9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851

General

Target

9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe
Size

40KB
MD5

1fc4f7c736f8b793657c5c9f368cfdd0
SHA1

bc39639ad5c168d324e0a097310e554e911c6fc6
SHA256

9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851
SHA512

c73bd079ac5104c0596f2f5e5fda0851a79288beb8e2b6d795451a1dfb935ab797b6c1068bf41a6eab097dd9d1c90b0a1c61ff77c9f738b1c15b8bb591243ba2
SSDEEP

768:/+3ruMn9xB/9ZaY5z0YtI6je50Gg0I3wqgNchNk:/+3zLBX/5FI6je50Gg0Ifg2zk

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

1660 icacls.exe
584 takeown.exe
1448 icacls.exe
1408 takeown.exe
1496 icacls.exe
1712 takeown.exe
1156 icacls.exe
1064 takeown.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

584 takeown.exe
1448 icacls.exe
1408 takeown.exe
1496 icacls.exe
1712 takeown.exe
1156 icacls.exe
1064 takeown.exe
1660 icacls.exe

pid	process
1660	icacls.exe
584	takeown.exe
1448	icacls.exe
1408	takeown.exe
1496	icacls.exe
1712	takeown.exe
1156	icacls.exe
1064	takeown.exe

pid	process
584	takeown.exe
1448	icacls.exe
1408	takeown.exe
1496	icacls.exe
1712	takeown.exe
1156	icacls.exe
1064	takeown.exe
1660	icacls.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1712	takeown.exe
Token: SeTakeOwnershipPrivilege	584	takeown.exe
Token: SeTakeOwnershipPrivilege	1064	takeown.exe
Token: SeTakeOwnershipPrivilege	1408	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe

pid process

624 9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe

pid	process
624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe

description	pid	process	target process
PID 624 wrote to memory of 1712	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1712	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1712	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1712	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1156	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1156	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1156	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1156	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1064	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1064	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1064	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1064	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1660	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1660	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1660	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1660	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 584	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 584	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 584	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 584	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1448	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1448	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1448	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1448	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1408	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1408	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1408	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1408	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 624 wrote to memory of 1496	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1496	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1496	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 624 wrote to memory of 1496	624	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe
"C:\Users\Admin\AppData\Local\Temp\9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1156

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1660

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1448

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1496

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-60-0x0000000000000000-mapping.dmp

Download
memory/1064-58-0x0000000000000000-mapping.dmp

Download
memory/1156-57-0x0000000000000000-mapping.dmp

Download
memory/1408-62-0x0000000000000000-mapping.dmp

Download
memory/1448-61-0x0000000000000000-mapping.dmp

Download
memory/1496-63-0x0000000000000000-mapping.dmp

Download
memory/1660-59-0x0000000000000000-mapping.dmp

Download
memory/1712-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing