Analysis

  • max time kernel
    135s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2022 21:48

General

  • Target

    eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

  • Size

    60KB

  • MD5

    a3b3442a79850d25604f1bf4a2196270

  • SHA1

    f792cbb49ffc54f17cd03b6ebc53632d5c9a2687

  • SHA256

    eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358

  • SHA512

    a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d

  • SSDEEP

    768:6hVv6GhvqtcX7OFWGq2bkpJq4PPRwHdyDPOn/t24dFtf3mTNbYYZTutl1:6hVPvqd6Jq4PPRwHkO/MxTNLGP

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 17 IoCs
  • Modifies file permissions 1 TTPs 17 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
    "C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "c:\windows\system32\bauff.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4864
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "c:\windows\system32\bauff.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4832
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4308
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:5084
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2392
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1444
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1892
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3260
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1776
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1556
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1456
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1984
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:432
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2188
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:3824
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1972
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Permissions Modification

1
T1222

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\windows\SysWOW64\bauff.exe
    Filesize

    60KB

    MD5

    a3b3442a79850d25604f1bf4a2196270

    SHA1

    f792cbb49ffc54f17cd03b6ebc53632d5c9a2687

    SHA256

    eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358

    SHA512

    a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d

  • memory/432-147-0x0000000000000000-mapping.dmp
  • memory/1444-140-0x0000000000000000-mapping.dmp
  • memory/1456-145-0x0000000000000000-mapping.dmp
  • memory/1556-144-0x0000000000000000-mapping.dmp
  • memory/1776-143-0x0000000000000000-mapping.dmp
  • memory/1892-142-0x0000000000000000-mapping.dmp
  • memory/1972-150-0x0000000000000000-mapping.dmp
  • memory/1984-146-0x0000000000000000-mapping.dmp
  • memory/2188-148-0x0000000000000000-mapping.dmp
  • memory/2392-138-0x0000000000000000-mapping.dmp
  • memory/3260-141-0x0000000000000000-mapping.dmp
  • memory/3524-151-0x0000000000000000-mapping.dmp
  • memory/3824-149-0x0000000000000000-mapping.dmp
  • memory/4308-137-0x0000000000000000-mapping.dmp
  • memory/4832-135-0x0000000000000000-mapping.dmp
  • memory/4864-134-0x0000000000000000-mapping.dmp
  • memory/5084-139-0x0000000000000000-mapping.dmp