12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
Size

60KB
MD5

166a8cec83c5e620cfe57290754a14b6
SHA1

302ad1ed3a3518db09a36e0093b9cd188d819874
SHA256

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312
SHA512

81f8046fbfdb190ebc0fded12fb4271074c811910dc82ec94d995485e6a39f76e6230ca598c14dff07c7e27da14c594f697c6f13bac7fca1b6015691bc5f07e8
SSDEEP

768:DOldkeuIiCinXTV99tcJ9ZzYeDpOGTIGzQEVET1PaK3YTcjZd3:D8uXHPcJ9Zz9d/MEVUld3

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1556 takeown.exe
1272 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1556 takeown.exe
1272 icacls.exe

pid	process
1556	takeown.exe
1272	icacls.exe

pid	process
1556	takeown.exe
1272	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\hedxy.exe	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
File opened for modification	\??\c:\windows\SysWOW64\hedxy.exe	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

pid process

1348 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

pid	process
1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

description	pid	process	target process
PID 1348 wrote to memory of 1556	1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 1348 wrote to memory of 1556	1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 1348 wrote to memory of 1556	1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 1348 wrote to memory of 1556	1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 1348 wrote to memory of 1272	1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 1348 wrote to memory of 1272	1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 1348 wrote to memory of 1272	1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 1348 wrote to memory of 1272	1348	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
"C:\Users\Admin\AppData\Local\Temp\12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "c:\windows\system32\hedxy.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "c:\windows\system32\hedxy.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1272

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\hedxy.exe
Filesize
60KB

MD5
166a8cec83c5e620cfe57290754a14b6

SHA1
302ad1ed3a3518db09a36e0093b9cd188d819874

SHA256
12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312

SHA512
81f8046fbfdb190ebc0fded12fb4271074c811910dc82ec94d995485e6a39f76e6230ca598c14dff07c7e27da14c594f697c6f13bac7fca1b6015691bc5f07e8

Download Submit
memory/1272-57-0x0000000000000000-mapping.dmp

Download
memory/1556-56-0x0000000000000000-mapping.dmp

Download