Analysis
- max time kernel: 37s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 18-09-2022 22:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
- Resource: win7-20220812-en
General
- Target: bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
- Size: 72KB
- MD5: 052e7172222c2841065c70522e16b826
- SHA1: effe4fbb1334a8789b19ef13f751b85ba1dd0fe2
- SHA256: bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434
- SHA512: 683be9af7cd91e591e6babc25abf621e66aca713c9218860eed2f47bfcab8be62909ebddb35a12176f02fb95a3f66dd623bde003bf804763870a750a2dbf80b6
- SSDEEP: 768:hKEI1ku7ai95/KIDDIm/liKT5jJ9C/RE8ICXFxiGXq1B:hKEI1k/gDDIm/li29eG8PAGXqH
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: PID 1964 takeown.exe; PID 1560 icacls.exe
- Deletes itself (1 IoC)
  Processes: PID 324 cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 324 cmd.exe (2 events)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: PID 1964 takeown.exe; PID 1560 icacls.exe
- Drops file in System32 directory (4 IoCs)
  Process bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe:
    File created: C:\Windows\SysWOW64\ole.dll
    File created: C:\Windows\SysWOW64\imm32.dll.log
    File opened for modification: C:\Windows\SysWOW64\imm32.dll.log
    File created: C:\Windows\SysWOW64\imm32.dll
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 748 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 748 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
  Token SeTakeOwnershipPrivilege: PID 1964 takeown.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 748 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe (2 events)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Source process PID 748 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe wrote to memory of:
    PID 1964 takeown.exe (4 events)
    PID 1560 icacls.exe (4 events)
    PID 324 cmd.exe (4 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe"
   Signatures:
   - Drops file in System32 directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   Child processes (depth 2):
   2. C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /F C:\Windows\system32\imm32.dll
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\system32\imm32.dll /grant administrators:f
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c c:\del6c5513.bat
      Signatures:
      - Deletes itself
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Windows\SysWOW64\IMM32.DLL
  Filesize: 121KB
  MD5: 9b82c81541d533e615e13003d5b0ab10
  SHA1: 7fd3920aee3ea0c704a389f07ea3b0eb76902b65
  SHA256: ab3083cf2670c4c7b1bcffb8b514dc20087bcee3c854bfdfab1dd962d1abae7c
  SHA512: 67f94e93d4c8b5a9534e07b1491ccccfbfa22262319536876d9ac8461ed75f14f87fe57a8bd58584314594fadb156ee876cee3cd6cfd0edfe43548b4e1fb7ecb
- C:\Windows\SysWOW64\ole.dll
  Filesize: 44KB
  MD5: afe481b25a448f77f182132f282f8474
  SHA1: 738a01634561bf3b76b406c28edcf43aa339f027
  SHA256: 8eccdc609eb57be9a3031161c9c7a7b2943aa63c9781d5bb95613f70ff12a55d
  SHA512: 584e675bda63536fefbb5f09ff952d0a540908cbd0675abd4307db4c2d3e83a46a1a02847483c1ec9594bf0542bc958cf830481a52a5ddf90ea25ed855e28e4a
- \??\c:\del6c5513.bat
  Filesize: 270B
  MD5: 57e64b0f92a88843ba15e1d49256e7c2
  SHA1: 0eb8e12d228fb88196f5d589193b5334007f93e3
  SHA256: 0e97e914e80c7cbc7115af70e7cba45c313fd66fe272fda27fe709b80c9eb303
  SHA512: a0b75c03280be4d811cade554f18829e2f8113c29dd4d05f251479148fd49137de7d16d098fc5ebdd58725da8d3cf5e9d61cd8e18755230d89e2ca0b967316cc
- \Windows\SysWOW64\imm32.dll
  Filesize: 121KB
  MD5: 9b82c81541d533e615e13003d5b0ab10
  SHA1: 7fd3920aee3ea0c704a389f07ea3b0eb76902b65
  SHA256: ab3083cf2670c4c7b1bcffb8b514dc20087bcee3c854bfdfab1dd962d1abae7c
  SHA512: 67f94e93d4c8b5a9534e07b1491ccccfbfa22262319536876d9ac8461ed75f14f87fe57a8bd58584314594fadb156ee876cee3cd6cfd0edfe43548b4e1fb7ecb
- \Windows\SysWOW64\ole.dll
  Filesize: 44KB
  MD5: afe481b25a448f77f182132f282f8474
  SHA1: 738a01634561bf3b76b406c28edcf43aa339f027
  SHA256: 8eccdc609eb57be9a3031161c9c7a7b2943aa63c9781d5bb95613f70ff12a55d
  SHA512: 584e675bda63536fefbb5f09ff952d0a540908cbd0675abd4307db4c2d3e83a46a1a02847483c1ec9594bf0542bc958cf830481a52a5ddf90ea25ed855e28e4a
- memory/324-56-0x0000000000000000-mapping.dmp
- memory/324-62-0x0000000074E00000-0x0000000074E70000-memory.dmp
  Filesize: 448KB
- memory/1560-55-0x0000000000000000-mapping.dmp
- memory/1964-54-0x0000000000000000-mapping.dmp