df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca

Analysis

max time kernel
47s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe
Size

40KB
MD5

70db830df85313404765c8f5c2504170
SHA1

2dce39fafb7499cf9b36be482e07e0c43ec1e0ba
SHA256

df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca
SHA512

25c979954d5440e38a042ca37108eb95a271d10a2a2521b8896dc552951242a07a1747de043e32d0b83ef741c383a1c070ea6f63effb6cf3424b6ba4086e2667
SSDEEP

768:/jz76laptRlWs3zHnH5MY4gxjYNu4v7ragNkzRE5hfFETec0uYNF:/jzTdlWAzHatgxjYM4v7ragNkuETec0j

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2008	takeown.exe
1868	icacls.exe
1676	takeown.exe
1636	icacls.exe
520	takeown.exe
832	icacls.exe
848	takeown.exe
1404	icacls.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1636	icacls.exe
520	takeown.exe
832	icacls.exe
848	takeown.exe
1404	icacls.exe
2008	takeown.exe
1868	icacls.exe
1676	takeown.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	520	takeown.exe
Token: SeTakeOwnershipPrivilege	848	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 2008	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	27
PID 960 wrote to memory of 2008	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	27
PID 960 wrote to memory of 2008	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	27
PID 960 wrote to memory of 2008	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	27
PID 960 wrote to memory of 1868	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	29
PID 960 wrote to memory of 1868	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	29
PID 960 wrote to memory of 1868	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	29
PID 960 wrote to memory of 1868	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	29
PID 960 wrote to memory of 1676	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	30
PID 960 wrote to memory of 1676	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	30
PID 960 wrote to memory of 1676	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	30
PID 960 wrote to memory of 1676	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	30
PID 960 wrote to memory of 1636	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	32
PID 960 wrote to memory of 1636	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	32
PID 960 wrote to memory of 1636	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	32
PID 960 wrote to memory of 1636	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	32
PID 960 wrote to memory of 520	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	34
PID 960 wrote to memory of 520	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	34
PID 960 wrote to memory of 520	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	34
PID 960 wrote to memory of 520	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	34
PID 960 wrote to memory of 832	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	36
PID 960 wrote to memory of 832	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	36
PID 960 wrote to memory of 832	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	36
PID 960 wrote to memory of 832	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	36
PID 960 wrote to memory of 848	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	37
PID 960 wrote to memory of 848	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	37
PID 960 wrote to memory of 848	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	37
PID 960 wrote to memory of 848	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	37
PID 960 wrote to memory of 1404	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	40
PID 960 wrote to memory of 1404	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	40
PID 960 wrote to memory of 1404	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	40
PID 960 wrote to memory of 1404	960	df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe	40

C:\Users\Admin\AppData\Local\Temp\df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe
"C:\Users\Admin\AppData\Local\Temp\df3e94bc12450741394dbc6eb4bdcadda010b3c595c42c39f5ff110772b003ca.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\System32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1868
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\System32\takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\System32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1636
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\System32\takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\System32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:832
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\System32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads