588 -ip 1588
1⤵
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1588 -ip 1588
1⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1588 -ip 1588
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1588 -ip 1588
1⤵
PID:532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3956

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1588 -ip 1588
1⤵
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GroupPolicy\User\Registry.pol
Filesize
472B

MD5
62ce4006ac00215377752dfaf25e20ae

SHA1
7e5b3b70613aa4dc1e71431e0855a47c7ee75cd2

SHA256
1bb0208258be631a21cfed8166a49ee9467dfba8962a2f85361ce365e48f6962

SHA512
d79b826cd909ec15128bfe898064854ca043171db3e55b961e0a55754567da62bc57eb9cc2a994b2e0c14b3be49707aff080df886d303de229643da47acbdaeb

Download Submit
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Filesize
155B

MD5
b18af26ec9d74dd4bfd14fd79a655c1d

SHA1
df4c28816bc845a34d434347c10c6d14fcafdd01

SHA256
ea62b60ea16af53841f2088458910586186bd3130d6dad443a27906f7baee7c9

SHA512
bc64d120a55e93a17e81349a5a9856556612a44673ae9ae8589a66638e25685b9b70608ce23b19e0919797b04da40dbca5cdc87c7f6eb1bfb93307dc4bc74ff2

Download Submit
memory/64-142-0x0000000000000000-mapping.dmp

Download
memory/1276-132-0x0000000000000000-mapping.dmp

Download
memory/1316-141-0x0000000000000000-mapping.dmp

Download
memory/1588-131-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1588-130-0x0000000002170000-0x00000000021B3000-memory.dmp

Filesize
268KB

Download
memory/2560-133-0x0000000000000000-mapping.dmp

Download
memory/2576-140-0x0000000000000000-mapping.dmp

Download
memory/2680-134-0x0000000000000000-mapping.dmp

Download
memory/2736-135-0x0000000000000000-mapping.dmp

Download
memory/3100-143-0x0000000000000000-mapping.dmp

Download
memory/3776-139-0x0000000000000000-mapping.dmp

Download
memory/4020-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads