Overview

overview

8

Static

static

c0113ec2f5...99.exe

windows7-x64

8

c0113ec2f5...99.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    154s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2022 16:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0113ec2f55feb9f2972be3ad76f75f2fc8bcdd0e4085509f9420f5dff38ba99.exe

  • Size

    60KB

  • MD5

    6d9d1b713010f998d8ad0627c7eb4680

  • SHA1

    a4cf355a7dd9f37ba98dcf18b6672d75794a2cce

  • SHA256

    c0113ec2f55feb9f2972be3ad76f75f2fc8bcdd0e4085509f9420f5dff38ba99

  • SHA512

    b58a56ea2d5addc79f237b5cc319d468f7878d8f90032400d126c517b1454abcfd54601339486e3fbff30973cca87d5dda92749257ebb596d2da38da15ee6457

  • SSDEEP

    768:HoCjNyULSOTuYRFMGXGlS/F6S8qKGZLb47J1bH86wQ6wsZn1iu37rwIgg4eAuZ3o:HoiiMpGlFqKGZLb4FxLw7CIr4eA23o

Score
8/10
discoveryexploit

Malware Config

Signatures

  • Possible privilege escalation attempt 20 IoCs
    exploit
  • Modifies file permissions 1 TTPs 20 IoCs
    discovery
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0113ec2f55feb9f2972be3ad76f75f2fc8bcdd0e4085509f9420f5dff38ba99.exe
    "C:\Users\Admin\AppData\Local\Temp\c0113ec2f55feb9f2972be3ad76f75f2fc8bcdd0e4085509f9420f5dff38ba99.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "c:\windows\system32\ezasb.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4412
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "c:\windows\system32\ezasb.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:876
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1276
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4376
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4868
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4680
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4644
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3908
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1596
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:3500
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3640
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2176
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2256
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2212
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:3876
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4616
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\ezasb.exe
    Filesize

    60KB

    MD5

    6d9d1b713010f998d8ad0627c7eb4680

    SHA1

    a4cf355a7dd9f37ba98dcf18b6672d75794a2cce

    SHA256

    c0113ec2f55feb9f2972be3ad76f75f2fc8bcdd0e4085509f9420f5dff38ba99

    SHA512

    b58a56ea2d5addc79f237b5cc319d468f7878d8f90032400d126c517b1454abcfd54601339486e3fbff30973cca87d5dda92749257ebb596d2da38da15ee6457

    Download Submit
  • memory/876-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1012-149-0x0000000000000000-mapping.dmp
    Download
  • memory/1276-139-0x0000000000000000-mapping.dmp
    Download
  • memory/1344-143-0x0000000000000000-mapping.dmp
    Download
  • memory/1596-144-0x0000000000000000-mapping.dmp
    Download
  • memory/2176-148-0x0000000000000000-mapping.dmp
    Download
  • memory/2212-150-0x0000000000000000-mapping.dmp
    Download
  • memory/2256-151-0x0000000000000000-mapping.dmp
    Download
  • memory/2620-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3500-146-0x0000000000000000-mapping.dmp
    Download
  • memory/3640-147-0x0000000000000000-mapping.dmp
    Download
  • memory/3712-154-0x0000000000000000-mapping.dmp
    Download
  • memory/3876-152-0x0000000000000000-mapping.dmp
    Download
  • memory/3908-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4376-138-0x0000000000000000-mapping.dmp
    Download
  • memory/4412-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4616-153-0x0000000000000000-mapping.dmp
    Download
  • memory/4644-142-0x0000000000000000-mapping.dmp
    Download
  • memory/4680-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4868-140-0x0000000000000000-mapping.dmp
    Download