Analysis
- max time kernel: 150s
- max time network: 166s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-11-2022 07:29

Static task: static1
Behavioral task: behavioral1
Sample: d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
Resource: win7-20221111-en

General
- Target: d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
- Size: 60KB
- MD5: 1b42d2e302a7a4515d1a3e6f07f83731
- SHA1: 1eebd3649a421f2c3a7104f6335c9878c86f37e7
- SHA256: d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301
- SHA512: 899f1c221c01ad1a98071fe8f59be19dd1001e10046b9c41244a80b4ecbf2de9a240fb0adb17adc5090bf8e320f9937f8bc9844c32bf7f8134678652d3c4cdf2
- SSDEEP: 768:NYi/INlRKoWfh0EADKL6dxzhk7aSIUiC1ZPLG/xRi0IT8FI3CKqUxNZHs:ND/IN2h/U1AIUiC1Z6/Wx8QRqwjHs
Malware Config
Signatures
-
Possible privilege escalation attempt (17 IoCs)
Processes:
  pid   process
  2488  takeown.exe
  1596  icacls.exe
  3248  icacls.exe
  2128  icacls.exe
  2140  icacls.exe
  4136  icacls.exe
  2120  takeown.exe
  2284  icacls.exe
  648   takeown.exe
  3156  icacls.exe
  4844  takeown.exe
  3984  icacls.exe
  3996  takeown.exe
  4152  takeown.exe
  2312  icacls.exe
  5092  icacls.exe
  3276  icacls.exe
-
Modifies file permissions (1 TTP, 17 IoCs)
Processes:
  pid   process
  2488  takeown.exe
  2284  icacls.exe
  4136  icacls.exe
  3248  icacls.exe
  3276  icacls.exe
  2312  icacls.exe
  3984  icacls.exe
  2140  icacls.exe
  648   takeown.exe
  4152  takeown.exe
  4844  takeown.exe
  3996  takeown.exe
  5092  icacls.exe
  1596  icacls.exe
  3156  icacls.exe
  2120  takeown.exe
  2128  icacls.exe
-
Drops file in System32 directory (6 IoCs)
Processes (all by d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe):
  description                   ioc
  File opened for modification  \??\c:\windows\SysWOW64\cytub.exe
  File opened for modification  C:\Windows\SysWOW64\cmd.exe
  File opened for modification  C:\Windows\SysWOW64\ftp.exe
  File opened for modification  C:\Windows\SysWOW64\wscript.exe
  File opened for modification  C:\Windows\SysWOW64\cscript.exe
  File created                  \??\c:\windows\SysWOW64\cytub.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  4152  takeown.exe
  Token: SeTakeOwnershipPrivilege  4844  takeown.exe
  Token: SeTakeOwnershipPrivilege  3996  takeown.exe
  Token: SeTakeOwnershipPrivilege  648   takeown.exe
  Token: SeTakeOwnershipPrivilege  2120  takeown.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1348  d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
-
Suspicious use of WriteProcessMemory (51 IoCs)
Processes (source in every entry: PID 1348 d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe; each target below is recorded three times, giving 51 entries):
  description                       target pid  target process
  PID 1348 wrote to memory of 2488  2488        takeown.exe
  PID 1348 wrote to memory of 1596  1596        icacls.exe
  PID 1348 wrote to memory of 4152  4152        takeown.exe
  PID 1348 wrote to memory of 2312  2312        icacls.exe
  PID 1348 wrote to memory of 3156  3156        icacls.exe
  PID 1348 wrote to memory of 4844  4844        takeown.exe
  PID 1348 wrote to memory of 2140  2140        icacls.exe
  PID 1348 wrote to memory of 3984  3984        icacls.exe
  PID 1348 wrote to memory of 3996  3996        takeown.exe
  PID 1348 wrote to memory of 5092  5092        icacls.exe
  PID 1348 wrote to memory of 2284  2284        icacls.exe
  PID 1348 wrote to memory of 648   648         takeown.exe
  PID 1348 wrote to memory of 3248  3248        icacls.exe
  PID 1348 wrote to memory of 4136  4136        icacls.exe
  PID 1348 wrote to memory of 2120  2120        takeown.exe
  PID 1348 wrote to memory of 2128  2128        icacls.exe
  PID 1348 wrote to memory of 3276  3276        icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "c:\windows\system32\cytub.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "c:\windows\system32\cytub.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\takeown.exe
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\SysWOW64\icacls.exe
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \??\c:\windows\SysWOW64\cytub.exe
  Filesize: 60KB
  MD5: 1b42d2e302a7a4515d1a3e6f07f83731
  SHA1: 1eebd3649a421f2c3a7104f6335c9878c86f37e7
  SHA256: d0c2100d2adc7086ccaae6cd978893c61d1e3325722426fc691faef321629301
  SHA512: 899f1c221c01ad1a98071fe8f59be19dd1001e10046b9c41244a80b4ecbf2de9a240fb0adb17adc5090bf8e320f9937f8bc9844c32bf7f8134678652d3c4cdf2