3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d

General

Target

3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe
Size

60KB
MD5

32bc0de29c2dc883d3975d64cc173420
SHA1

11ed5a99aba0928280212df3a9e4fceaef3823ed
SHA256

3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d
SHA512

1b8509548c2304062c8fb343412d2d1734f2625546d6121645cad373614c6caffff6fb20210226925b64eecb0e918d2e3fea8347f2940bf1e7d87a06bdf72e48
SSDEEP

768:rHp60gHRLEzcyjzVFSAdSq6frf5hrSvwEkaKZj4X0BYKBIl2A21bICZo4:rH6xv6xds5hrNsKSUlo4

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 20 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
4584	icacls.exe
372	icacls.exe
4616	takeown.exe
3344	icacls.exe
856	takeown.exe
4948	icacls.exe
2968	icacls.exe
4824	icacls.exe
4264	icacls.exe
3628	icacls.exe
4272	takeown.exe
4364	icacls.exe
4840	takeown.exe
444	icacls.exe
3556	takeown.exe
2028	takeown.exe
4992	takeown.exe
4080	icacls.exe
4240	icacls.exe
4324	icacls.exe

Modifies file permissions 1 TTPs 20 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
4992	takeown.exe
4364	icacls.exe
4324	icacls.exe
2968	icacls.exe
4616	takeown.exe
3556	takeown.exe
2028	takeown.exe
372	icacls.exe
3628	icacls.exe
4948	icacls.exe
4584	icacls.exe
444	icacls.exe
4272	takeown.exe
856	takeown.exe
4840	takeown.exe
4080	icacls.exe
4240	icacls.exe
4824	icacls.exe
3344	icacls.exe
4264	icacls.exe

Drops file in System32 directory 6 IoCs

Processes:

3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\mexw.exe	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe
File opened for modification	\??\c:\windows\SysWOW64\mexw.exe	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe
File opened for modification	C:\Windows\SysWOW64\cmd.exe	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe
File opened for modification	C:\Windows\SysWOW64\ftp.exe	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe
File opened for modification	C:\Windows\SysWOW64\wscript.exe	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe
File opened for modification	C:\Windows\SysWOW64\cscript.exe	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4840	takeown.exe
Token: SeTakeOwnershipPrivilege	2028	takeown.exe
Token: SeTakeOwnershipPrivilege	4616	takeown.exe
Token: SeTakeOwnershipPrivilege	4272	takeown.exe
Token: SeTakeOwnershipPrivilege	856	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe

pid process

4328 3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe

pid	process
4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe

description	pid	process	target process
PID 4328 wrote to memory of 4992	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4992	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4992	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4364	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4364	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4364	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4840	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4840	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4840	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 444	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 444	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 444	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4080	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4080	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4080	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 3556	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 3556	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 3556	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4324	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4324	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4324	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4240	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4240	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4240	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 2028	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 2028	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 2028	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 372	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 372	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 372	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 2968	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 2968	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 2968	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4616	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4616	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4616	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4824	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4824	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4824	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 3344	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 3344	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 3344	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4272	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4272	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4272	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4264	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4264	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4264	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 3628	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 3628	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 3628	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 856	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 856	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 856	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	takeown.exe
PID 4328 wrote to memory of 4948	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4948	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4948	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4584	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4584	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe
PID 4328 wrote to memory of 4584	4328	3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe
"C:\Users\Admin\AppData\Local\Temp\3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "c:\windows\system32\mexw.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4992

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "c:\windows\system32\mexw.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4364

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:444

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4080

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3556

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4240

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cmd.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4324

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:372

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2968

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4824

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3344

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4264

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3628

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4948

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\mexw.exe
Filesize
60KB

MD5
32bc0de29c2dc883d3975d64cc173420

SHA1
11ed5a99aba0928280212df3a9e4fceaef3823ed

SHA256
3cdc45cc58371789945cbd741ba2ae18bee3847c8523cc4943b650d3e53d2c1d

SHA512
1b8509548c2304062c8fb343412d2d1734f2625546d6121645cad373614c6caffff6fb20210226925b64eecb0e918d2e3fea8347f2940bf1e7d87a06bdf72e48

Download Submit
memory/372-144-0x0000000000000000-mapping.dmp

Download
memory/444-138-0x0000000000000000-mapping.dmp

Download
memory/856-152-0x0000000000000000-mapping.dmp

Download
memory/2028-143-0x0000000000000000-mapping.dmp

Download
memory/2968-145-0x0000000000000000-mapping.dmp

Download
memory/3344-148-0x0000000000000000-mapping.dmp

Download
memory/3556-140-0x0000000000000000-mapping.dmp

Download
memory/3628-151-0x0000000000000000-mapping.dmp

Download
memory/4080-139-0x0000000000000000-mapping.dmp

Download
memory/4240-142-0x0000000000000000-mapping.dmp

Download
memory/4264-150-0x0000000000000000-mapping.dmp

Download
memory/4272-149-0x0000000000000000-mapping.dmp

Download
memory/4324-141-0x0000000000000000-mapping.dmp

Download
memory/4364-135-0x0000000000000000-mapping.dmp

Download
memory/4584-154-0x0000000000000000-mapping.dmp

Download
memory/4616-146-0x0000000000000000-mapping.dmp

Download
memory/4824-147-0x0000000000000000-mapping.dmp

Download
memory/4840-137-0x0000000000000000-mapping.dmp

Download
memory/4948-153-0x0000000000000000-mapping.dmp

Download
memory/4992-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads