7da47ddb19271531d7b8087062df3761fca6810467c2d9e780d32960c848d2b7

Analysis

max time kernel
124s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe
Size

40KB
MD5

2c287573e77ec0ae4dc8f416b9a9b0e0
SHA1

9fea124a8cd51d65be94a75935db8d494d3b43df
SHA256

7da47ddb19271531d7b8087062df3761fca6810467c2d9e780d32960c848d2b7
SHA512

a742f48dd9a0691409da870f9eade4809a3953acee8a1a4f260e8a8a5b3e8ba42dd856388ee3735fb250ee2cb7cc6769ae9484aa68cf9e46bffa1f6ec3eeceb3
SSDEEP

768:/dreP2xziBJEobflAa8soTbOi23jg5tpLGZpoAoioBFohHU+GNH:/dremikoDSbbH23jg5tpLkw+qH

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
4164	takeown.exe
3516	icacls.exe
4336	icacls.exe
1444	takeown.exe
4672	takeown.exe
2852	icacls.exe
4796	icacls.exe
3084	takeown.exe

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4164	takeown.exe
3516	icacls.exe
4336	icacls.exe
1444	takeown.exe
4672	takeown.exe
2852	icacls.exe
4796	icacls.exe
3084	takeown.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4672	takeown.exe
Token: SeTakeOwnershipPrivilege	4164	takeown.exe
Token: SeTakeOwnershipPrivilege	3084	takeown.exe
Token: SeTakeOwnershipPrivilege	1444	takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 4164	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	84
PID 3116 wrote to memory of 4164	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	84
PID 3116 wrote to memory of 4164	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	84
PID 3116 wrote to memory of 3516	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	85
PID 3116 wrote to memory of 3516	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	85
PID 3116 wrote to memory of 3516	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	85
PID 3116 wrote to memory of 4672	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	88
PID 3116 wrote to memory of 4672	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	88
PID 3116 wrote to memory of 4672	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	88
PID 3116 wrote to memory of 4336	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	86
PID 3116 wrote to memory of 4336	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	86
PID 3116 wrote to memory of 4336	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	86
PID 3116 wrote to memory of 1444	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	87
PID 3116 wrote to memory of 1444	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	87
PID 3116 wrote to memory of 1444	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	87
PID 3116 wrote to memory of 2852	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	89
PID 3116 wrote to memory of 2852	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	89
PID 3116 wrote to memory of 2852	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	89
PID 3116 wrote to memory of 3084	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	99
PID 3116 wrote to memory of 3084	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	99
PID 3116 wrote to memory of 3084	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	99
PID 3116 wrote to memory of 4796	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	97
PID 3116 wrote to memory of 4796	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	97
PID 3116 wrote to memory of 4796	3116	NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2c287573e77ec0ae4dc8f416b9a9b0e0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cmd.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\System32\icacls.exe "C:\Windows\System32\cmd.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3516
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\System32\icacls.exe "C:\Windows\System32\ftp.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4336
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\System32\takeown.exe /f "C:\Windows\System32\wscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\System32\takeown.exe /f "C:\Windows\System32\ftp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\System32\icacls.exe "C:\Windows\System32\wscript.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2852
- C:\Windows\SysWOW64\icacls.exe
  C:\Windows\System32\icacls.exe "C:\Windows\System32\cscript.exe" /grant Users:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4796
- C:\Windows\SysWOW64\takeown.exe
  C:\Windows\System32\takeown.exe /f "C:\Windows\System32\cscript.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads