eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
Size

60KB
MD5

a3b3442a79850d25604f1bf4a2196270
SHA1

f792cbb49ffc54f17cd03b6ebc53632d5c9a2687
SHA256

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358
SHA512

a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d
SSDEEP

768:6hVv6GhvqtcX7OFWGq2bkpJq4PPRwHdyDPOn/t24dFtf3mTNbYYZTutl1:6hVPvqd6Jq4PPRwHkO/MxTNLGP

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1576 takeown.exe
1584 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1576 takeown.exe
1584 icacls.exe

pid	process
1576	takeown.exe
1584	icacls.exe

pid	process
1576	takeown.exe
1584	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\bauff.exe	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
File opened for modification	\??\c:\windows\SysWOW64\bauff.exe	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

pid process

1672 eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

pid	process
1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

description	pid	process	target process
PID 1672 wrote to memory of 1576	1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 1672 wrote to memory of 1576	1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 1672 wrote to memory of 1576	1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 1672 wrote to memory of 1576	1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 1672 wrote to memory of 1584	1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 1672 wrote to memory of 1584	1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 1672 wrote to memory of 1584	1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 1672 wrote to memory of 1584	1672	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
"C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "c:\windows\system32\bauff.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1576

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "c:\windows\system32\bauff.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\bauff.exe
Filesize
60KB

MD5
a3b3442a79850d25604f1bf4a2196270

SHA1
f792cbb49ffc54f17cd03b6ebc53632d5c9a2687

SHA256
eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358

SHA512
a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d

Download Submit
memory/1576-56-0x0000000000000000-mapping.dmp

Download
memory/1584-57-0x0000000000000000-mapping.dmp

Download