5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be

Analysis

max time kernel
82s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe
Size

27KB
MD5

20500268557f9ad6dafc78e6a11ad230
SHA1

c282226d5324456d84e66664993a6409f1930048
SHA256

5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be
SHA512

96b7f139ab27af90765865a8c887eed6ea0302cdeede05b44d394bcbc40f2d8025f40e3036ce718a1656c20e3adef6962dd4e5970cf29f755716e0b5b627dee2
SSDEEP

768:p+Aj5O+/Zh7oI6LDg02e9pzitFrswMJSLLb4M:TOEqIWgzeP+FyJab4M

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4744 takeown.exe
2504 icacls.exe

pid	process
4744	takeown.exe
2504	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1316-132-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/1316-136-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4744 takeown.exe
2504 icacls.exe

pid	process
4744	takeown.exe
2504	icacls.exe

Drops file in System32 directory 4 IoCs

Processes:

5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ole.dll	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe
File created	C:\Windows\SysWOW64\imm32.dll.log	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll.log	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe
File created	C:\Windows\SysWOW64\imm32.dll	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe

pid	process
1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe
1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe
Token: SeTakeOwnershipPrivilege	4744	takeown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe

pid	process
1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe
1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe

description	pid	process	target process
PID 1316 wrote to memory of 4744	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	takeown.exe
PID 1316 wrote to memory of 4744	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	takeown.exe
PID 1316 wrote to memory of 4744	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	takeown.exe
PID 1316 wrote to memory of 2504	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	icacls.exe
PID 1316 wrote to memory of 2504	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	icacls.exe
PID 1316 wrote to memory of 2504	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	icacls.exe
PID 1316 wrote to memory of 2452	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	cmd.exe
PID 1316 wrote to memory of 2452	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	cmd.exe
PID 1316 wrote to memory of 2452	1316	5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe
"C:\Users\Admin\AppData\Local\Temp\5279d8bf11898ff921d0ec471995dea733311fc5ab6e8c77a77512599934e7be.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\imm32.dll
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\imm32.dll /grant administrators:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\dele56beff.bat
2⤵
PID:2452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\dele56beff.bat

Filesize
271B

MD5
85c8f16f5c7a6bef3437e4e88e83e162

SHA1
238447c7673543efea6d43a3c5879321f560e877

SHA256
9a97d7673025a05173b0c3b08f4770aa0f57cd7e0575316d465652338c362c60

SHA512
1b3e618b41eda30c65c9f42de8656021aba43e9f05acd9e3f16707e85d232226b6a87594dffee802cb1f61225e949eb37f652578f37980a348203edbc0c8e6fc

Download Submit
memory/1316-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1316-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2452-135-0x0000000000000000-mapping.dmp

Download
memory/2504-134-0x0000000000000000-mapping.dmp

Download
memory/4744-133-0x0000000000000000-mapping.dmp

Download