0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
Size

223KB
MD5

c3884fdb01c5772eabc515a30513e556
SHA1

213ad80a218ba9d98948710ff0b119dcbca70d0f
SHA256

0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224
SHA512

a4b9b4b8b4757e7aa45ab978a0daeaef6ae4f3fc98a242edda6a67312d564f268f8cba5506e3270ac5c3f6145243d44989f31c90a0358a006a3f96ca04481733
SSDEEP

3072:qZ7wXfSRZ0ON/EwW66wN94xu4CkAZJM2k5D66L+NfGbVON2Nqi/6gS5UoWXHz72n:mwPSUONLNsuWA7koN+boRi9S6oiz72D

Score

10^/10

discovery upx vmprotect

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 672 created 624	672	Explorer.EXE	4

Drops file in Drivers directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\0dCkr2vHpnTGc.cdq	takeown.exe
File created	C:\Windows\System32\drivers\omzCeM.sys	takeown.exe
File opened for modification	C:\Windows\system32\drivers\xBEX3JlaRte2t.sys	takeown.exe
File opened for modification	C:\Windows\system32\drivers\Y9bChlspnw.sys	takeown.exe
File opened for modification	C:\Windows\system32\drivers\HO4ygfWhMos.pky	takeown.exe
File opened for modification	C:\Windows\system32\drivers\B0HSQXhlYDoD3.sys	takeown.exe
File opened for modification	C:\Windows\system32\drivers\33EPASI9GDXO.juk	takeown.exe
File opened for modification	C:\Windows\system32\drivers\8ntdUb1a4TU.sys	takeown.exe
File opened for modification	C:\Windows\system32\drivers\6feWSaQAiycv.sam	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe

Executes dropped EXE 1 IoCs

pid	Process
4768	takeown.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4768	takeown.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2500-0-0x00000000001F0000-0x000000000025E000-memory.dmp	upx
behavioral2/memory/2500-24-0x00000000001F0000-0x000000000025E000-memory.dmp	upx
behavioral2/memory/2500-47-0x00000000001F0000-0x000000000025E000-memory.dmp	upx
behavioral2/memory/2500-52-0x00000000001F0000-0x000000000025E000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000b000000022e16-96.dat	vmprotect
behavioral2/files/0x0019000000022e16-155.dat	vmprotect
behavioral2/files/0x0027000000022e16-211.dat	vmprotect
behavioral2/files/0x0035000000022e16-267.dat	vmprotect

