Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2022 23:54
Behavioral task: behavioral1
- Sample: 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
- Resource: win10v2004-20220812-en
General
- Target: 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
- Size: 533KB
- MD5: 7bf61ffb8689283b47945e1b97d79e7c
- SHA1: 77a92cd4b4fb008dcc4c047e0e4187510db71063
- SHA256: 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975
- SHA512: 562764d8c5f40019cc6cb59ace05df1fc17d48dc8579e6c54f368e86ca56b2675328963f2c81676982f73f51ce373e09150a91b9123e656e04902844c9888c6b
- SSDEEP: 12288:FljpVO8YksvQJ2T5u6li5qBEbKWwQIIazn5g/bkkb5gw9KizUc:lkksvQ8T06AUBWZwQb4O/bgizUc
Malware Config
Signatures
- ACProtect 1.3x - 1.4x DLL software (2 IoCs)
  Detects file using ACProtect software.
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\iki6B51.tmp | acprotect
    C:\Users\Admin\AppData\Local\Temp\iki6B51.tmp | acprotect
- Drops file in Drivers directory (4 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\system32\drivers\tcpip.copy | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
    File opened for modification | C:\Windows\system32\drivers\tcpipreset | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
    File created | C:\Windows\system32\drivers\tcpip.copy | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
    File created | C:\Windows\system32\drivers\tcpipreset | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
- Possible privilege escalation attempt (24 IoCs)
  Processes (pid process):
    740 icacls.exe, 4440 takeown.exe, 2960 icacls.exe, 240 icacls.exe, 3668 icacls.exe, 4092 icacls.exe,
    3292 takeown.exe, 3812 takeown.exe, 4168 icacls.exe, 1036 icacls.exe, 2136 icacls.exe, 228 takeown.exe,
    2876 takeown.exe, 2008 takeown.exe, 3388 icacls.exe, 2356 icacls.exe, 4364 icacls.exe, 4908 icacls.exe,
    4640 icacls.exe, 4012 icacls.exe, 3560 takeown.exe, 1504 icacls.exe, 3680 takeown.exe, 3716 icacls.exe
- UPX packed file (signature heading not captured on the page; inferred from the upx yara rule)
  Processes (resource | yara_rule):
    behavioral2/memory/1888-134-0x0000000000400000-0x0000000000526000-memory.dmp | upx
    behavioral2/memory/1888-168-0x0000000000400000-0x0000000000526000-memory.dmp | upx
    behavioral2/memory/1888-170-0x0000000000400000-0x0000000000526000-memory.dmp | upx
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid process):
    1888 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe (x2)
- Modifies file permissions (1 TTP, 24 IoCs)
  Processes (pid process):
    3560 takeown.exe, 3388 icacls.exe, 3716 icacls.exe, 4908 icacls.exe, 2136 icacls.exe, 4440 takeown.exe,
    4012 icacls.exe, 240 icacls.exe, 3668 icacls.exe, 1036 icacls.exe, 3292 takeown.exe, 3812 takeown.exe,
    228 takeown.exe, 4364 icacls.exe, 740 icacls.exe, 4640 icacls.exe, 1504 icacls.exe, 3680 takeown.exe,
    4092 icacls.exe, 2356 icacls.exe, 4168 icacls.exe, 2960 icacls.exe, 2876 takeown.exe, 2008 takeown.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Drops file in System32 directory (24 IoCs)
  Processes (description | ioc | process); process is 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe for every entry:
    File opened for modification | C:\Windows\System32\de-de\user32copy.dll.mui
    File opened for modification | C:\Windows\System32\es-es\user32copy.dll.mui
    File opened for modification | C:\Windows\System32\fr-fr\user32new.dll.mui
    File created | C:\Windows\System32\fr-fr\user32new.dll.mui
    File created | C:\Windows\System32\it-it\user32new.dll.mui
    File opened for modification | C:\Windows\System32\ja-jp\user32copy.dll.mui
    File created | C:\Windows\System32\ja-jp\user32new.dll.mui
    File opened for modification | C:\Windows\System32\fr-fr\user32copy.dll.mui
    File opened for modification | C:\Windows\System32\it-it\user32copy.dll.mui
    File opened for modification | C:\Windows\System32\it-it\user32new.dll.mui
    File created | C:\Windows\System32\ja-jp\user32copy.dll.mui
    File created | C:\Windows\System32\de-de\user32copy.dll.mui
    File opened for modification | C:\Windows\System32\en-us\user32copy.dll.mui
    File opened for modification | C:\Windows\System32\en-us\user32new.dll.mui
    File created | C:\Windows\System32\en-us\user32copy.dll.mui
    File created | C:\Windows\System32\es-es\user32copy.dll.mui
    File created | C:\Windows\System32\it-it\user32copy.dll.mui
    File opened for modification | C:\Windows\System32\de-de\user32new.dll.mui
    File created | C:\Windows\System32\de-de\user32new.dll.mui
    File created | C:\Windows\System32\en-us\user32new.dll.mui
    File opened for modification | C:\Windows\System32\es-es\user32new.dll.mui
    File created | C:\Windows\System32\es-es\user32new.dll.mui
    File created | C:\Windows\System32\fr-fr\user32copy.dll.mui
    File opened for modification | C:\Windows\System32\ja-jp\user32new.dll.mui
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\22a23325-f28f-4811-971e-7b2c5dcd890b.tmp | setup.exe
    File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221011015920.pma | setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid process):
    5000 msedge.exe (x2), 1472 msedge.exe (x2), 4088 identity_helper.exe (x2), 1156 msedge.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes (pid process):
    1472 msedge.exe (x7)
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description | pid | process):
    Token: SeTakeOwnershipPrivilege | 3292 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 3812 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 4440 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 228 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 3560 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 2876 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 3680 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 2008 | takeown.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid process):
    1472 msedge.exe (x3)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid process):
    1888 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | process | target process); each event is recorded twice in the report:
    PID 1888 wrote to memory of 8 | 1888 | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe | cmd.exe (x2)
    PID 1888 wrote to memory of 4748 | 1888 | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe | cmd.exe (x2)
    PID 8 wrote to memory of 3292 | 8 | cmd.exe | takeown.exe (x2)
    PID 1888 wrote to memory of 4856 | 1888 | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe | cmd.exe (x2)
    PID 8 wrote to memory of 2136 | 8 | cmd.exe | icacls.exe (x2)
    PID 4748 wrote to memory of 3812 | 4748 | cmd.exe | takeown.exe (x2)
    PID 1888 wrote to memory of 5052 | 1888 | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe | cmd.exe (x2)
    PID 4748 wrote to memory of 740 | 4748 | cmd.exe | icacls.exe (x2)
    PID 1888 wrote to memory of 4840 | 1888 | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe | cmd.exe (x2)
    PID 4856 wrote to memory of 4440 | 4856 | cmd.exe | takeown.exe (x2)
    PID 1888 wrote to memory of 2312 | 1888 | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe | cmd.exe (x2)
    PID 4748 wrote to memory of 4640 | 4748 | cmd.exe | icacls.exe (x2)
    PID 1888 wrote to memory of 5008 | 1888 | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe | cmd.exe (x2)
    PID 1888 wrote to memory of 4832 | 1888 | 008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe | cmd.exe (x2)
    PID 8 wrote to memory of 2960 | 8 | cmd.exe | icacls.exe (x2)
    PID 5052 wrote to memory of 228 | 5052 | cmd.exe | takeown.exe (x2)
    PID 4856 wrote to memory of 240 | 4856 | cmd.exe | icacls.exe (x2)
    PID 4856 wrote to memory of 4012 | 4856 | cmd.exe | icacls.exe (x2)
    PID 4840 wrote to memory of 3560 | 4840 | cmd.exe | takeown.exe (x2)
    PID 5052 wrote to memory of 1504 | 5052 | cmd.exe | icacls.exe (x2)
    PID 4832 wrote to memory of 2876 | 4832 | cmd.exe | takeown.exe (x2)
    PID 5008 wrote to memory of 2008 | 5008 | cmd.exe | takeown.exe (x2)
    PID 2312 wrote to memory of 3680 | 2312 | cmd.exe | takeown.exe (x2)
    PID 5052 wrote to memory of 3388 | 5052 | cmd.exe | icacls.exe (x2)
    PID 4840 wrote to memory of 3716 | 4840 | cmd.exe | icacls.exe (x2)
    PID 4832 wrote to memory of 3668 | 4832 | cmd.exe | icacls.exe (x2)
    PID 2312 wrote to memory of 4092 | 2312 | cmd.exe | icacls.exe (x2)
    PID 5008 wrote to memory of 4908 | 5008 | cmd.exe | icacls.exe (x2)
    PID 5008 wrote to memory of 4364 | 5008 | cmd.exe | icacls.exe (x2)
    PID 4840 wrote to memory of 2356 | 4840 | cmd.exe | icacls.exe (x2)
    PID 2312 wrote to memory of 4168 | 2312 | cmd.exe | icacls.exe (x2)
    PID 4832 wrote to memory of 1036 | 4832 | cmd.exe | icacls.exe (x2)
Processes (the number in parentheses is the depth in the process tree)
(1) C:\Users\Admin\AppData\Local\Temp\008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\008f6475441482398709a7b90e2858dff313aff6cf2bf2dd8029abb660904975.exe"
    - Drops file in Drivers directory
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  (2) C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f"
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset
        - Possible privilege escalation attempt
        - Modifies file permissions
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f
        - Possible privilege escalation attempt
        - Modifies file permissions
  (2) C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f"
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset
        - Possible privilege escalation attempt
        - Modifies file permissions
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f
        - Possible privilege escalation attempt
        - Modifies file permissions
  (2) C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f"
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset
        - Possible privilege escalation attempt
        - Modifies file permissions
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f
        - Possible privilege escalation attempt
        - Modifies file permissions
  (2) C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f"
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset
        - Possible privilege escalation attempt
        - Modifies file permissions
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f
        - Possible privilege escalation attempt
        - Modifies file permissions
  (2) C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f"
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset
        - Possible privilege escalation attempt
        - Modifies file permissions
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f
        - Possible privilege escalation attempt
        - Modifies file permissions
  (2) C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f"
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset
        - Possible privilege escalation attempt
        - Modifies file permissions
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f
        - Possible privilege escalation attempt
        - Modifies file permissions
  (2) C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: "C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f
        - Possible privilege escalation attempt
        - Modifies file permissions
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset
        - Possible privilege escalation attempt
        - Modifies file permissions
  (2) C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f"
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: "C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset
        - Possible privilege escalation attempt
        - Modifies file permissions
    (3) C:\Windows\system32\icacls.exe
        command line: "C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f
        - Possible privilege escalation attempt
        - Modifies file permissions
  (2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://half-open.com/
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffadafb46f8,0x7ffadafb4708,0x7ffadafb4718
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3192 /prefetch:8
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5068 /prefetch:8
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 /prefetch:8
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
      (4) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1f0,0x22c,0x7ff68c225460,0x7ff68c225470,0x7ff68c225480
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6272 /prefetch:8
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6536 /prefetch:8
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2508 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
    (3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,8936670600902571298,15733045109457885570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:8
(1) C:\Windows\System32\CompPkgSrv.exe
    command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\iki6B51.tmp
Filesize
172KB
MD5
685f1cbd4af30a1d0c25f252d399a666
SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
\??\pipe\LOCAL\crashpad_1472_UXGJGUYQEUUEECSL
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: this is the Edge crashpad handler's named pipe, and the four digests are those of zero-length input, meaning no pipe content was captured. They identify nothing and should not be used as indicators.
-
memory/8-136-0x0000000000000000-mapping.dmp
-
memory/228-151-0x0000000000000000-mapping.dmp
-
memory/240-152-0x0000000000000000-mapping.dmp
-
memory/384-197-0x0000000000000000-mapping.dmp
-
memory/740-143-0x0000000000000000-mapping.dmp
-
memory/1036-167-0x0000000000000000-mapping.dmp
-
memory/1156-206-0x0000000000000000-mapping.dmp
-
memory/1220-174-0x0000000000000000-mapping.dmp
-
memory/1240-196-0x0000000000000000-mapping.dmp
-
memory/1288-201-0x0000000000000000-mapping.dmp
-
memory/1472-169-0x0000000000000000-mapping.dmp
-
memory/1504-155-0x0000000000000000-mapping.dmp
-
memory/1532-194-0x0000000000000000-mapping.dmp
-
memory/1888-168-0x0000000000400000-0x0000000000526000-memory.dmp
Filesize
1.1MB
-
memory/1888-171-0x00000000022A0000-0x0000000002313000-memory.dmp
Filesize
460KB
-
memory/1888-170-0x0000000000400000-0x0000000000526000-memory.dmp
Filesize
1.1MB
-
memory/1888-135-0x00000000022A0000-0x0000000002313000-memory.dmp
Filesize
460KB
-
memory/1888-134-0x0000000000400000-0x0000000000526000-memory.dmp
Filesize
1.1MB
-
memory/2008-157-0x0000000000000000-mapping.dmp
-
memory/2136-140-0x0000000000000000-mapping.dmp
-
memory/2312-146-0x0000000000000000-mapping.dmp
-
memory/2312-188-0x0000000000000000-mapping.dmp
-
memory/2356-165-0x0000000000000000-mapping.dmp
-
memory/2468-203-0x0000000000000000-mapping.dmp
-
memory/2876-156-0x0000000000000000-mapping.dmp
-
memory/2960-150-0x0000000000000000-mapping.dmp
-
memory/3052-190-0x0000000000000000-mapping.dmp
-
memory/3052-205-0x0000000000000000-mapping.dmp
-
memory/3064-172-0x0000000000000000-mapping.dmp
-
memory/3292-138-0x0000000000000000-mapping.dmp
-
memory/3388-159-0x0000000000000000-mapping.dmp
-
memory/3500-182-0x0000000000000000-mapping.dmp
-
memory/3560-154-0x0000000000000000-mapping.dmp
-
memory/3592-198-0x0000000000000000-mapping.dmp
-
memory/3668-161-0x0000000000000000-mapping.dmp
-
memory/3668-184-0x0000000000000000-mapping.dmp
-
memory/3680-158-0x0000000000000000-mapping.dmp
-
memory/3716-160-0x0000000000000000-mapping.dmp
-
memory/3812-141-0x0000000000000000-mapping.dmp
-
memory/4004-178-0x0000000000000000-mapping.dmp
-
memory/4012-153-0x0000000000000000-mapping.dmp
-
memory/4088-199-0x0000000000000000-mapping.dmp
-
memory/4092-162-0x0000000000000000-mapping.dmp
-
memory/4168-166-0x0000000000000000-mapping.dmp
-
memory/4280-208-0x0000000000000000-mapping.dmp
-
memory/4364-164-0x0000000000000000-mapping.dmp
-
memory/4440-145-0x0000000000000000-mapping.dmp
-
memory/4640-147-0x0000000000000000-mapping.dmp
-
memory/4748-137-0x0000000000000000-mapping.dmp
-
memory/4804-180-0x0000000000000000-mapping.dmp
-
memory/4832-149-0x0000000000000000-mapping.dmp
-
memory/4840-144-0x0000000000000000-mapping.dmp
-
memory/4856-139-0x0000000000000000-mapping.dmp
-
memory/4908-163-0x0000000000000000-mapping.dmp
-
memory/5000-175-0x0000000000000000-mapping.dmp
-
memory/5008-148-0x0000000000000000-mapping.dmp
-
memory/5012-192-0x0000000000000000-mapping.dmp
-
memory/5052-142-0x0000000000000000-mapping.dmp
-
memory/5068-186-0x0000000000000000-mapping.dmp
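The Downloads and memory-dump listings above are the report's raw artifact records, and turning them into usable indicators takes two checks: discarding entries whose digests are those of empty content, and confirming that a dump's stated size matches the address range in its file name. The Python below is an added example, not part of the sandbox report; it parses an excerpt of those listings (embedded as constructed sample input, in the fused "Filesize"/"MD5" form in which the page's extraction renders them), flags empty-content artifacts, cross-checks memory dump sizes against their address ranges, and collects the process IDs that have dumps. All function and variable names are the example's own.

```python
import hashlib
import re

# Digests of zero bytes: an artifact carrying these had no captured content.
EMPTY_CONTENT = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]{32,128})$")
SIZE_LINE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB)$")
MEMDUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPDUMP = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-mapping\.dmp$")

# Constructed sample input: an excerpt of the report's listings, kept in the fused
# form ("...tmpFilesize", "MD5<hex>") in which the page's text extraction renders it.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\iki6B51.tmpFilesize
172KB
MD5685f1cbd4af30a1d0c25f252d399a666
SHA16a1b978f5e6150b88c8634146f1406ed97d2f134
SHA2560e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA5126555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
\??\pipe\LOCAL\crashpad_1472_UXGJGUYQEUUEECSLMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1888-168-0x0000000000400000-0x0000000000526000-memory.dmpFilesize
1.1MB
-
memory/1888-171-0x00000000022A0000-0x0000000002313000-memory.dmpFilesize
460KB
-
memory/228-151-0x0000000000000000-mapping.dmp
"""

def parse_records(text):
    # Split the listing on its "-" separators and return one dict per artifact.
    records = []
    for chunk in re.split(r"^-$", text.strip(), flags=re.MULTILINE):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        name, rest = lines[0], lines[1:]
        # The extractor glued the next field's label onto the artifact name; peel it off.
        if name.endswith("Filesize"):
            name = name[: -len("Filesize")]
        elif name.endswith("MD5"):
            name = name[: -len("MD5")]
            if rest:
                rest[0] = "MD5" + rest[0]  # the MD5 value sits alone on the next line
        rec = {"name": name, "size": None, "hashes": {}}
        for line in rest:
            if m := HASH_LINE.match(line):
                rec["hashes"][m.group(1)] = m.group(2).lower()
            elif m := SIZE_LINE.match(line):
                rec["size"] = m.group(1) + m.group(2)
        records.append(rec)
    return records

def is_empty_content(rec):
    # True when every digest recorded for the artifact is the digest of zero bytes.
    hashes = rec["hashes"]
    return bool(hashes) and all(EMPTY_CONTENT[alg] == d for alg, d in hashes.items())

def memory_region_size(name):
    # Byte length of the address range encoded in a memory.dmp name, else None.
    m = MEMDUMP.match(name)
    return int(m.group(3), 16) - int(m.group(2), 16) if m else None

def size_consistent(rec, tolerance=0.1):
    # Compare a dump's stated Filesize with its address range; None when not applicable.
    computed = memory_region_size(rec["name"])
    if computed is None or rec["size"] is None:
        return None
    value, unit = SIZE_LINE.match(rec["size"]).groups()
    stated = float(value) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[unit]
    return abs(computed - stated) / computed <= tolerance

def pids_with_dumps(records):
    # Process IDs that have at least one memory or mapping dump.
    return {int(m.group(1)) for r in records
            if (m := MEMDUMP.match(r["name"]) or MAPDUMP.match(r["name"]))}

def usable_iocs(records):
    # File artifacts with real content: the hashes worth putting on a blocklist.
    return [r for r in records if r["hashes"] and not is_empty_content(r)]

if __name__ == "__main__":
    for r in parse_records(REPORT_EXCERPT):
        print(r["name"], "EMPTY" if is_empty_content(r) else "", size_consistent(r))
```

The empty-content digests are computed with hashlib rather than hard-coded, so the check does not depend on remembering the well-known constants; the size tolerance allows for the one-decimal rounding the report applies to "1.1MB".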