a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c

Analysis

max time kernel
46s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
Size

64KB
MD5

19c3865c06159ff24bc7f49c067da306
SHA1

04804e390fb4f0e6264903808b089dcd4700605b
SHA256

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c
SHA512

a8d86157715466916d93bca3ef3bd9da48e39d8178b1e421b9ae067a49b62f15d729848201be72d9a1842e13f5aa717edb2c80c0dd08b5d435f24a6f00beadc9
SSDEEP

768:z38+NFO7RMrbFZiQeh0Sx08mmg9NDzHPFRZbBqorrfw3wenva1AT54B3/dVDDe0o:zs+XkOX0iZmWnbatF69Bj7/4z3

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1752 takeown.exe
1932 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1752 takeown.exe
1932 icacls.exe

pid	process
1752	takeown.exe
1932	icacls.exe

pid	process
1752	takeown.exe
1932	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\tcyx.exe	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
File opened for modification	C:\Windows\SysWOW64\tcyx.exe	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

pid process

1448 a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

pid	process
1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

description	pid	process	target process
PID 1448 wrote to memory of 1752	1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 1448 wrote to memory of 1752	1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 1448 wrote to memory of 1752	1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 1448 wrote to memory of 1752	1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	takeown.exe
PID 1448 wrote to memory of 1932	1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 1448 wrote to memory of 1932	1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 1448 wrote to memory of 1932	1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe
PID 1448 wrote to memory of 1932	1448	a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
"C:\Users\Admin\AppData\Local\Temp\a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\takeown.exe
C:\Windows\system32\takeown.exe /f "C:\Windows\system32\tcyx.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752

C:\Windows\SysWOW64\icacls.exe
C:\Windows\system32\icacls.exe "C:\Windows\system32\tcyx.exe" /grant SYSTEM:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1932

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tcyx.exe
Filesize
64KB

MD5
19c3865c06159ff24bc7f49c067da306

SHA1
04804e390fb4f0e6264903808b089dcd4700605b

SHA256
a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c

SHA512
a8d86157715466916d93bca3ef3bd9da48e39d8178b1e421b9ae067a49b62f15d729848201be72d9a1842e13f5aa717edb2c80c0dd08b5d435f24a6f00beadc9

Download Submit
memory/1448-56-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1752-57-0x0000000000000000-mapping.dmp

Download
memory/1932-59-0x0000000000000000-mapping.dmp

Download