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	takeown.exe
File opened for modification	C:\Windows\system32\3ImAGvk7OvZa.sys	takeown.exe
File opened for modification	C:\Windows\system32\Duafi9plwin.kfc	takeown.exe
File opened for modification	C:\Windows\system32\ag3geEOCeZ.sys	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046	takeown.exe
File created	C:\Windows\system32\ \Windows\System32\Bb6C4hkYE.sys	takeown.exe
File opened for modification	C:\Windows\system32\bnDUxYxjolaidU.sys	takeown.exe
File opened for modification	C:\Windows\system32\Jb6XzPYrzJkn.xsy	takeown.exe
File opened for modification	C:\Windows\system32\Tc1FMre9KxZrW.sys	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	takeown.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	takeown.exe
File opened for modification	C:\Windows\system32\mbZvq0JxD2L5p.jci	takeown.exe
File opened for modification	C:\Windows\system32\qxhaLam01O.ogl	takeown.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\89hZ0W0Hmb8gd3.sys	takeown.exe
File opened for modification	C:\Program Files\mr4LBqGLW3KCk.bqg	takeown.exe
File opened for modification	C:\Program Files (x86)\sAa8SvvVyLeO.sys	takeown.exe
File opened for modification	C:\Program Files\Reference Assemblies\47b7f22c.html	Explorer.EXE
File opened for modification	C:\Program Files\Reference Assemblies\560fef68.js	Explorer.EXE
File opened for modification	C:\Program Files\Windows Sidebar\47b7e55c.html	takeown.exe
File opened for modification	C:\Program Files\Windows Sidebar\560fe008.js	takeown.exe
File opened for modification	C:\Program Files\Za0BqAJU34xmD.cma	takeown.exe
File opened for modification	C:\Program Files\nMkF3ede2mTkJu.sys	takeown.exe
File opened for modification	C:\Program Files\Windows Sidebar\manifest.json	takeown.exe
File opened for modification	C:\Program Files\Windows Sidebar\395feab0.js	takeown.exe
File opened for modification	C:\Program Files\Reference Assemblies\395ff4f0.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\tkEutHjtcNMzcg.sys	takeown.exe
File opened for modification	C:\Program Files (x86)\zEP2dBCdjks.azz	takeown.exe
File opened for modification	C:\Program Files\23KciFVzSkxDwt.sys	takeown.exe
File opened for modification	C:\Program Files\OpmVdaQEvflrd.sys	takeown.exe
File opened for modification	C:\Program Files\Windows Sidebar\lib\6467dab4.js	takeown.exe
File opened for modification	C:\Program Files\Reference Assemblies\lib\6467eca4.js	Explorer.EXE
File opened for modification	C:\Program Files (x86)\sHy187wI7etUG8.ykv	takeown.exe
File opened for modification	C:\Program Files\KQCNe5Fpfb3.gys	takeown.exe
File opened for modification	C:\Program Files (x86)\kmeWmuSyP3g.sys	takeown.exe
File opened for modification	C:\Program Files\EQuRFSHwi5u.uhl	takeown.exe
File opened for modification	C:\Program Files\Reference Assemblies\manifest.json	Explorer.EXE
File opened for modification	C:\Program Files (x86)\UlhL9DCY5XZA.bdt	takeown.exe
File opened for modification	C:\Program Files (x86)\3Qfxone521.sys	takeown.exe
File opened for modification	C:\Program Files (x86)\q4jI8G5VqEjyd.jfp	takeown.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\5mnSLo0DLb4oiQ.uyc	takeown.exe
File opened for modification	C:\Windows\ErmHHSAjeE.sys	takeown.exe
File opened for modification	C:\Windows\rnKP30c8MNrp.oku	takeown.exe
File opened for modification	C:\Windows\XKp9iL3g5M.sys	takeown.exe
File opened for modification	C:\Windows\AIkiCy8Ndpht.fpn	takeown.exe
File opened for modification	C:\Windows\takeown.exe	Explorer.EXE
File created	C:\Windows\y6YoeKC.sys	takeown.exe
File opened for modification	C:\Windows\DAZCAUthsK6P.sys	takeown.exe
File opened for modification	C:\Windows\nN8g6eIPbrv7b.fre	takeown.exe
File created	C:\Windows\takeown.exe	Explorer.EXE
File opened for modification	C:\Windows\PvK3YFpzih9ftV.sys	takeown.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	takeown.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	takeown.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4064	timeout.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	takeown.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	takeown.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wowreg32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	takeown.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	takeown.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	takeown.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	takeown.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	takeown.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	takeown.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wowreg32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wowreg32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	takeown.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
4768	takeown.exe
4768	takeown.exe
916	wowreg32.exe
916	wowreg32.exe
4768	takeown.exe
4768	takeown.exe
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE
672	Explorer.EXE
4768	takeown.exe
672	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
672	Explorer.EXE

