d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301

General

Target

d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
Size

60KB
MD5

1b42d2e302a7a4515d1a3e6f07f83731
SHA1

1eebd3649a421f2c3a7104f6335c9878c86f37e7
SHA256

d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301
SHA512

899f1c221c01ad1a98071fe8f59be19dd1001e10046b9c41244a80b4ecbf2de9a240fb0adb17adc5090bf8e320f9937f8bc9844c32bf7f8134678652d3c4cdf2
SSDEEP

768:NYi/INlRKoWfh0EADKL6dxzhk7aSIUiC1ZPLG/xRi0IT8FI3CKqUxNZHs:ND/IN2h/U1AIUiC1Z6/Wx8QRqwjHs

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 17 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
2488	takeown.exe
1596	icacls.exe
3248	icacls.exe
2128	icacls.exe
2140	icacls.exe
4136	icacls.exe
2120	takeown.exe
2284	icacls.exe
648	takeown.exe
3156	icacls.exe
4844	takeown.exe
3984	icacls.exe
3996	takeown.exe
4152	takeown.exe
2312	icacls.exe
5092	icacls.exe
3276	icacls.exe

Modifies file permissions 1 TTPs 17 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
2488	takeown.exe
2284	icacls.exe
4136	icacls.exe
3248	icacls.exe
3276	icacls.exe
2312	icacls.exe
3984	icacls.exe
2140	icacls.exe
648	takeown.exe
4152	takeown.exe
4844	takeown.exe
3996	takeown.exe
5092	icacls.exe
1596	icacls.exe
3156	icacls.exe
2120	takeown.exe
2128	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe

description	ioc	process
File opened for modification	\??\c:\windows\SysWOW64\cytub.exe	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
File created	\??\c:\windows\SysWOW64\cytub.exe	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4152	takeown.exe
Token: SeTakeOwnershipPrivilege	4844	takeown.exe
Token: SeTakeOwnershipPrivilege	3996	takeown.exe
Token: SeTakeOwnershipPrivilege	648	takeown.exe
Token: SeTakeOwnershipPrivilege	2120	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe

pid process

1348 d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe

pid	process
1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe

description	pid	process	target process
PID 1348 wrote to memory of 2488	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 2488	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 2488	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 1596	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 1596	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 1596	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 4152	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 4152	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 4152	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 2312	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2312	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2312	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3156	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3156	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3156	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 4844	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 4844	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 4844	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 2140	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2140	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2140	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3984	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3984	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3984	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3996	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 3996	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 3996	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 5092	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 5092	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 5092	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2284	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2284	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2284	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 648	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 648	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 648	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 3248	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3248	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3248	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 4136	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 4136	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 4136	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2120	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 2120	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 2120	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	takeown.exe
PID 1348 wrote to memory of 2128	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2128	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 2128	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3276	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3276	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe
PID 1348 wrote to memory of 3276	1348	d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
"C:\Users\Admin\AppData\Local\Temp\d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "c:\windows\system32\cytub.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2488

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "c:\windows\system32\cytub.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1596

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2312

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3156

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3984

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2140

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2284

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5092

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4136

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3248

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3276

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\cytub.exe
Filesize
60KB

MD5
1b42d2e302a7a4515d1a3e6f07f83731

SHA1
1eebd3649a421f2c3a7104f6335c9878c86f37e7

SHA256
d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301

SHA512
899f1c221c01ad1a98071fe8f59be19dd1001e10046b9c41244a80b4ecbf2de9a240fb0adb17adc5090bf8e320f9937f8bc9844c32bf7f8134678652d3c4cdf2

Download Submit
memory/648-146-0x0000000000000000-mapping.dmp

Download
memory/1596-135-0x0000000000000000-mapping.dmp

Download
memory/2120-149-0x0000000000000000-mapping.dmp

Download
memory/2128-150-0x0000000000000000-mapping.dmp

Download
memory/2140-141-0x0000000000000000-mapping.dmp

Download
memory/2284-145-0x0000000000000000-mapping.dmp

Download
memory/2312-138-0x0000000000000000-mapping.dmp

Download
memory/2488-134-0x0000000000000000-mapping.dmp

Download
memory/3156-139-0x0000000000000000-mapping.dmp

Download
memory/3248-147-0x0000000000000000-mapping.dmp

Download
memory/3276-151-0x0000000000000000-mapping.dmp

Download
memory/3984-142-0x0000000000000000-mapping.dmp

Download
memory/3996-143-0x0000000000000000-mapping.dmp

Download
memory/4136-148-0x0000000000000000-mapping.dmp

Download
memory/4152-137-0x0000000000000000-mapping.dmp

Download
memory/4844-140-0x0000000000000000-mapping.dmp

Download
memory/5092-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads