Analysis
- max time kernel: 142s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-11-2022 09:49
Static task: static1
Behavioral task: behavioral1
- Sample: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe
- Resource: win10v2004-20220901-en
General
- Target: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe
- Size: 52KB
- MD5: 3b25ea812162be530e7f824533765a20
- SHA1: 68f5d8cbf8517b0f06468c9d0d6d585072fd69b5
- SHA256: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112
- SHA512: de7eb93de8e417e8f4de0143e60bd3be80ac75732166af72b9114119ab24ca4bb16d68d6c7f198d90fafe4e580a4b163be7aff70614f86eca20a01ef78b2e1e8
- SSDEEP: 768:y/5aFey0/zxNwYRx6Y9dgs9C1PnnD/nhcAZqWdXmCVuCKqP1p0zbX9o:45aYz/z3XxUD/zhqQpiz9o
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 4896), icacls.exe (PID 4928)
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe (PID 4896), icacls.exe (PID 4928)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe
  - Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TxkJffM = "c:\\windows\\system32\\glgip.exe"
- Drops file in System32 directory (2 IoCs)
  Process: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe
  - File created: \??\c:\windows\SysWOW64\glgip.exe
  - File opened for modification: \??\c:\windows\SysWOW64\glgip.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Process: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe (PID 4396)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Process: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe (PID 4396)
  - PID 4396 wrote to memory of PID 4896 (takeown.exe)
  - PID 4396 wrote to memory of PID 4896 (takeown.exe)
  - PID 4396 wrote to memory of PID 4896 (takeown.exe)
  - PID 4396 wrote to memory of PID 4928 (icacls.exe)
  - PID 4396 wrote to memory of PID 4928 (icacls.exe)
  - PID 4396 wrote to memory of PID 4928 (icacls.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\glgip.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\glgip.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\windows\SysWOW64\glgip.exe
  - Filesize: 52KB
  - MD5: 3b25ea812162be530e7f824533765a20
  - SHA1: 68f5d8cbf8517b0f06468c9d0d6d585072fd69b5
  - SHA256: 062bc64797be336ea88d6b177254c2f458a2145695da0bc7a099f11295e5f112
  - SHA512: de7eb93de8e417e8f4de0143e60bd3be80ac75732166af72b9114119ab24ca4bb16d68d6c7f198d90fafe4e580a4b163be7aff70614f86eca20a01ef78b2e1e8
- memory/4896-134-0x0000000000000000-mapping.dmp
- memory/4928-135-0x0000000000000000-mapping.dmp