Analysis

max time kernel: 43s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 21:48

Static task: static1
Behavioral task: behavioral1
Sample: eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
Resource: win7-20220901-en
General

Target: eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
Size: 60KB
MD5: a3b3442a79850d25604f1bf4a2196270
SHA1: f792cbb49ffc54f17cd03b6ebc53632d5c9a2687
SHA256: eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358
SHA512: a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d
SSDEEP: 768:6hVv6GhvqtcX7OFWGq2bkpJq4PPRwHdyDPOn/t24dFtf3mTNbYYZTutl1:6hVPvqd6Jq4PPRwHkO/MxTNLGP
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
Processes:
  pid   process
  1576  takeown.exe
  1584  icacls.exe

Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
  pid   process
  1576  takeown.exe
  1584  icacls.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                                process
  File created                  \??\c:\windows\SysWOW64\bauff.exe  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
  File opened for modification  \??\c:\windows\SysWOW64\bauff.exe  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                         pid   process                                                                   target process
  PID 1672 wrote to memory of 1576    1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe  takeown.exe
  PID 1672 wrote to memory of 1576    1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe  takeown.exe
  PID 1672 wrote to memory of 1576    1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe  takeown.exe
  PID 1672 wrote to memory of 1576    1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe  takeown.exe
  PID 1672 wrote to memory of 1584    1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe  icacls.exe
  PID 1672 wrote to memory of 1584    1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe  icacls.exe
  PID 1672 wrote to memory of 1584    1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe  icacls.exe
  PID 1672 wrote to memory of 1584    1672  eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe  icacls.exe
Processes

C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\takeown.exe (depth 2)
    Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\bauff.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\icacls.exe (depth 2)
    Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\bauff.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\??\c:\windows\SysWOW64\bauff.exe
  Filesize: 60KB
  MD5: a3b3442a79850d25604f1bf4a2196270
  SHA1: f792cbb49ffc54f17cd03b6ebc53632d5c9a2687
  SHA256: eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358
  SHA512: a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d

memory/1576-56-0x0000000000000000-mapping.dmp

memory/1584-57-0x0000000000000000-mapping.dmp