Analysis
- max time kernel: 34s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 21-10-2022 17:47
Static task
- static1
Behavioral task
- behavioral1
  Sample: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe
  Resource: win10v2004-20220812-en
General
- Target: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe
- Size: 48KB
- MD5: 10ee7cce9524e4d2720a32f8fea16010
- SHA1: d7e89b4db2324da4dec5d020946c2eb92484f4ba
- SHA256: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8
- SHA512: 4bf913bc1910dcceadb5471b63972303fe1d580bc2eb077ca221f31ddcf7fb6a448552021fe0142be7e3aa5ad631237a23a7bdc134980e275062a463e43fd268
- SSDEEP: 768:sy8oLLO1jQ4e0gIXVSJQ+Ma6wJsdt4ftfAtmGVC0LxZ76CTXh6:HFyH5+4w+tYA8GVFm6h6
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 1996), icacls.exe (PID 1928)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 1996), icacls.exe (PID 1928)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pexr = "c:\\windows\\system32\\jpyy.exe"
- Drops file in System32 directory (2 IoCs)
  Process: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe
  - File created: \??\c:\windows\SysWOW64\jpyy.exe
  - File opened for modification: \??\c:\windows\SysWOW64\jpyy.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe (PID 1872)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Process: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe (PID 1872)
  - PID 1872 wrote to memory of PID 1996 (takeown.exe), 4 events
  - PID 1872 wrote to memory of PID 1928 (icacls.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe (child process)
    Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\jpyy.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe (child process)
    Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\jpyy.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\windows\SysWOW64\jpyy.exe
  Filesize: 48KB
  MD5: 10ee7cce9524e4d2720a32f8fea16010
  SHA1: d7e89b4db2324da4dec5d020946c2eb92484f4ba
  SHA256: fc648ef36d04ec585120f3a6415edb7fab6a4a79d4865ee83088eaa172c0e0a8
  SHA512: 4bf913bc1910dcceadb5471b63972303fe1d580bc2eb077ca221f31ddcf7fb6a448552021fe0142be7e3aa5ad631237a23a7bdc134980e275062a463e43fd268
- memory/1928-57-0x0000000000000000-mapping.dmp
- memory/1996-56-0x0000000000000000-mapping.dmp