Analysis
- max time kernel: 42s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-11-2022 07:19
- Static task: static1
- Behavioral task: behavioral1
- Sample: d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
- Resource: win7-20220812-en
General
- Target: d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
- Size: 60KB
- MD5: 18abea593164d09b9d49d0ff04c4a9a0
- SHA1: a2516bccaf00df69890f34f1561b3c03a1330ce3
- SHA256: d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e
- SHA512: 0e100a4dcc678b5e112f3d6947485c67d0719cd297c39bd38793661af6d3f03fd05e72829a2aa68361cc243f52b3449d506073b8e9829d6465d3b29830930b6f
- SSDEEP: 768:EWTiDEeofg2LBs0s4ZxDx6x7rbeDPjga8mJ5ZQ5YfKloCoxTxExVx6xhcYl/x7Z6:EWTiclZpMhw7NDJU4FCTQ/cYl7b2
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 900), icacls.exe (PID 1984)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 900), icacls.exe (PID 1984)
- Drops file in System32 directory (2 IoCs)
  File created: \??\c:\windows\SysWOW64\ajbo.exe by d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
  File opened for modification: \??\c:\windows\SysWOW64\ajbo.exe by d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe (PID 1884)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1884 (d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe) wrote to memory of PID 900 (takeown.exe), recorded 4 times
  PID 1884 (d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe) wrote to memory of PID 1984 (icacls.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe (PID 1884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe (PID 900)
    Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\ajbo.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe (PID 1984)
    Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\ajbo.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Enterprise v6
Downloads
- \??\c:\windows\SysWOW64\ajbo.exe
  Filesize: 60KB
  MD5: 18abea593164d09b9d49d0ff04c4a9a0
  SHA1: a2516bccaf00df69890f34f1561b3c03a1330ce3
  SHA256: d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e
  SHA512: 0e100a4dcc678b5e112f3d6947485c67d0719cd297c39bd38793661af6d3f03fd05e72829a2aa68361cc243f52b3449d506073b8e9829d6465d3b29830930b6f
- memory/900-56-0x0000000000000000-mapping.dmp
- memory/1984-57-0x0000000000000000-mapping.dmp