bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434

General

Target

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
Size

72KB
MD5

052e7172222c2841065c70522e16b826
SHA1

effe4fbb1334a8789b19ef13f751b85ba1dd0fe2
SHA256

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434
SHA512

683be9af7cd91e591e6babc25abf621e66aca713c9218860eed2f47bfcab8be62909ebddb35a12176f02fb95a3f66dd623bde003bf804763870a750a2dbf80b6
SSDEEP

768:hKEI1ku7ai95/KIDDIm/liKT5jJ9C/RE8ICXFxiGXq1B:hKEI1k/gDDIm/li29eG8PAGXqH

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1964 takeown.exe
1560 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

324 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

324 cmd.exe
324 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1964 takeown.exe
1560 icacls.exe

pid	process
1964	takeown.exe
1560	icacls.exe

pid	process
324	cmd.exe

pid	process
324	cmd.exe
324	cmd.exe

pid	process
1964	takeown.exe
1560	icacls.exe

Drops file in System32 directory 4 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ole.dll	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
File created	C:\Windows\SysWOW64\imm32.dll.log	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll.log	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
File created	C:\Windows\SysWOW64\imm32.dll	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

pid process

748 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
Token: SeTakeOwnershipPrivilege	1964	takeown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

pid	process
748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

description	pid	process	target process
PID 748 wrote to memory of 1964	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	takeown.exe
PID 748 wrote to memory of 1964	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	takeown.exe
PID 748 wrote to memory of 1964	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	takeown.exe
PID 748 wrote to memory of 1964	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	takeown.exe
PID 748 wrote to memory of 1560	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	icacls.exe
PID 748 wrote to memory of 1560	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	icacls.exe
PID 748 wrote to memory of 1560	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	icacls.exe
PID 748 wrote to memory of 1560	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	icacls.exe
PID 748 wrote to memory of 324	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	cmd.exe
PID 748 wrote to memory of 324	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	cmd.exe
PID 748 wrote to memory of 324	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	cmd.exe
PID 748 wrote to memory of 324	748	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
"C:\Users\Admin\AppData\Local\Temp\bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\del6c5513.bat
2⤵
- Deletes itself
- Loads dropped DLL
PID:324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\IMM32.DLL
Filesize
121KB

MD5
9b82c81541d533e615e13003d5b0ab10

SHA1
7fd3920aee3ea0c704a389f07ea3b0eb76902b65

SHA256
ab3083cf2670c4c7b1bcffb8b514dc20087bcee3c854bfdfab1dd962d1abae7c

SHA512
67f94e93d4c8b5a9534e07b1491ccccfbfa22262319536876d9ac8461ed75f14f87fe57a8bd58584314594fadb156ee876cee3cd6cfd0edfe43548b4e1fb7ecb

Download Submit
C:\Windows\SysWOW64\ole.dll
Filesize
44KB

MD5
afe481b25a448f77f182132f282f8474

SHA1
738a01634561bf3b76b406c28edcf43aa339f027

SHA256
8eccdc609eb57be9a3031161c9c7a7b2943aa63c9781d5bb95613f70ff12a55d

SHA512
584e675bda63536fefbb5f09ff952d0a540908cbd0675abd4307db4c2d3e83a46a1a02847483c1ec9594bf0542bc958cf830481a52a5ddf90ea25ed855e28e4a

Download Submit
\??\c:\del6c5513.bat
Filesize
270B

MD5
57e64b0f92a88843ba15e1d49256e7c2

SHA1
0eb8e12d228fb88196f5d589193b5334007f93e3

SHA256
0e97e914e80c7cbc7115af70e7cba45c313fd66fe272fda27fe709b80c9eb303

SHA512
a0b75c03280be4d811cade554f18829e2f8113c29dd4d05f251479148fd49137de7d16d098fc5ebdd58725da8d3cf5e9d61cd8e18755230d89e2ca0b967316cc

Download Submit
\Windows\SysWOW64\imm32.dll
Filesize
121KB

MD5
9b82c81541d533e615e13003d5b0ab10

SHA1
7fd3920aee3ea0c704a389f07ea3b0eb76902b65

SHA256
ab3083cf2670c4c7b1bcffb8b514dc20087bcee3c854bfdfab1dd962d1abae7c

SHA512
67f94e93d4c8b5a9534e07b1491ccccfbfa22262319536876d9ac8461ed75f14f87fe57a8bd58584314594fadb156ee876cee3cd6cfd0edfe43548b4e1fb7ecb

Download Submit
\Windows\SysWOW64\ole.dll
Filesize
44KB

MD5
afe481b25a448f77f182132f282f8474

SHA1
738a01634561bf3b76b406c28edcf43aa339f027

SHA256
8eccdc609eb57be9a3031161c9c7a7b2943aa63c9781d5bb95613f70ff12a55d

SHA512
584e675bda63536fefbb5f09ff952d0a540908cbd0675abd4307db4c2d3e83a46a1a02847483c1ec9594bf0542bc958cf830481a52a5ddf90ea25ed855e28e4a

Download Submit
memory/324-56-0x0000000000000000-mapping.dmp

Download
memory/324-62-0x0000000074E00000-0x0000000074E70000-memory.dmp

Filesize
448KB

Download
memory/1560-55-0x0000000000000000-mapping.dmp

Download
memory/1964-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads