Analysis
-
max time kernel
43s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
18-09-2022 22:44
Static task
static1
Behavioral task
behavioral1
Sample
d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
Resource
win7-20220812-en
General
-
Target
d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe
-
Size
96KB
-
MD5
641e9944b7ab5bdc073b0e5b6148b352
-
SHA1
81c69b50a126bb3de7ca4fe7a1c7a81bb792ca2b
-
SHA256
d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a
-
SHA512
1b069ae54f053cd7feb9f63c1fa9b1a307d644d74b42733632af72adae751e7a5e5aa66e43e7a0c154de1b39015020cd26dbf16d72ad582ef3ba1ef63a767c48
-
SSDEEP
1536:4es7yD0DAzhW0w4ZtgNxO9tMZMpbMqqJI7Jy2Z47gViGMru:4i0D+suZ3pbMqqJI7w7g+
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 1452 takeown.exe 1552 icacls.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1436 cmd.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 1436 cmd.exe 1436 cmd.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 1452 takeown.exe 1552 icacls.exe -
Drops file in System32 directory 4 IoCs
Processes:
d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exedescription ioc process File opened for modification C:\Windows\SysWOW64\imm32.dll.log d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe File created C:\Windows\SysWOW64\imm32.dll d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe File created C:\Windows\SysWOW64\ole.dll d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe File created C:\Windows\SysWOW64\imm32.dll.log d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exetakeown.exedescription pid process Token: SeDebugPrivilege 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe Token: SeTakeOwnershipPrivilege 1452 takeown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exepid process 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exedescription pid process target process PID 1388 wrote to memory of 1452 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe takeown.exe PID 1388 wrote to memory of 1452 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe takeown.exe PID 1388 wrote to memory of 1452 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe takeown.exe PID 1388 wrote to memory of 1452 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe takeown.exe PID 1388 wrote to memory of 1552 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe icacls.exe PID 1388 wrote to memory of 1552 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe icacls.exe PID 1388 wrote to memory of 1552 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe icacls.exe PID 1388 wrote to memory of 1552 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe icacls.exe PID 1388 wrote to memory of 1436 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe cmd.exe PID 1388 wrote to memory of 1436 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe cmd.exe PID 1388 wrote to memory of 1436 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe cmd.exe PID 1388 wrote to memory of 1436 1388 d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe"C:\Users\Admin\AppData\Local\Temp\d45b54dce496faffffe40165387793a32eb22e4db98392907c9f0104eb1b711a.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\takeown.exetakeown /F C:\Windows\system32\imm32.dll2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\system32\imm32.dll /grant administrators:f2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c:\del6c1dfd.bat2⤵
- Deletes itself
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\IMM32.DLLFilesize
121KB
MD56063acba9c094d5d4e41de7e10800e65
SHA19320c2cea76a3c57c327d51c93f7740302c05a3f
SHA256ce2a39caa0507d8d3e178541d7098105f25b99af952d85c2f3eec0293554c297
SHA512387b76e0fec40a6443459a528988edd2f9e154dc57db8690b5582140c0b79cc4234c1ee1877fa5862a60bcbdeaafbfd3efb0a2a29a543f6f5fdf42884844e1b0
-
C:\Windows\SysWOW64\ole.dllFilesize
64KB
MD5983e5d89abe63085c3a7af72cfae6923
SHA1efab8892f1c5745d2ec36bb89c515f1e4fa252a3
SHA256a3f434d128cd12067e0582fe71ae4811094a7d9fd639fd261b111a4a7dc3a72c
SHA512059fee274738ce40baedd7ee308cdb85794e442942245236a99b9ec158cfc6d41547aebd35e43f6d0941d883c5d610b65a1c9ba6efa10322e95e433c8abc08fe
-
\??\c:\del6c1dfd.batFilesize
270B
MD5f70bb36d9a4af5b07041f11b9be56bff
SHA1ff65137d2e6eef17d2e0845aedbba1f016f6ea9e
SHA256ee1ae7ab65972efad81196c459679d2e2cdeb2c9c094606a45a817b795d61189
SHA51249838e1dabb589cab2858baaeb2e04c4cff18e808db31e9b333568200127aa1600a5f652cc1fc6d252e29f77b8f99882bd1d9a3b9ea527fdedd98b1247b7df0b
-
\Windows\SysWOW64\imm32.dllFilesize
121KB
MD56063acba9c094d5d4e41de7e10800e65
SHA19320c2cea76a3c57c327d51c93f7740302c05a3f
SHA256ce2a39caa0507d8d3e178541d7098105f25b99af952d85c2f3eec0293554c297
SHA512387b76e0fec40a6443459a528988edd2f9e154dc57db8690b5582140c0b79cc4234c1ee1877fa5862a60bcbdeaafbfd3efb0a2a29a543f6f5fdf42884844e1b0
-
\Windows\SysWOW64\ole.dllFilesize
64KB
MD5983e5d89abe63085c3a7af72cfae6923
SHA1efab8892f1c5745d2ec36bb89c515f1e4fa252a3
SHA256a3f434d128cd12067e0582fe71ae4811094a7d9fd639fd261b111a4a7dc3a72c
SHA512059fee274738ce40baedd7ee308cdb85794e442942245236a99b9ec158cfc6d41547aebd35e43f6d0941d883c5d610b65a1c9ba6efa10322e95e433c8abc08fe
-
memory/1436-56-0x0000000000000000-mapping.dmp
-
memory/1436-62-0x00000000751B0000-0x0000000075220000-memory.dmpFilesize
448KB
-
memory/1452-54-0x0000000000000000-mapping.dmp
-
memory/1552-55-0x0000000000000000-mapping.dmp