Analysis
- max time kernel: 108s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-10-2022 19:07
Static task: static1
Behavioral task: behavioral1
Sample: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
Resource: win7-20220812-en
General
- Target: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
- Size: 60KB
- MD5: 166a8cec83c5e620cfe57290754a14b6
- SHA1: 302ad1ed3a3518db09a36e0093b9cd188d819874
- SHA256: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312
- SHA512: 81f8046fbfdb190ebc0fded12fb4271074c811910dc82ec94d995485e6a39f76e6230ca598c14dff07c7e27da14c594f697c6f13bac7fca1b6015691bc5f07e8
- SSDEEP: 768:DOldkeuIiCinXTV99tcJ9ZzYeDpOGTIGzQEVET1PaK3YTcjZd3:D8uXHPcJ9Zz9d/MEVUld3
Malware Config
Signatures
- Possible privilege escalation attempt (17 IoCs)
  Processes (pid, process):
  3944 icacls.exe
  4688 icacls.exe
  2164 icacls.exe
  2860 icacls.exe
  1736 takeown.exe
  3888 icacls.exe
  2376 takeown.exe
  452 icacls.exe
  4388 takeown.exe
  1856 icacls.exe
  2556 icacls.exe
  5004 icacls.exe
  1148 takeown.exe
  4248 icacls.exe
  1476 takeown.exe
  1480 icacls.exe
  3112 takeown.exe
- Modifies file permissions (1 TTP, 17 IoCs)
  Processes (pid, process):
  452 icacls.exe
  4388 takeown.exe
  1856 icacls.exe
  2860 icacls.exe
  2556 icacls.exe
  1476 takeown.exe
  4688 icacls.exe
  1736 takeown.exe
  3888 icacls.exe
  1480 icacls.exe
  2376 takeown.exe
  5004 icacls.exe
  1148 takeown.exe
  2164 icacls.exe
  3112 takeown.exe
  4248 icacls.exe
  3944 icacls.exe
- Drops file in System32 directory (6 IoCs)
  Process: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe (description, ioc):
  File opened for modification C:\Windows\SysWOW64\cscript.exe
  File created \??\c:\windows\SysWOW64\hedxy.exe
  File opened for modification \??\c:\windows\SysWOW64\hedxy.exe
  File opened for modification C:\Windows\SysWOW64\cmd.exe
  File opened for modification C:\Windows\SysWOW64\ftp.exe
  File opened for modification C:\Windows\SysWOW64\wscript.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description, pid, process):
  Token: SeTakeOwnershipPrivilege 2376 takeown.exe
  Token: SeTakeOwnershipPrivilege 4388 takeown.exe
  Token: SeTakeOwnershipPrivilege 3112 takeown.exe
  Token: SeTakeOwnershipPrivilege 1736 takeown.exe
  Token: SeTakeOwnershipPrivilege 1148 takeown.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  3012 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
- Suspicious use of WriteProcessMemory (51 IoCs)
  Source process in every entry: PID 3012, 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe. Each target below is recorded three times in the report (17 targets, 51 IoCs).
  Target processes (pid, process):
  1476 takeown.exe
  452 icacls.exe
  2376 takeown.exe
  2164 icacls.exe
  4688 icacls.exe
  4388 takeown.exe
  1856 icacls.exe
  3944 icacls.exe
  3112 takeown.exe
  2556 icacls.exe
  2860 icacls.exe
  1736 takeown.exe
  3888 icacls.exe
  5004 icacls.exe
  1148 takeown.exe
  1480 icacls.exe
  4248 icacls.exe
Processes
Process tree (child processes are indented under their parent; each entry gives the image path, the command line, and the signatures it triggered). Note that the image paths are under SysWOW64 while the command lines reference system32: the sample is 32-bit (resource tag arch:x86), so WoW64 file-system redirection maps the system32 paths it passes to SysWOW64, which is why the dropped file appears as \??\c:\windows\SysWOW64\hedxy.exe above.
- C:\Users\Admin\AppData\Local\Temp\12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\hedxy.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\hedxy.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\windows\SysWOW64\hedxy.exe (same size and hashes as the submitted sample, i.e. the dropped file is a copy of the sample itself)
  Filesize: 60KB
  MD5: 166a8cec83c5e620cfe57290754a14b6
  SHA1: 302ad1ed3a3518db09a36e0093b9cd188d819874
  SHA256: 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312
  SHA512: 81f8046fbfdb190ebc0fded12fb4271074c811910dc82ec94d995485e6a39f76e6230ca598c14dff07c7e27da14c594f697c6f13bac7fca1b6015691bc5f07e8