12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312

General

Target

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
Size

60KB
MD5

166a8cec83c5e620cfe57290754a14b6
SHA1

302ad1ed3a3518db09a36e0093b9cd188d819874
SHA256

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312
SHA512

81f8046fbfdb190ebc0fded12fb4271074c811910dc82ec94d995485e6a39f76e6230ca598c14dff07c7e27da14c594f697c6f13bac7fca1b6015691bc5f07e8
SSDEEP

768:DOldkeuIiCinXTV99tcJ9ZzYeDpOGTIGzQEVET1PaK3YTcjZd3:D8uXHPcJ9Zz9d/MEVUld3

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 17 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	process
3944	icacls.exe
4688	icacls.exe
2164	icacls.exe
2860	icacls.exe
1736	takeown.exe
3888	icacls.exe
2376	takeown.exe
452	icacls.exe
4388	takeown.exe
1856	icacls.exe
2556	icacls.exe
5004	icacls.exe
1148	takeown.exe
4248	icacls.exe
1476	takeown.exe
1480	icacls.exe
3112	takeown.exe

Modifies file permissions 1 TTPs 17 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
452	icacls.exe
4388	takeown.exe
1856	icacls.exe
2860	icacls.exe
2556	icacls.exe
1476	takeown.exe
4688	icacls.exe
1736	takeown.exe
3888	icacls.exe
1480	icacls.exe
2376	takeown.exe
5004	icacls.exe
1148	takeown.exe
2164	icacls.exe
3112	takeown.exe
4248	icacls.exe
3944	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cscript.exe	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
File created	\??\c:\windows\SysWOW64\hedxy.exe	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
File opened for modification	\??\c:\windows\SysWOW64\hedxy.exe	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2376	takeown.exe
Token: SeTakeOwnershipPrivilege	4388	takeown.exe
Token: SeTakeOwnershipPrivilege	3112	takeown.exe
Token: SeTakeOwnershipPrivilege	1736	takeown.exe
Token: SeTakeOwnershipPrivilege	1148	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

pid process

3012 12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

pid	process
3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe

description	pid	process	target process
PID 3012 wrote to memory of 1476	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 1476	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 1476	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 452	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 452	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 452	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 2376	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 2376	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 2376	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 2164	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 2164	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 2164	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 4688	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 4688	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 4688	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 4388	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 4388	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 4388	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 1856	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 1856	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 1856	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 3944	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 3944	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 3944	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 3112	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 3112	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 3112	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 2556	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 2556	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 2556	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 2860	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 2860	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 2860	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 1736	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 1736	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 1736	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 3888	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 3888	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 3888	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 5004	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 5004	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 5004	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 1148	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 1148	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 1148	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	takeown.exe
PID 3012 wrote to memory of 1480	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 1480	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 1480	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 4248	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 4248	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe
PID 3012 wrote to memory of 4248	3012	12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe
"C:\Users\Admin\AppData\Local\Temp\12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "c:\windows\system32\hedxy.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1476

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "c:\windows\system32\hedxy.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:452

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4688

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2164

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3944

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1856

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2860

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2556

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3888

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5004

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4248

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\hedxy.exe
Filesize
60KB

MD5
166a8cec83c5e620cfe57290754a14b6

SHA1
302ad1ed3a3518db09a36e0093b9cd188d819874

SHA256
12570017db741b3541a0be8202c0f60339d7d57212c6870224fec2bf2aaf2312

SHA512
81f8046fbfdb190ebc0fded12fb4271074c811910dc82ec94d995485e6a39f76e6230ca598c14dff07c7e27da14c594f697c6f13bac7fca1b6015691bc5f07e8

Download Submit
memory/452-135-0x0000000000000000-mapping.dmp

Download
memory/1148-149-0x0000000000000000-mapping.dmp

Download
memory/1476-134-0x0000000000000000-mapping.dmp

Download
memory/1480-150-0x0000000000000000-mapping.dmp

Download
memory/1736-146-0x0000000000000000-mapping.dmp

Download
memory/1856-141-0x0000000000000000-mapping.dmp

Download
memory/2164-138-0x0000000000000000-mapping.dmp

Download
memory/2376-137-0x0000000000000000-mapping.dmp

Download
memory/2556-144-0x0000000000000000-mapping.dmp

Download
memory/2860-145-0x0000000000000000-mapping.dmp

Download
memory/3112-143-0x0000000000000000-mapping.dmp

Download
memory/3888-147-0x0000000000000000-mapping.dmp

Download
memory/3944-142-0x0000000000000000-mapping.dmp

Download
memory/4248-151-0x0000000000000000-mapping.dmp

Download
memory/4388-140-0x0000000000000000-mapping.dmp

Download
memory/4688-139-0x0000000000000000-mapping.dmp

Download
memory/5004-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads