Analysis
- max time kernel: 36s
- max time network: 41s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 21-10-2022 19:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
- Resource: win7-20220812-en
General
- Target: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
- Size: 60KB
- MD5: 166a8cec83c5e620cfe57290754a14b6
- SHA1: 302ad1ed3a3518db09a36e0093b9cd188d819874
- SHA256: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312
- SHA512: 81f8046fbfdb190ebc0fded12fb4271074c811910dc82ec94d995485e6a39f76e6230ca598c14dff07c7e27da14c594f697c6f13bac7fca1b6015691bc5f07e8
- SSDEEP: 768:DOldkeuIiCinXTV99tcJ9ZzYeDpOGTIGzQEVET1PaK3YTcjZd3:D8uXHPcJ9Zz9d/MEVUld3
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (pid 1556), icacls.exe (pid 1272)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (pid 1556), icacls.exe (pid 1272)
- Drops file in System32 directory (2 IoCs)
  File created: \??\c:\windows\SysWOW64\hedxy.exe (process: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe)
  File opened for modification: \??\c:\windows\SysWOW64\hedxy.exe (process: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe (pid 1348)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1348 (12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe) wrote to memory of PID 1556 (takeown.exe): 4 events
  PID 1348 (12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe) wrote to memory of PID 1272 (icacls.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe (depth 1, pid 1348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe (depth 2, child of the sample, pid 1556)
    Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\hedxy.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe (depth 2, child of the sample, pid 1272)
    Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\hedxy.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\windows\SysWOW64\hedxy.exe
  Filesize: 60KB
  MD5: 166a8cec83c5e620cfe57290754a14b6
  SHA1: 302ad1ed3a3518db09a36e0093b9cd188d819874
  SHA256: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312
  SHA512: 81f8046fbfdb190ebc0fded12fb4271074c811910dc82ec94d995485e6a39f76e6230ca598c14dff07c7e27da14c594f697c6f13bac7fca1b6015691bc5f07e8
- memory/1272-57-0x0000000000000000-mapping.dmp
- memory/1556-56-0x0000000000000000-mapping.dmp