39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
Size

68KB
MD5

09c9cc3ad2ce8533dc525922f59ba5f1
SHA1

287b44545e7e3c350f228959675a6499d6bf4a91
SHA256

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b
SHA512

fb33f8f5b80910485f726dfa90a2d3cc828bbaaf0b5269ce2669d3995bffa5c1c3fc23fde8b3a1f09d619805cb360fd9bd380f8775bfbae53ab0ba82c94a9e18
SSDEEP

768:tGv4faI/ytd7rUBTdHt+rfG6EJtbOrwcJzjIjIV/gBxHEcI9S9yoJ8q7jSpRNHYp:tGv4fa4b5Oc3awKkqGsXkA1OS4TEBO

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

988 takeown.exe
2032 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

988 takeown.exe
2032 icacls.exe

pid	process
988	takeown.exe
2032	icacls.exe

pid	process
988	takeown.exe
2032	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\bbvcb.exe	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
File opened for modification	C:\Windows\SysWOW64\bbvcb.exe	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

pid process

1056 39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

pid	process
1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

description	pid	process	target process
PID 1056 wrote to memory of 988	1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 1056 wrote to memory of 988	1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 1056 wrote to memory of 988	1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 1056 wrote to memory of 988	1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	takeown.exe
PID 1056 wrote to memory of 2032	1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 1056 wrote to memory of 2032	1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 1056 wrote to memory of 2032	1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe
PID 1056 wrote to memory of 2032	1056	39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
"C:\Users\Admin\AppData\Local\Temp\39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\bbvcb.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:988

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\bbvcb.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bbvcb.exe
Filesize
68KB

MD5
09c9cc3ad2ce8533dc525922f59ba5f1

SHA1
287b44545e7e3c350f228959675a6499d6bf4a91

SHA256
39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b

SHA512
fb33f8f5b80910485f726dfa90a2d3cc828bbaaf0b5269ce2669d3995bffa5c1c3fc23fde8b3a1f09d619805cb360fd9bd380f8775bfbae53ab0ba82c94a9e18

Download Submit
memory/988-57-0x0000000000000000-mapping.dmp

Download
memory/1056-56-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download