Suspicious behavior: LoadsDriver 59 IoCs

pid	Process
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
Token: SeTcbPrivilege	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
Token: SeDebugPrivilege	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
Token: SeDebugPrivilege	672	Explorer.EXE
Token: SeDebugPrivilege	672	Explorer.EXE
Token: SeDebugPrivilege	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
Token: SeDebugPrivilege	4768	takeown.exe
Token: SeDebugPrivilege	4768	takeown.exe
Token: SeDebugPrivilege	4768	takeown.exe
Token: SeIncBasePriorityPrivilege	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
Token: SeShutdownPrivilege	672	Explorer.EXE
Token: SeCreatePagefilePrivilege	672	Explorer.EXE
Token: SeDebugPrivilege	4768	takeown.exe
Token: SeDebugPrivilege	4768	takeown.exe
Token: SeDebugPrivilege	4768	takeown.exe
Token: SeBackupPrivilege	4768	takeown.exe
Token: SeDebugPrivilege	4768	takeown.exe
Token: SeDebugPrivilege	4768	takeown.exe
Token: SeDebugPrivilege	672	Explorer.EXE
Token: SeBackupPrivilege	672	Explorer.EXE
Token: SeDebugPrivilege	60	dwm.exe
Token: SeBackupPrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe
Token: SeShutdownPrivilege	60	dwm.exe
Token: SeCreatePagefilePrivilege	60	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
672	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
672	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 672	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	52
PID 2500 wrote to memory of 672	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	52
PID 2500 wrote to memory of 672	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	52
PID 2500 wrote to memory of 672	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	52
PID 2500 wrote to memory of 672	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	52
PID 672 wrote to memory of 4768	672	Explorer.EXE	87
PID 672 wrote to memory of 4768	672	Explorer.EXE	87
PID 672 wrote to memory of 4768	672	Explorer.EXE	87
PID 672 wrote to memory of 4768	672	Explorer.EXE	87
PID 672 wrote to memory of 4768	672	Explorer.EXE	87
PID 672 wrote to memory of 4768	672	Explorer.EXE	87
PID 672 wrote to memory of 4768	672	Explorer.EXE	87
PID 2500 wrote to memory of 624	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	4
PID 2500 wrote to memory of 624	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	4
PID 2500 wrote to memory of 624	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	4
PID 2500 wrote to memory of 624	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	4
PID 2500 wrote to memory of 624	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	4
PID 2500 wrote to memory of 3316	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	93
PID 2500 wrote to memory of 3316	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	93
PID 2500 wrote to memory of 3316	2500	0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe	93
PID 3316 wrote to memory of 4064	3316	cmd.exe	95
PID 3316 wrote to memory of 4064	3316	cmd.exe	95
PID 3316 wrote to memory of 4064	3316	cmd.exe	95
PID 4768 wrote to memory of 916	4768	takeown.exe	99
PID 4768 wrote to memory of 916	4768	takeown.exe	99
PID 4768 wrote to memory of 916	4768	takeown.exe	99
PID 4768 wrote to memory of 916	4768	takeown.exe	99
PID 4768 wrote to memory of 916	4768	takeown.exe	99
PID 4768 wrote to memory of 916	4768	takeown.exe	99
PID 4768 wrote to memory of 916	4768	takeown.exe	99
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52
PID 4768 wrote to memory of 672	4768	takeown.exe	52

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- C:\Windows\takeown.exe
  "C:\Windows\takeown.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies file permissions
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\wowreg32.exe
    "C:\Windows\system32\wowreg32.exe"
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:916

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:672
- C:\Users\Admin\AppData\Local\Temp\0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe
  "C:\Users\Admin\AppData\Local\Temp\0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\0b4d3cfa152d31b3e7676884d442516c9cbc87a07657f652bececa390431c224.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DAZCAUthsK6P.sys

Filesize
415KB

MD5
184b10ef18ba0690bc7b66fe6819c582

SHA1
968a17837766a4058d88bb696b537411e43e34c6

SHA256
0477104e632c66a2445222534aa790fdcfe2ec7aac77010fb70e1b1c19802a51

SHA512
7ab9a1304e3d9aca29ec5b7c65c087351d60fafdb0c9a169112e48fd063bc58dd306975fdf38155284359f4d19c63fbce3c7ee71e4f6dcc6591b4fe0989fc957

Download Submit
C:\Windows\ErmHHSAjeE.sys

Filesize
447KB

MD5
993b2064083f038bc8bbcdf87f73102d

SHA1
622cbca0a9dc7b09b0a6ec1ff0c39d1105b8f9fe

SHA256
d7c75e3ec72cda7c1f586c91785a065b61721b6e0407ef7753b02eca40d19da2

SHA512
507dbb0c7884333b59ce97fbdfe0c472499939e266ef4fa4f22858fab383e1c79afb48447a7a92a2620ba4b01e2252e0bbcfcd669c7dcdeffa3d23cc72853cb2

