Analysis

max time kernel: 46s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 13:23
Static task: static1
Behavioral task: behavioral1
Sample: a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
Resource: win7-20220901-en
General

Target: a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
Size: 64KB
MD5: 19c3865c06159ff24bc7f49c067da306
SHA1: 04804e390fb4f0e6264903808b089dcd4700605b
SHA256: a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c
SHA512: a8d86157715466916d93bca3ef3bd9da48e39d8178b1e421b9ae067a49b62f15d729848201be72d9a1842e13f5aa717edb2c80c0dd08b5d435f24a6f00beadc9
SSDEEP: 768:z38+NFO7RMrbFZiQeh0Sx08mmg9NDzHPFRZbBqorrfw3wenva1AT54B3/dVDDe0o:zs+XkOX0iZmWnbatF69Bj7/4z3
Malware Config
Signatures

Possible privilege escalation attempt (2 IoCs)
Processes:
  pid   process
  1752  takeown.exe
  1932  icacls.exe

Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
  pid   process
  1752  takeown.exe
  1932  icacls.exe

Drops file in System32 directory (2 IoCs)
Processes:
  description                   ioc                           process
  File created                  C:\Windows\SysWOW64\tcyx.exe  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
  File opened for modification  C:\Windows\SysWOW64\tcyx.exe  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process                                                                 target process
  PID 1448 wrote to memory of 1752  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe  takeown.exe
  PID 1448 wrote to memory of 1752  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe  takeown.exe
  PID 1448 wrote to memory of 1752  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe  takeown.exe
  PID 1448 wrote to memory of 1752  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe  takeown.exe
  PID 1448 wrote to memory of 1932  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe  icacls.exe
  PID 1448 wrote to memory of 1932  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe  icacls.exe
  PID 1448 wrote to memory of 1932  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe  icacls.exe
  PID 1448 wrote to memory of 1932  1448  a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe  icacls.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c.exe"
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\takeown.exe
    command line: C:\Windows\system32\takeown.exe /f "C:\Windows\system32\tcyx.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\icacls.exe
    command line: C:\Windows\system32\icacls.exe "C:\Windows\system32\tcyx.exe" /grant SYSTEM:F
    - Possible privilege escalation attempt
    - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\tcyx.exe
  Filesize: 64KB
  MD5: 19c3865c06159ff24bc7f49c067da306
  SHA1: 04804e390fb4f0e6264903808b089dcd4700605b
  SHA256: a1bffce8bbbfd84aeff8292df94ff1afe2e9e7a355d96832a20875aea1f5af8c
  SHA512: a8d86157715466916d93bca3ef3bd9da48e39d8178b1e421b9ae067a49b62f15d729848201be72d9a1842e13f5aa717edb2c80c0dd08b5d435f24a6f00beadc9

memory/1448-56-0x00000000758B1000-0x00000000758B3000-memory.dmp
  Filesize: 8KB

memory/1752-57-0x0000000000000000-mapping.dmp

memory/1932-59-0x0000000000000000-mapping.dmp