Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
04-10-2022 05:59
Static task
static1
Behavioral task
behavioral1
Sample
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
Resource
win7-20220812-en
General
-
Target
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
-
Size
72KB
-
MD5
52546e1127487e7974fd844aa5bd03f6
-
SHA1
b042d031ca45dc4ec791127a0ffd9d1e8df7e709
-
SHA256
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48
-
SHA512
448512f62770ae677e0bb8c1d78299648d76a069417f806d5e27531cdd1b8391b2d3152f0b886f590fc2edaf465eec1ea3b66c260302e9dc279cde8fab6e337a
-
SSDEEP
768:lZ3ekAd0mgBUJ0JtXxvoCjtpIh0xoXj8KIQBHkfOJRdLd5nOggSjyiPFu0/vHNML:lidhehRjwXjMW0aI3mxnkXtPe+qYQO
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid   process
904   takeown.exe
1916  icacls.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid   process
904   takeown.exe
1916  icacls.exe
-
Drops file in System32 directory 2 IoCs
Processes:
description                   ioc                           process
File created                  C:\Windows\SysWOW64\crod.exe  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
File opened for modification  C:\Windows\SysWOW64\crod.exe  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid  process
736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                       pid  process                                                                   target process
PID 736 wrote to memory of 904    736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe  takeown.exe
PID 736 wrote to memory of 904    736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe  takeown.exe
PID 736 wrote to memory of 904    736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe  takeown.exe
PID 736 wrote to memory of 904    736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe  takeown.exe
PID 736 wrote to memory of 1916   736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe  icacls.exe
PID 736 wrote to memory of 1916   736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe  icacls.exe
PID 736 wrote to memory of 1916   736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe  icacls.exe
PID 736 wrote to memory of 1916   736  02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe  icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48.exe"
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\crod.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
-
    C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\crod.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\crod.exe
Filesize
72KB
MD5
52546e1127487e7974fd844aa5bd03f6
SHA1
b042d031ca45dc4ec791127a0ffd9d1e8df7e709
SHA256
02fb5a71cc95ac3936883fd4578d83ecf8c56d5c735b9039e76a89937710ea48
SHA512
448512f62770ae677e0bb8c1d78299648d76a069417f806d5e27531cdd1b8391b2d3152f0b886f590fc2edaf465eec1ea3b66c260302e9dc279cde8fab6e337a
-
memory/736-56-0x0000000076201000-0x0000000076203000-memory.dmp
Filesize
8KB
-
memory/904-57-0x0000000000000000-mapping.dmp
-
memory/1916-59-0x0000000000000000-mapping.dmp