Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
18-09-2022 22:44
Static task
static1
Behavioral task
behavioral1
Sample
bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
Resource
win7-20220812-en
General
-
Target
bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
-
Size
72KB
-
MD5
052e7172222c2841065c70522e16b826
-
SHA1
effe4fbb1334a8789b19ef13f751b85ba1dd0fe2
-
SHA256
bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434
-
SHA512
683be9af7cd91e591e6babc25abf621e66aca713c9218860eed2f47bfcab8be62909ebddb35a12176f02fb95a3f66dd623bde003bf804763870a750a2dbf80b6
-
SSDEEP
768:hKEI1ku7ai95/KIDDIm/liKT5jJ9C/RE8ICXFxiGXq1B:hKEI1k/gDDIm/li29eG8PAGXqH
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 3708 takeown.exe 4772 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 3708 takeown.exe 4772 icacls.exe -
Drops file in System32 directory 4 IoCs
Processes:
bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exedescription ioc process File created C:\Windows\SysWOW64\ole.dll bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe File created C:\Windows\SysWOW64\imm32.dll.log bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe File opened for modification C:\Windows\SysWOW64\imm32.dll.log bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe File created C:\Windows\SysWOW64\imm32.dll bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exepid process 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exetakeown.exedescription pid process Token: SeDebugPrivilege 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe Token: SeTakeOwnershipPrivilege 3708 takeown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exepid process 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exedescription pid process target process PID 4636 wrote to memory of 3708 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe takeown.exe PID 4636 wrote to memory of 3708 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe takeown.exe PID 4636 wrote to memory of 3708 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe takeown.exe PID 4636 wrote to memory of 4772 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe icacls.exe PID 4636 wrote to memory of 4772 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe icacls.exe PID 4636 wrote to memory of 4772 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe icacls.exe PID 4636 wrote to memory of 4920 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe cmd.exe PID 4636 wrote to memory of 4920 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe cmd.exe PID 4636 wrote to memory of 4920 4636 bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe"C:\Users\Admin\AppData\Local\Temp\bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\system32\imm32.dll2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\imm32.dll /grant administrators:f2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\dele568264.bat2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\c:\dele568264.batFilesize
271B
MD570f4c7a45c27ee50d3cca028fe9c3d60
SHA133925b836fb075a44883ccfaede403dee1d473da
SHA256708966135d117386eb42b90e18f400bfabad839beeaedaaae3e91cef383c3fce
SHA51223cef8d4507cc4d3234d6446cd7fa58e8d9020a074c03e531c382b25531e176fd86b0bd94728f819bcdf786c4354e7c61554d6541cc8fe3e2705f2bd2fc90109
-
memory/3708-132-0x0000000000000000-mapping.dmp
-
memory/4772-133-0x0000000000000000-mapping.dmp
-
memory/4920-134-0x0000000000000000-mapping.dmp