46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
Size

68KB
MD5

2a044541d4e9956ad433e0a48aaa0936
SHA1

c0f63bec4589c591fea3ab7fa7e5424a8c6aace0
SHA256

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854
SHA512

dcc4dfb5813896db4e89fe15e831b9cc17716343bb2fcf4db84b3faf0538986364ffec5ec41577aefb57cfe8a9980d82d95724876e7571bf0bbb5550d85aa19a
SSDEEP

768:17KVTXSlkfkq5BLLO88dBB2F0Xi+PuIs2Yd4JTHTfgzSw2S7dWJ0KwIRjz4MMUhY:MRaKBBO84E+lm7m4Mbhj6RfZIL/U

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1548 takeown.exe
1272 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1548 takeown.exe
1272 icacls.exe

pid	process
1548	takeown.exe
1272	icacls.exe

pid	process
1548	takeown.exe
1272	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

description	ioc	process
File created	C:\Windows\SysWOW64\aafb.exe	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
File opened for modification	C:\Windows\SysWOW64\aafb.exe	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

pid process

1096 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

pid	process
1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

description	pid	process	target process
PID 1096 wrote to memory of 1548	1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 1096 wrote to memory of 1548	1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 1096 wrote to memory of 1548	1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 1096 wrote to memory of 1548	1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	takeown.exe
PID 1096 wrote to memory of 1272	1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 1096 wrote to memory of 1272	1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 1096 wrote to memory of 1272	1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe
PID 1096 wrote to memory of 1272	1096	46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
"C:\Users\Admin\AppData\Local\Temp\46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\aafb.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1548

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\aafb.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1272

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aafb.exe
Filesize
68KB

MD5
2a044541d4e9956ad433e0a48aaa0936

SHA1
c0f63bec4589c591fea3ab7fa7e5424a8c6aace0

SHA256
46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854

SHA512
dcc4dfb5813896db4e89fe15e831b9cc17716343bb2fcf4db84b3faf0538986364ffec5ec41577aefb57cfe8a9980d82d95724876e7571bf0bbb5550d85aa19a

Download Submit
memory/1096-56-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1272-59-0x0000000000000000-mapping.dmp

Download
memory/1548-57-0x0000000000000000-mapping.dmp

Download