Analysis
- max time kernel: 19s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 16:59

Static task: static1
Behavioral task: behavioral1
Sample: c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe
Resource: win7-20221111-en

General
- Target: c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe
- Size: 134KB
- MD5: cf174472200c2c0205782d352735b594
- SHA1: 1e462e8c90aaec05f6dfbb3d91e5b8e5fd610517
- SHA256: c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9
- SHA512: 3293c8eb7d5515e100c17febebab81065f474d82b314e1cdc0e65d3a4aea789ecf412ca0807e5a2ba518593697bfe1547553133696c8c7c1a21662a31a4be3c8
- SSDEEP: 3072:kV3J6kkt5h1X+HqTi0BW69hd1MMdxPe9N9uA0/+hL9TBfnPLipC+r:Jt5hBPi0BW69hd1MMdxPe9N9uA069TBc
Malware Config

Signatures
- Possible privilege escalation attempt (20 IoCs)
  Processes (pid, process):
    1076 takeown.exe
    284 takeown.exe
    1876 icacls.exe
    844 icacls.exe
    872 icacls.exe
    1072 takeown.exe
    704 icacls.exe
    1696 icacls.exe
    1400 icacls.exe
    1260 takeown.exe
    1708 takeown.exe
    1972 icacls.exe
    1924 icacls.exe
    1292 icacls.exe
    692 takeown.exe
    1444 takeown.exe
    1576 takeown.exe
    932 icacls.exe
    1488 takeown.exe
    1968 takeown.exe
- Modifies file permissions (1 TTPs, 20 IoCs)
  Processes (pid, process):
    1292 icacls.exe
    932 icacls.exe
    704 icacls.exe
    1260 takeown.exe
    844 icacls.exe
    1708 takeown.exe
    872 icacls.exe
    1924 icacls.exe
    1876 icacls.exe
    1972 icacls.exe
    284 takeown.exe
    1488 takeown.exe
    1076 takeown.exe
    1072 takeown.exe
    1968 takeown.exe
    692 takeown.exe
    1444 takeown.exe
    1576 takeown.exe
    1696 icacls.exe
    1400 icacls.exe
- Drops file in Windows directory (11 IoCs)
  Processes (description, ioc, process):
    File opened for modification C:\Windows\Boot\DVD\EFI\en-US\efisys.bin cmd.exe
    File opened for modification C:\Windows\Boot\DVD\PCAT\boot.sdi cmd.exe
    File opened for modification C:\Windows\Boot\DVD\PCAT\fr-FR\bootfix.bin cmd.exe
    File opened for modification C:\Windows\Boot\DVD\PCAT\it-IT\bootfix.bin cmd.exe
    File opened for modification C:\Windows\Boot\DVD\EFI\BCD cmd.exe
    File opened for modification C:\Windows\Boot\DVD\EFI\boot.sdi cmd.exe
    File opened for modification C:\Windows\Boot\DVD\PCAT\BCD cmd.exe
    File opened for modification C:\Windows\Boot\DVD\PCAT\de-DE\bootfix.bin cmd.exe
    File opened for modification C:\Windows\Boot\DVD\PCAT\es-ES\bootfix.bin cmd.exe
    File opened for modification C:\Windows\Boot\DVD\PCAT\etfsboot.com cmd.exe
    File opened for modification C:\Windows\Boot\DVD\PCAT\ja-JP\bootfix.bin cmd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes (description, pid, process):
    Token: SeTakeOwnershipPrivilege 1076 takeown.exe
    Token: SeTakeOwnershipPrivilege 1444 takeown.exe
    Token: SeTakeOwnershipPrivilege 284 takeown.exe
    Token: SeTakeOwnershipPrivilege 1072 takeown.exe
    Token: SeTakeOwnershipPrivilege 1576 takeown.exe
    Token: SeTakeOwnershipPrivilege 1488 takeown.exe
    Token: SeTakeOwnershipPrivilege 1968 takeown.exe
    Token: SeTakeOwnershipPrivilege 692 takeown.exe
    Token: SeTakeOwnershipPrivilege 1260 takeown.exe
- Suspicious use of WriteProcessMemory (63 IoCs)
  Processes (description: pid process -> target process):
    PID 972 wrote to memory of 280: 972 c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe -> cmd.exe
    PID 972 wrote to memory of 280: 972 c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe -> cmd.exe
    PID 972 wrote to memory of 280: 972 c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe -> cmd.exe
    PID 280 wrote to memory of 1076: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1076: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1076: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 844: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 844: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 844: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1708: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1708: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1708: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 872: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 872: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 872: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1444: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1444: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1444: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1972: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1972: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1972: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 284: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 284: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 