19640f20d067c8ca1ba3e08d34ea493c05b99016c6608dbcbfdf848ca4d60452

General

Target

PO0424024.exe
Size

814KB
MD5

192be7ac2833574aafeeea8e0cd52380
SHA1

264298e6ebda222d48c0185c1ad168c51c0dc133
SHA256

19640f20d067c8ca1ba3e08d34ea493c05b99016c6608dbcbfdf848ca4d60452
SHA512

3301b3f0e8f8f71de13cdf22dee89cfa1a74f6df0e1831018a2bf2725977edbccdb8b4baddb0ec8288a7faafb979a8040ce5bdb9ffababb40a039d2b657edd9f
SSDEEP

24576:1R1WMVUu9FCfSwNZAXJ7oaOJdF+mJ312Zj:H4MVUuviFNZ0E1Jl2t

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2932	takeown.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 3036	2192	PO0424024.exe	28
PID 3036 set thread context of 1232	3036	PO0424024.exe	21
PID 3036 set thread context of 2932	3036	PO0424024.exe	31
PID 2932 set thread context of 1232	2932	takeown.exe	21

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3036	PO0424024.exe
3036	PO0424024.exe
3036	PO0424024.exe
3036	PO0424024.exe
3036	PO0424024.exe
3036	PO0424024.exe
3036	PO0424024.exe
3036	PO0424024.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe
2932	takeown.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3036	PO0424024.exe
1232	Explorer.EXE
1232	Explorer.EXE
2932	takeown.exe
2932	takeown.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 3036	2192	PO0424024.exe	28
PID 2192 wrote to memory of 3036	2192	PO0424024.exe	28
PID 2192 wrote to memory of 3036	2192	PO0424024.exe	28
PID 2192 wrote to memory of 3036	2192	PO0424024.exe	28
PID 2192 wrote to memory of 3036	2192	PO0424024.exe	28
PID 2192 wrote to memory of 3036	2192	PO0424024.exe	28
PID 2192 wrote to memory of 3036	2192	PO0424024.exe	28
PID 1232 wrote to memory of 2932	1232	Explorer.EXE	31
PID 1232 wrote to memory of 2932	1232	Explorer.EXE	31
PID 1232 wrote to memory of 2932	1232	Explorer.EXE	31
PID 1232 wrote to memory of 2932	1232	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\PO0424024.exe
  "C:\Users\Admin\AppData\Local\Temp\PO0424024.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\PO0424024.exe
    "C:\Users\Admin\AppData\Local\Temp\PO0424024.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3036
- C:\Windows\SysWOW64\takeown.exe
  "C:\Windows\SysWOW64\takeown.exe"
  2⤵
  - Modifies file permissions
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-16-0x0000000003B00000-0x0000000003C00000-memory.dmp

Filesize
1024KB

Download
memory/1232-18-0x0000000008CE0000-0x000000000A2CA000-memory.dmp

Filesize
21.9MB

Download
memory/1232-26-0x0000000008CE0000-0x000000000A2CA000-memory.dmp

Filesize
21.9MB

Download
memory/2192-11-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2192-0-0x00000000001F0000-0x00000000002BE000-memory.dmp

Filesize
824KB

Download
memory/2192-2-0x0000000000910000-0x0000000000950000-memory.dmp

Filesize
256KB

Download
memory/2192-3-0x0000000000950000-0x0000000000970000-memory.dmp

Filesize
128KB

Download
memory/2192-4-0x0000000000720000-0x0000000000734000-memory.dmp

Filesize
80KB

Download
memory/2192-5-0x00000000004D0000-0x000000000055A000-memory.dmp

Filesize
552KB

Download
memory/2192-1-0x0000000074790000-0x0000000074E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-27-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2932-25-0x0000000000600000-0x00000000006A1000-memory.dmp

Filesize
644KB

Download
memory/2932-23-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2932-24-0x00000000022D0000-0x00000000025D3000-memory.dmp

Filesize
3.0MB

Download
memory/2932-20-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/2932-28-0x0000000000600000-0x00000000006A1000-memory.dmp

Filesize
644KB

Download
memory/2932-19-0x0000000000080000-0x00000000000BF000-memory.dmp

Filesize
252KB

Download
memory/3036-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-17-0x00000000002C0000-0x00000000002E2000-memory.dmp

Filesize
136KB

Download
memory/3036-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-22-0x00000000002C0000-0x00000000002E2000-memory.dmp

Filesize
136KB

Download
memory/3036-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-12-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/3036-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3036-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3036-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing