e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2

General

Target

e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe
Size

100KB
MD5

da54fb33318eba3300335a5f5c347b71
SHA1

ad5aefe73b42c026ad64c6ba6336433271fc0c05
SHA256

e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2
SHA512

65064defbba0d1e9f1cce1319cb6da4d1878bac3c11f4be1bfe693fdcbebfe3377726803df74276dd4744a3a56a2234db583bf871ccaaeefc3bb84bcaf1f802f
SSDEEP

1536:7eGnZCYbMtsMxBxVxxo19p0elScbF1/omRd:CXsM3xBxEYelS6F1/oAd

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4488 takeown.exe
3236 icacls.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4488 takeown.exe
3236 icacls.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 4488 takeown.exe

pid	process
4488	takeown.exe
3236	icacls.exe

pid	process
4488	takeown.exe
3236	icacls.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4488	takeown.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.execmd.execmd.exe

description	pid	process	target process
PID 2868 wrote to memory of 4844	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4844	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4844	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4796	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4796	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4796	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4864	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4864	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4864	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 4864 wrote to memory of 4904	4864	cmd.exe	attrib.exe
PID 4864 wrote to memory of 4904	4864	cmd.exe	attrib.exe
PID 4864 wrote to memory of 4904	4864	cmd.exe	attrib.exe
PID 2868 wrote to memory of 860	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 860	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 860	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1244	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1244	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1244	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4436	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4436	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 4436	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1776	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1776	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1776	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 3616	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 3616	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 3616	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 2368	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 2368	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 2368	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1304	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1304	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 1304	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 2848	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 2848	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 2848	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 3848	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 3848	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 3848	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 216	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 216	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 2868 wrote to memory of 216	2868	e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe	cmd.exe
PID 216 wrote to memory of 4488	216	cmd.exe	takeown.exe
PID 216 wrote to memory of 4488	216	cmd.exe	takeown.exe
PID 216 wrote to memory of 4488	216	cmd.exe	takeown.exe
PID 216 wrote to memory of 3236	216	cmd.exe	icacls.exe
PID 216 wrote to memory of 3236	216	cmd.exe	icacls.exe
PID 216 wrote to memory of 3236	216	cmd.exe	icacls.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4904 attrib.exe

pid	process
4904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe
"C:\Users\Admin\AppData\Local\Temp\e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
2⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\ytmp" mkdir "C:\Users\Admin\AppData\Local\Temp\ytmp"
2⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
2⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
3⤵
- Views/modifies file attributes
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ytmp\tmp54055.bat "C:\Users\Admin\AppData\Local\Temp\e21624136e34bf65c1332cbf725f2e780cedc1bd00aa721b91d28f7fd86dc1c2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32 /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant users:F /T
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp29355.exe" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp29355.exe"
2⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp54055.bat" del "C:\Users\Admin\AppData\Local\Temp\ytmp\tmp54055.bat"
2⤵
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ytmp\tmp54055.bat
Filesize
308B

MD5
93101812a2c956dcb0326f53f265ded8

SHA1
49c0845fcfafffba8940de5acf0ff6053bafd8ce

SHA256
84436259cf3f16e736f4868fdcdda8d2663ff06f74b1449dbc1619ae2ccf391f

SHA512
2fa6b7145728d0578f7d317d5fe6ff8107d347bc691e190dc30bdefce32442b367e7f4d37ee9e0cc2574dbc8d65eae7c397233555be4f82ad9b4a4720a304047

Download Submit
memory/216-145-0x0000000000000000-mapping.dmp

Download
memory/860-136-0x0000000000000000-mapping.dmp

Download
memory/1244-137-0x0000000000000000-mapping.dmp

Download
memory/1304-142-0x0000000000000000-mapping.dmp

Download
memory/1776-139-0x0000000000000000-mapping.dmp

Download
memory/2368-141-0x0000000000000000-mapping.dmp

Download
memory/2848-143-0x0000000000000000-mapping.dmp

Download
memory/3236-148-0x0000000000000000-mapping.dmp

Download
memory/3616-140-0x0000000000000000-mapping.dmp

Download
memory/3848-144-0x0000000000000000-mapping.dmp

Download
memory/4436-138-0x0000000000000000-mapping.dmp

Download
memory/4488-147-0x0000000000000000-mapping.dmp

Download
memory/4796-133-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000000000000-mapping.dmp

Download
memory/4864-134-0x0000000000000000-mapping.dmp

Download
memory/4904-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing