Analysis

  • max time kernel
    43s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2022 21:48

General

  • Target

    eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

  • Size

    60KB

  • MD5

    a3b3442a79850d25604f1bf4a2196270

  • SHA1

    f792cbb49ffc54f17cd03b6ebc53632d5c9a2687

  • SHA256

    eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358

  • SHA512

    a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d

  • SSDEEP

    768:6hVv6GhvqtcX7OFWGq2bkpJq4PPRwHdyDPOn/t24dFtf3mTNbYYZTutl1:6hVPvqd6Jq4PPRwHkO/MxTNLGP

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
    "C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "c:\windows\system32\bauff.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1576
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "c:\windows\system32\bauff.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Permissions Modification

1
T1222

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\bauff.exe
    Filesize

    60KB

    MD5

    a3b3442a79850d25604f1bf4a2196270

    SHA1

    f792cbb49ffc54f17cd03b6ebc53632d5c9a2687

    SHA256

    eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358

    SHA512

    a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d

  • memory/1576-56-0x0000000000000000-mapping.dmp
  • memory/1584-57-0x0000000000000000-mapping.dmp