df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca

General

Target

df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe
Size

40KB
MD5

70db830df85313404765c8f5c2504170
SHA1

2dce39fafb7499cf9b36be482e07e0c43ec1e0ba
SHA256

df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca
SHA512

25c979954d5440e38a042ca37108eb95a271d10a2a2521b8896dc552951242a07a1747de043e32d0b83ef741c383a1c070ea6f63effb6cf3424b6ba4086e2667
SSDEEP

768:/jz76laptRlWs3zHnH5MY4gxjYNu4v7ragNkzRE5hfFETec0uYNF:/jzTdlWAzHatgxjYM4v7ragNkuETec0j

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

2008 takeown.exe
1868 icacls.exe
1676 takeown.exe
1636 icacls.exe
520 takeown.exe
832 icacls.exe
848 takeown.exe
1404 icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1636 icacls.exe
520 takeown.exe
832 icacls.exe
848 takeown.exe
1404 icacls.exe
2008 takeown.exe
1868 icacls.exe
1676 takeown.exe

pid	process
2008	takeown.exe
1868	icacls.exe
1676	takeown.exe
1636	icacls.exe
520	takeown.exe
832	icacls.exe
848	takeown.exe
1404	icacls.exe

pid	process
1636	icacls.exe
520	takeown.exe
832	icacls.exe
848	takeown.exe
1404	icacls.exe
2008	takeown.exe
1868	icacls.exe
1676	takeown.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	520	takeown.exe
Token: SeTakeOwnershipPrivilege	848	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe

pid process

960 df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe

pid	process
960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe

description	pid	process	target process
PID 960 wrote to memory of 2008	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 2008	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 2008	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 2008	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 1868	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1868	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1868	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1868	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1676	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 1676	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 1676	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 1676	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 1636	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1636	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1636	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1636	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 520	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 520	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 520	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 520	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 832	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 832	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 832	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 832	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 848	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 848	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 848	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 848	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	takeown.exe
PID 960 wrote to memory of 1404	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1404	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1404	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe
PID 960 wrote to memory of 1404	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe
"C:\Users\Admin\AppData\Local\Temp\df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1868

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1636

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:832

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1404

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/832-61-0x0000000000000000-mapping.dmp

Download
memory/848-62-0x0000000000000000-mapping.dmp

Download
memory/1404-63-0x0000000000000000-mapping.dmp

Download
memory/1636-59-0x0000000000000000-mapping.dmp

Download
memory/1676-58-0x0000000000000000-mapping.dmp

Download
memory/1868-57-0x0000000000000000-mapping.dmp

Download
memory/2008-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing