bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
Size

72KB
MD5

052e7172222c2841065c70522e16b826
SHA1

effe4fbb1334a8789b19ef13f751b85ba1dd0fe2
SHA256

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434
SHA512

683be9af7cd91e591e6babc25abf621e66aca713c9218860eed2f47bfcab8be62909ebddb35a12176f02fb95a3f66dd623bde003bf804763870a750a2dbf80b6
SSDEEP

768:hKEI1ku7ai95/KIDDIm/liKT5jJ9C/RE8ICXFxiGXq1B:hKEI1k/gDDIm/li29eG8PAGXqH

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3708 takeown.exe
4772 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3708 takeown.exe
4772 icacls.exe

pid	process
3708	takeown.exe
4772	icacls.exe

pid	process
3708	takeown.exe
4772	icacls.exe

Drops file in System32 directory 4 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ole.dll	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
File created	C:\Windows\SysWOW64\imm32.dll.log	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll.log	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
File created	C:\Windows\SysWOW64\imm32.dll	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

pid	process
4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
Token: SeTakeOwnershipPrivilege	3708	takeown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

pid	process
4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe

description	pid	process	target process
PID 4636 wrote to memory of 3708	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	takeown.exe
PID 4636 wrote to memory of 3708	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	takeown.exe
PID 4636 wrote to memory of 3708	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	takeown.exe
PID 4636 wrote to memory of 4772	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	icacls.exe
PID 4636 wrote to memory of 4772	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	icacls.exe
PID 4636 wrote to memory of 4772	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	icacls.exe
PID 4636 wrote to memory of 4920	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	cmd.exe
PID 4636 wrote to memory of 4920	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	cmd.exe
PID 4636 wrote to memory of 4920	4636	bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe
"C:\Users\Admin\AppData\Local\Temp\bd1460158f28299155929a498c0bd31e592a0d51ce69d0d3b5df9693d6e96434.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dele568264.bat
2⤵
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\dele568264.bat
Filesize
271B

MD5
70f4c7a45c27ee50d3cca028fe9c3d60

SHA1
33925b836fb075a44883ccfaede403dee1d473da

SHA256
708966135d117386eb42b90e18f400bfabad839beeaedaaae3e91cef383c3fce

SHA512
23cef8d4507cc4d3234d6446cd7fa58e8d9020a074c03e531c382b25531e176fd86b0bd94728f819bcdf786c4354e7c61554d6541cc8fe3e2705f2bd2fc90109

Download Submit
memory/3708-132-0x0000000000000000-mapping.dmp

Download
memory/4772-133-0x0000000000000000-mapping.dmp

Download
memory/4920-134-0x0000000000000000-mapping.dmp

Download