Download Submit
C:\Windows\PvK3YFpzih9ftV.sys

Filesize
447KB

MD5
d15f5f23df8036bd5089ce8d151b0e0d

SHA1
4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2

SHA256
f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520

SHA512
feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

Download Submit
C:\Windows\XKp9iL3g5M.sys

Filesize
415KB

MD5
64bc1983743c584a9ad09dacf12792e5

SHA1
0f14098f523d21f11129c4df09451413ddff6d61

SHA256
057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5

SHA512
9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Download Submit
C:\Windows\takeown.exe

Filesize
65KB

MD5
d258a76aa885cbbcae8c720cd1c284a5

SHA1
85a080da6c5a908c4c5973bf429d63b975b85109

SHA256
57b3cfa9993e52866a2fb489edf079bf4f1c78fa7525bdf59affa8f9cb4023f8

SHA512
ffae4a77862dcfa7afc358bfa72183a3de1741215878fbc476c65fb6e4c456b3ceec957e4d7f7a0cf43b2852d5cfe4ae96cb3739c93d63f73f3b6c153cf22d1e

Download Submit
C:\Windows\takeown.exe

Filesize
65KB

MD5
d258a76aa885cbbcae8c720cd1c284a5

SHA1
85a080da6c5a908c4c5973bf429d63b975b85109

SHA256
57b3cfa9993e52866a2fb489edf079bf4f1c78fa7525bdf59affa8f9cb4023f8

SHA512
ffae4a77862dcfa7afc358bfa72183a3de1741215878fbc476c65fb6e4c456b3ceec957e4d7f7a0cf43b2852d5cfe4ae96cb3739c93d63f73f3b6c153cf22d1e

Download Submit
memory/60-329-0x00000127D60B0000-0x00000127D61D2000-memory.dmp

Filesize
1.1MB

Download
memory/60-330-0x00000127D61F0000-0x00000127D61F1000-memory.dmp

Filesize
4KB

Download
memory/60-341-0x00000127D60B0000-0x00000127D61D2000-memory.dmp

Filesize
1.1MB

Download
memory/60-332-0x00000127D6200000-0x00000127D6204000-memory.dmp

Filesize
16KB

Download
memory/624-16-0x000001F568540000-0x000001F568568000-memory.dmp

Filesize
160KB

Download
memory/624-17-0x000001F568680000-0x000001F568681000-memory.dmp

Filesize
4KB

Download
memory/624-66-0x000001F568680000-0x000001F568681000-memory.dmp

Filesize
4KB

Download
memory/672-54-0x0000000009260000-0x0000000009357000-memory.dmp

Filesize
988KB

Download
memory/672-335-0x0000000009660000-0x0000000009664000-memory.dmp

Filesize
16KB

Download
memory/672-1-0x0000000003180000-0x0000000003183000-memory.dmp

Filesize
12KB

Download
memory/672-100-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/672-134-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/672-2-0x0000000003180000-0x0000000003183000-memory.dmp

Filesize
12KB

Download
memory/672-328-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/672-331-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/672-76-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/672-342-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/672-337-0x0000000009530000-0x0000000009652000-memory.dmp

Filesize
1.1MB

Download
memory/672-344-0x0000000009530000-0x0000000009652000-memory.dmp

Filesize
1.1MB

Download
memory/672-338-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/672-321-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/672-320-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/672-310-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/672-325-0x0000000003110000-0x0000000003113000-memory.dmp

Filesize
12KB

Download
memory/672-6-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/672-4-0x0000000009260000-0x0000000009357000-memory.dmp

