Analysis
max time kernel: 42s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 06-11-2022 09:13
Static task: static1
Behavioral task: behavioral1
Sample: 39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
Resource: win7-20220812-en
General
Target: 39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
Size: 68KB
MD5: 09c9cc3ad2ce8533dc525922f59ba5f1
SHA1: 287b44545e7e3c350f228959675a6499d6bf4a91
SHA256: 39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b
SHA512: fb33f8f5b80910485f726dfa90a2d3cc828bbaaf0b5269ce2669d3995bffa5c1c3fc23fde8b3a1f09d619805cb360fd9bd380f8775bfbae53ab0ba82c94a9e18
SSDEEP: 768:tGv4faI/ytd7rUBTdHt+rfG6EJtbOrwcJzjIjIV/gBxHEcI9S9yoJ8q7jSpRNHYp:tGv4fa4b5Oc3awKkqGsXkA1OS4TEBO
Malware Config
Signatures

Possible privilege escalation attempt (2 IoCs)
Processes:
  pid   process
  988   takeown.exe
  2032  icacls.exe

Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
  pid   process
  988   takeown.exe
  2032  icacls.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                            process
  File created                  C:\Windows\SysWOW64\bbvcb.exe  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
  File opened for modification  C:\Windows\SysWOW64\bbvcb.exe  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 1056 wrote to memory of 988    1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe  takeown.exe
  PID 1056 wrote to memory of 988    1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe  takeown.exe
  PID 1056 wrote to memory of 988    1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe  takeown.exe
  PID 1056 wrote to memory of 988    1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe  takeown.exe
  PID 1056 wrote to memory of 2032   1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe  icacls.exe
  PID 1056 wrote to memory of 2032   1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe  icacls.exe
  PID 1056 wrote to memory of 2032   1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe  icacls.exe
  PID 1056 wrote to memory of 2032   1056  39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe  icacls.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\bbvcb.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions

  [depth 2] C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\bbvcb.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\bbvcb.exe
Filesize: 68KB
MD5: 09c9cc3ad2ce8533dc525922f59ba5f1
SHA1: 287b44545e7e3c350f228959675a6499d6bf4a91
SHA256: 39aceb963760988635fcf227270bca696480b52c347cba8f1562abb71d84915b
SHA512: fb33f8f5b80910485f726dfa90a2d3cc828bbaaf0b5269ce2669d3995bffa5c1c3fc23fde8b3a1f09d619805cb360fd9bd380f8775bfbae53ab0ba82c94a9e18
(identical size and hashes to the submitted sample)

memory/988-57-0x0000000000000000-mapping.dmp

memory/1056-56-0x0000000075E31000-0x0000000075E33000-memory.dmp
Filesize: 8KB

memory/2032-59-0x0000000000000000-mapping.dmp