284: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1924: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1924: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1924: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1072: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1072: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1072: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1292: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1292: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1292: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1576: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1576: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1576: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 932: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 932: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 932: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1488: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1488: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1488: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 704: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 704: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 704: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1968: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1968: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1968: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1696: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1696: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1696: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 692: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 692: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 692: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1400: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1400: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1400: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1260: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1260: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1260: 280 cmd.exe -> takeown.exe
    PID 280 wrote to memory of 1876: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1876: 280 cmd.exe -> icacls.exe
    PID 280 wrote to memory of 1876: 280 cmd.exe -> icacls.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3535.tmp\3536.tmp\3537.bat C:\Users\Admin\AppData\Local\Temp\c6b655a26540651f5f6d9e4c125c2d092a05c3f3de517d15c55025092a307ea9.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\System32\ntoskrnl.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\ntoskrnl.exe" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -r -f -skipsl "C:\Windows\Boot"
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\Boot" /t /c /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\bfsvc.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\bfsvc.exe" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\System32\kernel32.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\kernel32.dll" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\System32\advapi32.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\advapi32.dll" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\System32\user32.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\user32.dll" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\System32\gdi32.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\gdi32.dll" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\System32\win32k.sys"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\win32k.sys" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\System32\ntdll.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\ntdll.dll" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
    - [depth 3] C:\Windows\system32\takeown.exe
      Command line: takeown -f "C:\Windows\System32\hall.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\system32\icacls.exe
      Command line: ICACLS "C:\Windows\System32\hal.dll" /grant "Admin":F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3535.tmp\3536.tmp\3537.bat
  Filesize: 1KB
  MD5: e666a33a40b3660f6f1ac5ce390d856a
  SHA1: 9ae70be123a8a7837c314030c06202ee61cbf52e
  SHA256: 8c50b2f52383a41d0186436281f4f804144ef1dcd12dd638840e32d4cc2c6488
  SHA512: 69c59de096b6ebc30629b8d63a8fab1870e3a466c8d36edd31384ed6f0c19e50b17ed56b9779960513a2da2a9dedde4d27e755bb084499220fda719dfb74be5d
- memory/280-55-0x0000000000000000-mapping.dmp
- memory/284-63-0x0000000000000000-mapping.dmp
- memory/692-73-0x0000000000000000-mapping.dmp
- memory/704-70-0x0000000000000000-mapping.dmp
- memory/844-58-0x0000000000000000-mapping.dmp
- memory/872-60-0x0000000000000000-mapping.dmp
- memory/932-68-0x0000000000000000-mapping.dmp
- memory/972-54-0x000007FEFB971000-0x000007FEFB973000-memory.dmp
  Filesize: 8KB
- memory/1072-65-0x0000000000000000-mapping.dmp
- memory/1076-57-0x0000000000000000-mapping.dmp
- memory/1260-75-0x0000000000000000-mapping.dmp
- memory/1292-66-0x0000000000000000-mapping.dmp
- memory/1400-74-0x0000000000000000-mapping.dmp
- memory/1444-61-0x0000000000000000-mapping.dmp
- memory/1488-69-0x0000000000000000-mapping.dmp
- memory/1576-67-0x0000000000000000-mapping.dmp
- memory/1696-72-0x0000000000000000-mapping.dmp
- memory/1708-59-0x0000000000000000-mapping.dmp
- memory/1876-76-0x0000000000000000-mapping.dmp
- memory/1924-64-0x0000000000000000-mapping.dmp
- memory/1968-71-0x0000000000000000-mapping.dmp
- memory/1972-62-0x0000000000000000-mapping.dmp