Analysis
max time kernel: 158s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 16:19
Static task: static1
Behavioral task: behavioral1
Sample: e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe
Resource: win7-20221111-en
General
Target: e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe
Size: 100KB
MD5: da54fb33318eba3300335a5f5c347b71
SHA1: ad5aefe73b42c026ad64c6ba6336433271fc0c05
SHA256: e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2
SHA512: 65064defbba0d1e9f1cce1319cb6da4d1878bac3c11f4be1bfe693fdcbebfe3377726803df74276dd4744a3a56a2234db583bf871ccaaeefc3bb84bcaf1f802f
SSDEEP: 1536:7eGnZCYbMtsMxBxVxxo19p0elScbF1/omRd:CXsM3xBxEYelS6F1/oAd
Malware Config
Signatures
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid   process
    4488  takeown.exe
    3236  icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes: takeown.exe, icacls.exe
    pid   process
    4488  takeown.exe
    3236  icacls.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: takeown.exe
    description                      pid   process
    Token: SeTakeOwnershipPrivilege  4488  takeown.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  Processes: e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe, cmd.exe, cmd.exe
    description                       pid   process                                                               target process
    PID 2868 wrote to memory of 4844  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4844  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4844  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4796  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4796  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4796  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4864  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4864  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4864  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 4864 wrote to memory of 4904  4864  cmd.exe                                                               attrib.exe
    PID 4864 wrote to memory of 4904  4864  cmd.exe                                                               attrib.exe
    PID 4864 wrote to memory of 4904  4864  cmd.exe                                                               attrib.exe
    PID 2868 wrote to memory of 860   2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 860   2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 860   2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1244  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1244  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1244  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4436  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4436  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 4436  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1776  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1776  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1776  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 3616  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 3616  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 3616  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 2368  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 2368  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 2368  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1304  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1304  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 1304  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 2848  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 2848  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 2848  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 3848  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 3848  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 3848  2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 216   2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 216   2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 2868 wrote to memory of 216   2868  e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe  cmd.exe
    PID 216 wrote to memory of 4488   216   cmd.exe                                                               takeown.exe
    PID 216 wrote to memory of 4488   216   cmd.exe                                                               takeown.exe
    PID 216 wrote to memory of 4488   216   cmd.exe                                                               takeown.exe
    PID 216 wrote to memory of 3236   216   cmd.exe                                                               icacls.exe
    PID 216 wrote to memory of 3236   216   cmd.exe                                                               icacls.exe
    PID 216 wrote to memory of 3236   216   cmd.exe                                                               icacls.exe
- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
    Signatures: Suspicious use of WriteProcessMemory
    - Path: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
      Signatures: Views/modifies file attributes
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp54055.bat "C:\Users\Admin\AppData\Local\Temp\e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - Path: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32 /r /d y
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - Path: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32 /grant users:F /T
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp29355.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp29355.exe"
  - Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp54055.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp54055.bat"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ytmp\tmp54055.bat
  Filesize: 308B
  MD5: 93101812a2c956dcb0326f53f265ded8
  SHA1: 49c0845fcfafffba8940de5acf0ff6053bafd8ce
  SHA256: 84436259cf3f16e736f4868fdcdda8d2663ff06f74b1449dbc1619ae2ccf391f
  SHA512: 2fa6b7145728d0578f7d317d5fe6ff8107d347bc691e190dc30bdefce32442b367e7f4d37ee9e0cc2574dbc8d65eae7c397233555be4f82ad9b4a4720a304047
- memory/216-145-0x0000000000000000-mapping.dmp
- memory/860-136-0x0000000000000000-mapping.dmp
- memory/1244-137-0x0000000000000000-mapping.dmp
- memory/1304-142-0x0000000000000000-mapping.dmp
- memory/1776-139-0x0000000000000000-mapping.dmp
- memory/2368-141-0x0000000000000000-mapping.dmp
- memory/2848-143-0x0000000000000000-mapping.dmp
- memory/3236-148-0x0000000000000000-mapping.dmp
- memory/3616-140-0x0000000000000000-mapping.dmp
- memory/3848-144-0x0000000000000000-mapping.dmp
- memory/4436-138-0x0000000000000000-mapping.dmp
- memory/4488-147-0x0000000000000000-mapping.dmp
- memory/4796-133-0x0000000000000000-mapping.dmp
- memory/4844-132-0x0000000000000000-mapping.dmp
- memory/4864-134-0x0000000000000000-mapping.dmp
- memory/4904-135-0x0000000000000000-mapping.dmp