Analysis
-
max time kernel
48s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
06-11-2022 07:52
Static task
static1
Behavioral task
behavioral1
Sample
a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe
Resource
win10v2004-20220812-en
General
-
Target
a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe
-
Size
48KB
-
MD5
12493d8568e0e4718f1cb98b9c926630
-
SHA1
23e6dfb75a7be7e3c6dd1abcbf517e3cca1dc3b5
-
SHA256
a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb
-
SHA512
c1ffd90560134997c71098609827345e661ed908d410fc46924dc25c8751e2b5c518a33a0aba86d48855ea3691c0349b2473867d7433086264afa43629aeacf5
-
SSDEEP
768:zCIVwtym3OJt4vze9LfTUd+0yTXHa6a5+QEyTTbJXse:2I03OLuc0c0yb67WyPbRse
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 1748 takeown.exe 1464 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 1748 takeown.exe 1464 icacls.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gWNYQAI = "c:\\windows\\system32\\htys.exe" a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe -
Drops file in System32 directory 2 IoCs
Processes:
a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exedescription ioc process File created \??\c:\windows\SysWOW64\htys.exe a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe File opened for modification \??\c:\windows\SysWOW64\htys.exe a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exepid process 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exedescription pid process target process PID 1552 wrote to memory of 1748 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe takeown.exe PID 1552 wrote to memory of 1748 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe takeown.exe PID 1552 wrote to memory of 1748 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe takeown.exe PID 1552 wrote to memory of 1748 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe takeown.exe PID 1552 wrote to memory of 1464 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe icacls.exe PID 1552 wrote to memory of 1464 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe icacls.exe PID 1552 wrote to memory of 1464 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe icacls.exe PID 1552 wrote to memory of 1464 1552 a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe"C:\Users\Admin\AppData\Local\Temp\a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\takeown.exeC:\Windows\system32\takeown.exe /f "c:\windows\system32\htys.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1748 -
C:\Windows\SysWOW64\icacls.exeC:\Windows\system32\icacls.exe "c:\windows\system32\htys.exe" /grant Users:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1464
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\c:\windows\SysWOW64\htys.exeFilesize
48KB
MD512493d8568e0e4718f1cb98b9c926630
SHA123e6dfb75a7be7e3c6dd1abcbf517e3cca1dc3b5
SHA256a586779fe7825ac3963f700f56783163643cf1fdda13f081d36a813566a41acb
SHA512c1ffd90560134997c71098609827345e661ed908d410fc46924dc25c8751e2b5c518a33a0aba86d48855ea3691c0349b2473867d7433086264afa43629aeacf5
-
memory/1464-57-0x0000000000000000-mapping.dmp
-
memory/1748-56-0x0000000000000000-mapping.dmp