Analysis
Max time kernel: 42s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 21-11-2022 13:43

Static task: static1
Behavioral task: behavioral1
  Sample: 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
  Resource: win7-20220812-en
General
Target: 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
Size: 68KB
MD5: 2a044541d4e9956ad433e0a48aaa0936
SHA1: c0f63bec4589c591fea3ab7fa7e5424a8c6aace0
SHA256: 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854
SHA512: dcc4dfb5813896db4e89fe15e831b9cc17716343bb2fcf4db84b3faf0538986364ffec5ec41577aefb57cfe8a9980d82d95724876e7571bf0bbb5550d85aa19a
SSDEEP: 768:17KVTXSlkfkq5BLLO88dBB2F0Xi+PuIs2Yd4JTHTfgzSw2S7dWJ0KwIRjz4MMUhY:MRaKBBO84E+lm7m4Mbhj6RfZIL/U
Malware Config
Signatures
Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
    PID   Process
    1548  takeown.exe
    1272  icacls.exe

Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
    PID   Process
    1548  takeown.exe
    1272  icacls.exe

Drops file in System32 directory (2 IoCs)
  Processes: 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
    Description                   IoC                            Process
    File created                  C:\Windows\SysWOW64\aafb.exe   46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
    File opened for modification  C:\Windows\SysWOW64\aafb.exe   46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
    PID   Process
    1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
    Description                       PID   Process                                                                Target process
    PID 1096 wrote to memory of 1548  1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe  takeown.exe
    PID 1096 wrote to memory of 1548  1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe  takeown.exe
    PID 1096 wrote to memory of 1548  1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe  takeown.exe
    PID 1096 wrote to memory of 1548  1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe  takeown.exe
    PID 1096 wrote to memory of 1272  1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe  icacls.exe
    PID 1096 wrote to memory of 1272  1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe  icacls.exe
    PID 1096 wrote to memory of 1272  1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe  icacls.exe
    PID 1096 wrote to memory of 1272  1096  46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe  icacls.exe
Processes
C:\Users\Admin\AppData\Local\Temp\46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854.exe"
  PID: 1096
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\takeown.exe (child of PID 1096)
    Command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\aafb.exe"
    PID: 1548
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\icacls.exe (child of PID 1096)
    Command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\aafb.exe" /grant SYSTEM:F
    PID: 1272
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Windows\SysWOW64\aafb.exe (hashes identical to the submitted sample)
  Filesize: 68KB
  MD5: 2a044541d4e9956ad433e0a48aaa0936
  SHA1: c0f63bec4589c591fea3ab7fa7e5424a8c6aace0
  SHA256: 46d813b85cfc3e0d69b3fc7e25a047cf4b7c6802171eff1c217f196ee61c1854
  SHA512: dcc4dfb5813896db4e89fe15e831b9cc17716343bb2fcf4db84b3faf0538986364ffec5ec41577aefb57cfe8a9980d82d95724876e7571bf0bbb5550d85aa19a

memory/1096-56-0x0000000075211000-0x0000000075213000-memory.dmp
  Filesize: 8KB

memory/1272-59-0x0000000000000000-mapping.dmp

memory/1548-57-0x0000000000000000-mapping.dmp