d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a

General

Target

d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
Size

96KB
MD5

641e9944b7ab5bdc073b0e5b6148b352
SHA1

81c69b50a126bb3de7ca4fe7a1c7a81bb792ca2b
SHA256

d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a
SHA512

1b069ae54f053cd7feb9f63c1fa9b1a307d644d74b42733632af72adae751e7a5e5aa66e43e7a0c154de1b39015020cd26dbf16d72ad582ef3ba1ef63a767c48
SSDEEP

1536:4es7yD0DAzhW0w4ZtgNxO9tMZMpbMqqJI7Jy2Z47gViGMru:4i0D+suZ3pbMqqJI7w7g+

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1452 takeown.exe
1552 icacls.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1436 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1436 cmd.exe
1436 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1452 takeown.exe
1552 icacls.exe

pid	process
1452	takeown.exe
1552	icacls.exe

pid	process
1436	cmd.exe

pid	process
1436	cmd.exe
1436	cmd.exe

pid	process
1452	takeown.exe
1552	icacls.exe

Drops file in System32 directory 4 IoCs

Processes:

d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\imm32.dll.log	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
File created	C:\Windows\SysWOW64\imm32.dll	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
File created	C:\Windows\SysWOW64\ole.dll	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
File created	C:\Windows\SysWOW64\imm32.dll.log	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
Token: SeTakeOwnershipPrivilege	1452	takeown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe

pid	process
1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe

description	pid	process	target process
PID 1388 wrote to memory of 1452	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	takeown.exe
PID 1388 wrote to memory of 1452	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	takeown.exe
PID 1388 wrote to memory of 1452	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	takeown.exe
PID 1388 wrote to memory of 1452	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	takeown.exe
PID 1388 wrote to memory of 1552	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	icacls.exe
PID 1388 wrote to memory of 1552	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	icacls.exe
PID 1388 wrote to memory of 1552	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	icacls.exe
PID 1388 wrote to memory of 1552	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	icacls.exe
PID 1388 wrote to memory of 1436	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	cmd.exe
PID 1388 wrote to memory of 1436	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	cmd.exe
PID 1388 wrote to memory of 1436	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	cmd.exe
PID 1388 wrote to memory of 1436	1388	d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
"C:\Users\Admin\AppData\Local\Temp\d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\del6c1dfd.bat
2⤵
- Deletes itself
- Loads dropped DLL
PID:1436

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\IMM32.DLL
Filesize
121KB

MD5
6063acba9c094d5d4e41de7e10800e65

SHA1
9320c2cea76a3c57c327d51c93f7740302c05a3f

SHA256
ce2a39caa0507d8d3e178541d7098105f25b99af952d85c2f3eec0293554c297

SHA512
387b76e0fec40a6443459a528988edd2f9e154dc57db8690b5582140c0b79cc4234c1ee1877fa5862a60bcbdeaafbfd3efb0a2a29a543f6f5fdf42884844e1b0

Download Submit
C:\Windows\SysWOW64\ole.dll
Filesize
64KB

MD5
983e5d89abe63085c3a7af72cfae6923

SHA1
efab8892f1c5745d2ec36bb89c515f1e4fa252a3

SHA256
a3f434d128cd12067e0582fe71ae4811094a7d9fd639fd261b111a4a7dc3a72c

SHA512
059fee274738ce40baedd7ee308cdb85794e442942245236a99b9ec158cfc6d41547aebd35e43f6d0941d883c5d610b65a1c9ba6efa10322e95e433c8abc08fe

Download Submit
\??\c:\del6c1dfd.bat
Filesize
270B

MD5
f70bb36d9a4af5b07041f11b9be56bff

SHA1
ff65137d2e6eef17d2e0845aedbba1f016f6ea9e

SHA256
ee1ae7ab65972efad81196c459679d2e2cdeb2c9c094606a45a817b795d61189

SHA512
49838e1dabb589cab2858baaeb2e04c4cff18e808db31e9b333568200127aa1600a5f652cc1fc6d252e29f77b8f99882bd1d9a3b9ea527fdedd98b1247b7df0b

Download Submit
\Windows\SysWOW64\imm32.dll
Filesize
121KB

MD5
6063acba9c094d5d4e41de7e10800e65

SHA1
9320c2cea76a3c57c327d51c93f7740302c05a3f

SHA256
ce2a39caa0507d8d3e178541d7098105f25b99af952d85c2f3eec0293554c297

SHA512
387b76e0fec40a6443459a528988edd2f9e154dc57db8690b5582140c0b79cc4234c1ee1877fa5862a60bcbdeaafbfd3efb0a2a29a543f6f5fdf42884844e1b0

Download Submit
\Windows\SysWOW64\ole.dll
Filesize
64KB

MD5
983e5d89abe63085c3a7af72cfae6923

SHA1
efab8892f1c5745d2ec36bb89c515f1e4fa252a3

SHA256
a3f434d128cd12067e0582fe71ae4811094a7d9fd639fd261b111a4a7dc3a72c

SHA512
059fee274738ce40baedd7ee308cdb85794e442942245236a99b9ec158cfc6d41547aebd35e43f6d0941d883c5d610b65a1c9ba6efa10322e95e433c8abc08fe

Download Submit
memory/1436-56-0x0000000000000000-mapping.dmp

Download
memory/1436-62-0x00000000751B0000-0x0000000075220000-memory.dmp

Filesize
448KB

Download
memory/1452-54-0x0000000000000000-mapping.dmp

Download
memory/1552-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads