d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e

Analysis

max time kernel
167s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
Size

60KB
MD5

18abea593164d09b9d49d0ff04c4a9a0
SHA1

a2516bccaf00df69890f34f1561b3c03a1330ce3
SHA256

d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e
SHA512

0e100a4dcc678b5e112f3d6947485c67d0719cd297c39bd38793661af6d3f03fd05e72829a2aa68361cc243f52b3449d506073b8e9829d6465d3b29830930b6f
SSDEEP

768:EWTiDEeofg2LBs0s4ZxDx6x7rbeDPjga8mJ5ZQ5YfKloCoxTxExVx6xhcYl/x7Z6:EWTiclZpMhw7NDJU4FCTQ/cYl7b2

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 17 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
2172	takeown.exe
1808	takeown.exe
2724	icacls.exe
4868	icacls.exe
3800	icacls.exe
4464	icacls.exe
4232	icacls.exe
4004	icacls.exe
2644	icacls.exe
4164	takeown.exe
2892	takeown.exe
2204	icacls.exe
4956	icacls.exe
920	takeown.exe
4472	icacls.exe
2072	icacls.exe
2796	takeown.exe

Modifies file permissions 1 TTPs 17 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
920	takeown.exe
4868	icacls.exe
4472	icacls.exe
2644	icacls.exe
4164	takeown.exe
1808	takeown.exe
4004	icacls.exe
3800	icacls.exe
2724	icacls.exe
4464	icacls.exe
2892	takeown.exe
2796	takeown.exe
4956	icacls.exe
2172	takeown.exe
2072	icacls.exe
4232	icacls.exe
2204	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wscript.exe	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
File created	\??\c:\windows\SysWOW64\ajbo.exe	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
File opened for modification	\??\c:\windows\SysWOW64\ajbo.exe	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	920	takeown.exe
Token: SeTakeOwnershipPrivilege	2172	takeown.exe
Token: SeTakeOwnershipPrivilege	4164	takeown.exe
Token: SeTakeOwnershipPrivilege	2892	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe

pid process

472 d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe

pid	process
472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe

description	pid	process	target process
PID 472 wrote to memory of 2796	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 2796	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 2796	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 4956	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4956	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4956	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 920	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 920	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 920	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 4868	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4868	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4868	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4472	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4472	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4472	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2172	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 2172	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 2172	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 4004	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4004	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4004	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2644	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2644	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2644	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4164	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 4164	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 4164	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 3800	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 3800	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 3800	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2072	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2072	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2072	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 1808	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 1808	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 1808	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 2724	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2724	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2724	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4464	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4464	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4464	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2892	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 2892	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 2892	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	takeown.exe
PID 472 wrote to memory of 2204	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2204	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 2204	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4232	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4232	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe
PID 472 wrote to memory of 4232	472	d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe
"C:\Users\Admin\AppData\Local\Temp\d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:472
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "c:\windows\system32\ajbo.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2796
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "c:\windows\system32\ajbo.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4956
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4868
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4472
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2644
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4004
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3800
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2072
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1808
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2724
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4464
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4232
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\ajbo.exe

Filesize
60KB

MD5
18abea593164d09b9d49d0ff04c4a9a0

SHA1
a2516bccaf00df69890f34f1561b3c03a1330ce3

SHA256
d3c5e442c605f44440694eab07d8a1d11f59c1a004357ad683a535a4583da69e

SHA512
0e100a4dcc678b5e112f3d6947485c67d0719cd297c39bd38793661af6d3f03fd05e72829a2aa68361cc243f52b3449d506073b8e9829d6465d3b29830930b6f

Download Submit
memory/920-137-0x0000000000000000-mapping.dmp

Download
memory/1808-146-0x0000000000000000-mapping.dmp

Download
memory/2072-145-0x0000000000000000-mapping.dmp

Download
memory/2172-140-0x0000000000000000-mapping.dmp

Download
memory/2204-150-0x0000000000000000-mapping.dmp

Download
memory/2644-142-0x0000000000000000-mapping.dmp

Download
memory/2724-147-0x0000000000000000-mapping.dmp

Download
memory/2796-134-0x0000000000000000-mapping.dmp

Download
memory/2892-149-0x0000000000000000-mapping.dmp

Download
memory/3800-144-0x0000000000000000-mapping.dmp

Download
memory/4004-141-0x0000000000000000-mapping.dmp

Download
memory/4164-143-0x0000000000000000-mapping.dmp

Download
memory/4232-151-0x0000000000000000-mapping.dmp

Download
memory/4464-148-0x0000000000000000-mapping.dmp

Download
memory/4472-139-0x0000000000000000-mapping.dmp

Download
memory/4868-138-0x0000000000000000-mapping.dmp

Download
memory/4956-135-0x0000000000000000-mapping.dmp

Download