7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3

General

Target

7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe
Size

40KB
MD5

60974f99bd6bd301e9e109acbb7523b0
SHA1

8f1b6a8686476c1fe84248043380b1238d50f522
SHA256

7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3
SHA512

7bf960f0ac1064cd50540b6c482d8d7c5952e2fef19b93c6537ae19fbdd20b8f69fb697af39904565a702e1c5f128378e2946073a80188b458ec501711a943a0
SSDEEP

768:/zCmqaAlxkOmCsDGQc5nhq3tAVZ3ZJNP:/zb9Oyk7PP

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1704 icacls.exe
1240 takeown.exe
580 takeown.exe
684 icacls.exe
1776 icacls.exe
900 takeown.exe
1780 icacls.exe
2036 takeown.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid process

684 icacls.exe
1776 icacls.exe
900 takeown.exe
1780 icacls.exe
2036 takeown.exe
1704 icacls.exe
1240 takeown.exe
580 takeown.exe

pid	process
1704	icacls.exe
1240	takeown.exe
580	takeown.exe
684	icacls.exe
1776	icacls.exe
900	takeown.exe
1780	icacls.exe
2036	takeown.exe

pid	process
684	icacls.exe
1776	icacls.exe
900	takeown.exe
1780	icacls.exe
2036	takeown.exe
1704	icacls.exe
1240	takeown.exe
580	takeown.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2036	takeown.exe
Token: SeTakeOwnershipPrivilege	900	takeown.exe
Token: SeTakeOwnershipPrivilege	1240	takeown.exe
Token: SeTakeOwnershipPrivilege	580	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe

pid process

1416 7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe

pid	process
1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe

description	pid	process	target process
PID 1416 wrote to memory of 900	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 900	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 900	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 900	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 1780	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1780	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1780	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1780	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 2036	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 2036	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 2036	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 2036	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 1704	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1704	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1704	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1704	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1240	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 1240	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 1240	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 1240	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 684	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 684	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 684	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 684	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 580	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 580	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 580	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 580	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	takeown.exe
PID 1416 wrote to memory of 1776	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1776	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1776	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe
PID 1416 wrote to memory of 1776	1416	7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe
"C:\Users\Admin\AppData\Local\Temp\7ba272e46d744b719f3493417d14eba01f7f254d003a56ecb17b565169d22cf3.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1780

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1704

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:684

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1776

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-62-0x0000000000000000-mapping.dmp

Download
memory/684-61-0x0000000000000000-mapping.dmp

Download
memory/900-56-0x0000000000000000-mapping.dmp

Download
memory/1240-60-0x0000000000000000-mapping.dmp

Download
memory/1704-59-0x0000000000000000-mapping.dmp

Download
memory/1776-63-0x0000000000000000-mapping.dmp

Download
memory/1780-57-0x0000000000000000-mapping.dmp

Download
memory/2036-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing