eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358

General

Target

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
Size

60KB
MD5

a3b3442a79850d25604f1bf4a2196270
SHA1

f792cbb49ffc54f17cd03b6ebc53632d5c9a2687
SHA256

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358
SHA512

a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d
SSDEEP

768:6hVv6GhvqtcX7OFWGq2bkpJq4PPRwHdyDPOn/t24dFtf3mTNbYYZTutl1:6hVPvqd6Jq4PPRwHkO/MxTNLGP

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 17 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	process
4308	takeown.exe
5084	icacls.exe
1456	icacls.exe
4864	takeown.exe
4832	icacls.exe
2392	icacls.exe
1892	icacls.exe
1556	icacls.exe
2188	icacls.exe
3824	takeown.exe
1444	takeown.exe
3260	icacls.exe
432	icacls.exe
1972	icacls.exe
3524	icacls.exe
1776	takeown.exe
1984	takeown.exe

Modifies file permissions 1 TTPs 17 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
4308	takeown.exe
1556	icacls.exe
2188	icacls.exe
3824	takeown.exe
3524	icacls.exe
3260	icacls.exe
1776	takeown.exe
1972	icacls.exe
4864	takeown.exe
4832	icacls.exe
2392	icacls.exe
1444	takeown.exe
1892	icacls.exe
1456	icacls.exe
5084	icacls.exe
1984	takeown.exe
432	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\bauff.exe	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
File opened for modification	\??\c:\windows\SysWOW64\bauff.exe	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4308	takeown.exe
Token: SeTakeOwnershipPrivilege	1444	takeown.exe
Token: SeTakeOwnershipPrivilege	1776	takeown.exe
Token: SeTakeOwnershipPrivilege	1984	takeown.exe
Token: SeTakeOwnershipPrivilege	3824	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

pid process

3844 eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

pid	process
3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe

description	pid	process	target process
PID 3844 wrote to memory of 4864	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 4864	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 4864	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 4832	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 4832	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 4832	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 4308	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 4308	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 4308	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 2392	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 2392	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 2392	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 5084	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 5084	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 5084	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1444	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 1444	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 1444	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 3260	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 3260	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 3260	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1892	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1892	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1892	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1776	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 1776	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 1776	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 1556	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1556	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1556	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1456	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1456	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1456	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1984	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 1984	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 1984	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 432	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 432	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 432	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 2188	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 2188	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 2188	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 3824	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 3824	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 3824	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	takeown.exe
PID 3844 wrote to memory of 1972	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1972	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 1972	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 3524	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 3524	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe
PID 3844 wrote to memory of 3524	3844	eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe
"C:\Users\Admin\AppData\Local\Temp\eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "c:\windows\system32\bauff.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4864

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "c:\windows\system32\bauff.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4832

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5084

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2392

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1892

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3260

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1556

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1456

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:432

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2188

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1972

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\bauff.exe
Filesize
60KB

MD5
a3b3442a79850d25604f1bf4a2196270

SHA1
f792cbb49ffc54f17cd03b6ebc53632d5c9a2687

SHA256
eb92006fa90add0142e53a6ac44a53cf8e475c0914359542734319d9c8e4f358

SHA512
a5e4cd80c754361baac3d26210cf738cfe4e24b2a5256fe8ebb87c9b6027a742aabb40bc02be162fd12d8d1c975be50d6b7138073fed585127d8c2aba8fdac1d

Download Submit
memory/432-147-0x0000000000000000-mapping.dmp

Download
memory/1444-140-0x0000000000000000-mapping.dmp

Download
memory/1456-145-0x0000000000000000-mapping.dmp

Download
memory/1556-144-0x0000000000000000-mapping.dmp

Download
memory/1776-143-0x0000000000000000-mapping.dmp

Download
memory/1892-142-0x0000000000000000-mapping.dmp

Download
memory/1972-150-0x0000000000000000-mapping.dmp

Download
memory/1984-146-0x0000000000000000-mapping.dmp

Download
memory/2188-148-0x0000000000000000-mapping.dmp

Download
memory/2392-138-0x0000000000000000-mapping.dmp

Download
memory/3260-141-0x0000000000000000-mapping.dmp

Download
memory/3524-151-0x0000000000000000-mapping.dmp

Download
memory/3824-149-0x0000000000000000-mapping.dmp

Download
memory/4308-137-0x0000000000000000-mapping.dmp

Download
memory/4832-135-0x0000000000000000-mapping.dmp

Download
memory/4864-134-0x0000000000000000-mapping.dmp

Download
memory/5084-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads