Analysis

  • max time kernel
    70s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2022 17:52

General

  • Target

    c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe

  • Size

    72KB

  • MD5

    81a13f9d7efa8f86332cb8f897df2a46

  • SHA1

    d0f11013eca20c750ae74456ed17fb2b010c5e23

  • SHA256

    c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf

  • SHA512

    189cc022b5bbd0548f2d76790ed7460c33b84a6806ca37609a4a38372a7dc9ade677ec1b154a90d64988e0e8176180310fe24f707fb3a79924be99ecbcfb822d

  • SSDEEP

    768:7h8akJlX0iPhUUqMtGUcwNttsvWTd9DO13rqMDs08PmXFwXxuFyQ/b11HzoN8Otx:7uaEvhUUFC3elPUCuFy+11cNXt47cL

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 34 IoCs
  • Modifies file permissions 1 TTPs 34 IoCs
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe
    "C:\Users\Admin\AppData\Local\Temp\c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\SysWOW64\takeown.exe
      C:\Windows\system32\takeown.exe /f "C:\Windows\system32\ngfs.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1628
    • C:\Windows\SysWOW64\icacls.exe
      C:\Windows\system32\icacls.exe "C:\Windows\system32\ngfs.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:5012
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\cmd.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2060
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:2832
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\cmd.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:3904
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1004
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\ftp.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3516
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\ftp.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3316
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\wscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4676
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1476
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\wscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2420
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3584
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\cscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4028
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4300
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\System32\cscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1668
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4288
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1280
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3432
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\cmd.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3364
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:4872
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\ftp.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:1040
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\ftp.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1900
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:4568
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3124
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:228
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\wscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:332
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:1328
    • C:\Windows\SysWOW64\takeown.exe
      takeown.exe /f "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      • Suspicious use of AdjustPrivilegeToken
      PID:2208
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "C:\Windows\SysWOW64\cscript.exe" /grant SYSTEM:F
      2⤵
      • Possible privilege escalation attempt
      • Modifies file permissions
      PID:3616

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

File Permissions Modification

1
T1222

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ngfs.exe
    Filesize

    72KB

    MD5

    81a13f9d7efa8f86332cb8f897df2a46

    SHA1

    d0f11013eca20c750ae74456ed17fb2b010c5e23

    SHA256

    c923ede30305d1521c18de24237df6d583cef2598c17a16c54f3605e0a7deeaf

    SHA512

    189cc022b5bbd0548f2d76790ed7460c33b84a6806ca37609a4a38372a7dc9ade677ec1b154a90d64988e0e8176180310fe24f707fb3a79924be99ecbcfb822d

  • memory/228-163-0x0000000000000000-mapping.dmp
  • memory/332-164-0x0000000000000000-mapping.dmp
  • memory/1004-140-0x0000000000000000-mapping.dmp
  • memory/1040-159-0x0000000000000000-mapping.dmp
  • memory/1236-143-0x0000000000000000-mapping.dmp
  • memory/1280-153-0x0000000000000000-mapping.dmp
  • memory/1328-166-0x0000000000000000-mapping.dmp
  • memory/1476-146-0x0000000000000000-mapping.dmp
  • memory/1628-134-0x0000000000000000-mapping.dmp
  • memory/1668-151-0x0000000000000000-mapping.dmp
  • memory/1700-155-0x0000000000000000-mapping.dmp
  • memory/1736-141-0x0000000000000000-mapping.dmp
  • memory/1900-160-0x0000000000000000-mapping.dmp
  • memory/2060-137-0x0000000000000000-mapping.dmp
  • memory/2160-165-0x0000000000000000-mapping.dmp
  • memory/2208-167-0x0000000000000000-mapping.dmp
  • memory/2420-147-0x0000000000000000-mapping.dmp
  • memory/2768-157-0x0000000000000000-mapping.dmp
  • memory/2832-138-0x0000000000000000-mapping.dmp
  • memory/3124-162-0x0000000000000000-mapping.dmp
  • memory/3316-144-0x0000000000000000-mapping.dmp
  • memory/3364-156-0x0000000000000000-mapping.dmp
  • memory/3432-154-0x0000000000000000-mapping.dmp
  • memory/3516-142-0x0000000000000000-mapping.dmp
  • memory/3584-148-0x0000000000000000-mapping.dmp
  • memory/3616-168-0x0000000000000000-mapping.dmp
  • memory/3904-139-0x0000000000000000-mapping.dmp
  • memory/4028-149-0x0000000000000000-mapping.dmp
  • memory/4288-152-0x0000000000000000-mapping.dmp
  • memory/4300-150-0x0000000000000000-mapping.dmp
  • memory/4568-161-0x0000000000000000-mapping.dmp
  • memory/4676-145-0x0000000000000000-mapping.dmp
  • memory/4872-158-0x0000000000000000-mapping.dmp
  • memory/5012-136-0x0000000000000000-mapping.dmp