Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
01-03-2024 00:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
afd2aca2c6d426ad714dca52527dcb09.exe
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
afd2aca2c6d426ad714dca52527dcb09.exe
-
Size
554KB
-
MD5
afd2aca2c6d426ad714dca52527dcb09
-
SHA1
72f224a10a99e902d48373d9fb7f4d0b5769d284
-
SHA256
c97e6797f54fb75a3c1990a03f0109fa63b8ad1c1787b99dba67d52700d962d9
-
SHA512
f49ee12bc1b54124f9cb29d51c5b5b442b1acf534f83e98773d242123764288524814a972a6e6cec5252a3247a9ec94dc168bf981c8819fd01690f9215fdf52f
-
SSDEEP
12288:6iC8pj4OFb7oj9yzCMoHrq4otmCihgawMdXrmRi/0iC8pj4z:6i1EOV7e9Xxm4S1ihPxrKi1Ez
Malware Config
Signatures
-
Possible privilege escalation attempt 2 IoCs
Processes:
PID   Process
2768  takeown.exe
2540  icacls.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
PID   Process
2540  icacls.exe
2768  takeown.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Description                        PID   Process
Token: SeTakeOwnershipPrivilege    2768  takeown.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Description                        PID   Process                                Target process
PID 2472 wrote to memory of 2932   2472  afd2aca2c6d426ad714dca52527dcb09.exe   cmd.exe
PID 2472 wrote to memory of 2932   2472  afd2aca2c6d426ad714dca52527dcb09.exe   cmd.exe
PID 2472 wrote to memory of 2932   2472  afd2aca2c6d426ad714dca52527dcb09.exe   cmd.exe
PID 2472 wrote to memory of 2932   2472  afd2aca2c6d426ad714dca52527dcb09.exe   cmd.exe
PID 2932 wrote to memory of 2768   2932  cmd.exe                                takeown.exe
PID 2932 wrote to memory of 2768   2932  cmd.exe                                takeown.exe
PID 2932 wrote to memory of 2768   2932  cmd.exe                                takeown.exe
PID 2932 wrote to memory of 2768   2932  cmd.exe                                takeown.exe
PID 2932 wrote to memory of 2540   2932  cmd.exe                                icacls.exe
PID 2932 wrote to memory of 2540   2932  cmd.exe                                icacls.exe
PID 2932 wrote to memory of 2540   2932  cmd.exe                                icacls.exe
PID 2932 wrote to memory of 2540   2932  cmd.exe                                icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\afd2aca2c6d426ad714dca52527dcb09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\afd2aca2c6d426ad714dca52527dcb09.exe"
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 2472
  -
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
    Depth: 2
    - Suspicious use of WriteProcessMemory
    PID: 2932
    -
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32
      Depth: 3
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
      PID: 2768
    -
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32 /grant "Admin:F"
      Depth: 3
      - Possible privilege escalation attempt
      - Modifies file permissions
      PID: 2540
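The process tree above is the whole story of this sample: a dropped executable in the user's Temp directory spawns cmd.exe, which runs takeown /f against C:\Windows\System32 and then icacls ... /grant "%username%:F" (cmd.exe has already expanded %username% to Admin by the time icacls.exe starts, as the depth-3 command line shows). The following detection logic is an added example written for this page, not part of the sandbox report or of the sample. It runs over constructed Sysmon-style process-creation events that mirror the PIDs, images and command lines in the tree (plus two constructed benign events), flags takeown/icacls invocations that target a protected system directory or grant Full control on one, and walks the parent chain back to the launching binary so the analyst sees that the chain was rooted in a user-writable directory. Function names (classify, find_tamper_chains, icacls_grants_full) and the PROTECTED_DIRS list are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Directories whose ownership or ACL changes are almost never legitimate user activity.
# Assumption of this example: extend for your own environment (e.g. Program Files).
PROTECTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "%systemroot%\\system32",
    "%windir%\\system32",
)
# Launch locations that make the root of an admin-tool chain suspicious.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the process tree in the report; PIDs 3100/3101 are
# constructed benign admin activity on a user directory and must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(2472, 1000, "C:\\Users\\Admin\\AppData\\Local\\Temp\\afd2aca2c6d426ad714dca52527dcb09.exe",
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\afd2aca2c6d426ad714dca52527dcb09.exe"'),
    ProcEvent(2932, 2472, "C:\\Windows\\SysWOW64\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /k takeown /f C:\\Windows\\System32 && '
              'icacls C:\\Windows\\System32 /grant "%username%:F"'),
    ProcEvent(2768, 2932, "C:\\Windows\\SysWOW64\\takeown.exe", "takeown /f C:\\Windows\\System32"),
    ProcEvent(2540, 2932, "C:\\Windows\\SysWOW64\\icacls.exe", 'icacls C:\\Windows\\System32 /grant "Admin:F"'),
    ProcEvent(3100, 3000, "C:\\Windows\\System32\\icacls.exe", 'icacls C:\\Users\\Admin\\Documents /grant "Admin:F"'),
    ProcEvent(3101, 3000, "C:\\Windows\\System32\\takeown.exe", "takeown /f C:\\Users\\Admin\\Documents\\old.txt"),
]


def norm(s: str) -> str:
    """Lower-case and strip double quotes so path and principal matching is tolerant of quoting."""
    return s.lower().replace('"', "")


def targets_protected_dir(cmdline: str) -> bool:
    """True if the command line references any directory in PROTECTED_DIRS."""
    c = norm(cmdline)
    return any(d in c for d in PROTECTED_DIRS)


# icacls grant syntax: /grant[:r] Sid:perm  or  Sid:(OI)(CI)perm  (simple-rights letters or parenthesised rights)
_GRANT_RE = re.compile(r"/grant(?::r)?\s+([^\s:]+):\(?([a-z,()]+)", re.IGNORECASE)


def icacls_grants_full(cmdline: str) -> Optional[str]:
    """Return the principal granted Full control (F) by an icacls /grant, or None."""
    for principal, perms in _GRANT_RE.findall(norm(cmdline)):
        rights = [r for r in re.split(r"[(),]+", perms) if r]
        if "f" in rights:
            return principal
    return None


def classify(ev: ProcEvent) -> Optional[str]:
    """Tag a single event if it is a permission-tampering indicator on a protected directory."""
    image = norm(ev.image).rsplit("\\", 1)[-1]
    if image == "takeown.exe" and targets_protected_dir(ev.cmdline):
        return "takeown on protected directory"
    if image == "icacls.exe" and targets_protected_dir(ev.cmdline):
        who = icacls_grants_full(ev.cmdline)
        if who is not None:
            return f"icacls grants Full control on protected directory to {who}"
    return None


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Walk parent PIDs back to the earliest process we have an event for (loop-safe)."""
    chain, cur, seen = [], ev, set()
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_tamper_chains(events) -> list:
    """Return one finding per flagged event, with its process ancestry and launch-location verdict."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        chain = ancestry(ev, by_pid)
        root = chain[-1]
        hits.append({
            "pid": ev.pid,
            "reason": reason,
            "chain": [norm(c.image).rsplit("\\", 1)[-1] for c in chain],
            "root_from_user_writable_dir": any(h in norm(root.image) for h in USER_WRITABLE_HINTS),
        })
    return hits


if __name__ == "__main__":
    for hit in find_tamper_chains(SAMPLE_EVENTS):
        print(hit["pid"], hit["reason"], " <- ".join(hit["chain"]), hit["root_from_user_writable_dir"])
```

Two caveats when turning this into a production rule. First, takeown on a system directory only succeeds with SeTakeOwnershipPrivilege, which is why the report pairs the takeown.exe event with the AdjustPrivilegeToken signature: the sample already ran elevated as Admin, so the icacls grant is ACL tampering for persistence or defence evasion rather than an escalation from a standard user. Second, the resource tags mark the sample as x86 and every child image lives in C:\Windows\SysWOW64, so these are the 32-bit copies of cmd.exe, takeown.exe and icacls.exe; under WOW64 file-system redirection a 32-bit process that opens C:\Windows\System32 is normally redirected to C:\Windows\SysWOW64 unless it disables redirection, so the directory whose owner and ACL actually changed may be SysWOW64. Match on both spellings (as PROTECTED_DIRS does) and confirm with a Get-Acl on both directories when triaging the host.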