Filesize
988KB

Download
memory/916-73-0x00000179428A0000-0x0000017942A46000-memory.dmp

Filesize
1.6MB

Download
memory/2500-47-0x00000000001F0000-0x000000000025E000-memory.dmp

Filesize
440KB

Download
memory/2500-24-0x00000000001F0000-0x000000000025E000-memory.dmp

Filesize
440KB

Download
memory/2500-0-0x00000000001F0000-0x000000000025E000-memory.dmp

Filesize
440KB

Download
memory/2500-52-0x00000000001F0000-0x000000000025E000-memory.dmp

Filesize
440KB

Download
memory/4768-53-0x00000229C30E0000-0x00000229C30E1000-memory.dmp

Filesize
4KB

Download
memory/4768-78-0x00000229C3600000-0x00000229C3601000-memory.dmp

Filesize
4KB

Download
memory/4768-80-0x00000229C30E0000-0x00000229C30E1000-memory.dmp

Filesize
4KB

Download
memory/4768-84-0x00000229C30E0000-0x00000229C30E1000-memory.dmp

Filesize
4KB

Download
memory/4768-88-0x00000229C30E0000-0x00000229C30E1000-memory.dmp

Filesize
4KB

Download
memory/4768-77-0x00000229C4D70000-0x00000229C4E92000-memory.dmp

Filesize
1.1MB

Download
memory/4768-72-0x00000229C3100000-0x00000229C3101000-memory.dmp

Filesize
4KB

Download
memory/4768-71-0x00000229C30F0000-0x00000229C30F1000-memory.dmp

Filesize
4KB

Download
memory/4768-144-0x00000229C4D70000-0x00000229C4E92000-memory.dmp

Filesize
1.1MB

Download
memory/4768-70-0x00000229C4890000-0x00000229C4A5A000-memory.dmp

Filesize
1.8MB

Download
memory/4768-68-0x00000229C3600000-0x00000229C3601000-memory.dmp

Filesize
4KB

Download
memory/4768-67-0x00000229C3890000-0x00000229C38BE000-memory.dmp

Filesize
184KB

Download
memory/4768-311-0x00000229C3870000-0x00000229C3871000-memory.dmp

Filesize
4KB

Download
memory/4768-65-0x00000229C3810000-0x00000229C381F000-memory.dmp

Filesize
60KB

Download
memory/4768-64-0x00000229C3610000-0x00000229C36C7000-memory.dmp

Filesize
732KB

Download
memory/4768-63-0x00000229C2880000-0x00000229C2881000-memory.dmp

Filesize
4KB

Download
memory/4768-322-0x00000229C2ED0000-0x00000229C2ED1000-memory.dmp

Filesize
4KB

Download
memory/4768-62-0x00000229C30E0000-0x00000229C30E1000-memory.dmp

Filesize
4KB

Download
memory/4768-60-0x00000229C30E0000-0x00000229C30E1000-memory.dmp

Filesize
4KB

Download
memory/4768-61-0x00000229C30E0000-0x00000229C30E1000-memory.dmp

Filesize
4KB

Download
memory/4768-59-0x00000229C0FD0000-0x00000229C109B000-memory.dmp

Filesize
812KB

Download
memory/4768-58-0x00000229C30F0000-0x00000229C30F1000-memory.dmp

Filesize
4KB

Download
memory/4768-57-0x00000229C30F0000-0x00000229C30F1000-memory.dmp

Filesize
4KB

Download
memory/4768-55-0x00000229C30E0000-0x00000229C30E1000-memory.dmp

Filesize
4KB

Download
memory/4768-336-0x00000229C3870000-0x00000229C3871000-memory.dmp

Filesize
4KB

Download
memory/4768-56-0x00000229C3100000-0x00000229C3101000-memory.dmp

Filesize
4KB

Download
memory/4768-48-0x00000229C2ED0000-0x00000229C2ED2000-memory.dmp

Filesize
8KB

Download
memory/4768-46-0x00007FFECD0B0000-0x00007FFECD0C0000-memory.dmp

Filesize
64KB

Download
memory/4768-339-0x00000229C3870000-0x00000229C3871000-memory.dmp

Filesize
4KB

Download
memory/4768-340-0x00000229C3940000-0x00000229C3941000-memory.dmp

Filesize
4KB

Download
memory/4768-13-0x00007FFECD0B0000-0x00007FFECD0C0000-memory.dmp

Filesize
64KB

Download
memory/4768-12-0x00000229C0FD0000-0x00000229C109B000-memory.dmp

Filesize
812KB

Download
memory/4768-343-0x00000229C2ED0000-0x00000229C2ED1000-memory.dmp

Filesize
4KB

Download
memory/4768-11-0x00000229C0FD0000-0x00000229C109B000-memory.dmp

Filesize
812KB

Download