9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851

General

Target

9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe
Size

40KB
MD5

1fc4f7c736f8b793657c5c9f368cfdd0
SHA1

bc39639ad5c168d324e0a097310e554e911c6fc6
SHA256

9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851
SHA512

c73bd079ac5104c0596f2f5e5fda0851a79288beb8e2b6d795451a1dfb935ab797b6c1068bf41a6eab097dd9d1c90b0a1c61ff77c9f738b1c15b8bb591243ba2
SSDEEP

768:/+3ruMn9xB/9ZaY5z0YtI6je50Gg0I3wqgNchNk:/+3zLBX/5FI6je50Gg0Ifg2zk

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

1540 takeown.exe
3004 icacls.exe
3164 takeown.exe
3544 icacls.exe
3984 takeown.exe
4548 icacls.exe
1048 takeown.exe
3148 icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

3164 takeown.exe
3544 icacls.exe
3984 takeown.exe
4548 icacls.exe
1048 takeown.exe
3148 icacls.exe
1540 takeown.exe
3004 icacls.exe

pid	process
1540	takeown.exe
3004	icacls.exe
3164	takeown.exe
3544	icacls.exe
3984	takeown.exe
4548	icacls.exe
1048	takeown.exe
3148	icacls.exe

pid	process
3164	takeown.exe
3544	icacls.exe
3984	takeown.exe
4548	icacls.exe
1048	takeown.exe
3148	icacls.exe
1540	takeown.exe
3004	icacls.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1540	takeown.exe
Token: SeTakeOwnershipPrivilege	3984	takeown.exe
Token: SeTakeOwnershipPrivilege	1048	takeown.exe
Token: SeTakeOwnershipPrivilege	3164	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe

pid process

3708 9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe

pid	process
3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe

description	pid	process	target process
PID 3708 wrote to memory of 1048	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 1048	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 1048	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 3148	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 3148	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 3148	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 1540	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 1540	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 1540	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 4548	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 4548	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 4548	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 3984	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 3984	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 3984	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 3004	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 3004	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 3004	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 3164	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 3164	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 3164	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	takeown.exe
PID 3708 wrote to memory of 3544	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 3544	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe
PID 3708 wrote to memory of 3544	3708	9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe
"C:\Users\Admin\AppData\Local\Temp\9111164d4687ab96e7a9cb79ee9620a825403827531e3f045fe9728d08759851.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cmd.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3148

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\ftp.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3004

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3544

C:\Windows\SysWOW64\takeown.exe
C:\Windows\System32\takeown.exe /f "C:\Windows\System32\wscript.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\SysWOW64\icacls.exe
C:\Windows\System32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-135-0x0000000000000000-mapping.dmp

Download
memory/1540-137-0x0000000000000000-mapping.dmp

Download
memory/3004-140-0x0000000000000000-mapping.dmp

Download
memory/3148-136-0x0000000000000000-mapping.dmp

Download
memory/3164-141-0x0000000000000000-mapping.dmp

Download
memory/3544-142-0x0000000000000000-mapping.dmp

Download
memory/3984-139-0x0000000000000000-mapping.dmp

Download
memory/4548-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing