4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b

General

Target

4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
Size

1.4MB
MD5

41567638ed986e800ede778a0d121b30
SHA1

9cc68d2a46eace0644ccb9b42ed1ba22ed7f4a77
SHA256

4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b
SHA512

90c94a7ff68482833dbe3e6707f76c4ae0aafd2f97ef8736f3a2f1240672dcfebe0de7ed542d2cc08a9fbaf30a693d350802f5b34960979b889f48ecd7e8eea0
SSDEEP

24576:rNmF/mnBoDM5f7F2hQHhToIzdF9s8kwWcMXixJH9GSG+VLUx3GHE07p:rYVZo5TchQBvj9tWXaJHkMLhkSp

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1960	ms.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
696	takeown.exe
396	icacls.exe

Loads dropped DLL 1 IoCs

pid	Process
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
696	takeown.exe
396	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Bef.tmp	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
File opened for modification	C:\Windows\yre.tmp	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	696	takeown.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1960	ms.exe
1960	ms.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1960	1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe	30
PID 1956 wrote to memory of 1960	1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe	30
PID 1956 wrote to memory of 1960	1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe	30
PID 1956 wrote to memory of 1960	1956	4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe	30
PID 1960 wrote to memory of 696	1960	ms.exe	31
PID 1960 wrote to memory of 696	1960	ms.exe	31
PID 1960 wrote to memory of 696	1960	ms.exe	31
PID 1960 wrote to memory of 696	1960	ms.exe	31
PID 1960 wrote to memory of 396	1960	ms.exe	33
PID 1960 wrote to memory of 396	1960	ms.exe	33
PID 1960 wrote to memory of 396	1960	ms.exe	33
PID 1960 wrote to memory of 396	1960	ms.exe	33

C:\Users\Admin\AppData\Local\Temp\4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe
"C:\Users\Admin\AppData\Local\Temp\4500f8d91c1e1e888064d93818db065eb5189c0d9bb8640acd5a0639059d4d9b.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  C:\Users\Admin\AppData\Local\Temp\ms.exe k
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\WINDOWS\system32\Sens.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- - C:\Windows\system32\icacls.exe
    icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ms.exe

Filesize
424KB

MD5
224ee144eb388979711b9c37411418c4

SHA1
4537031b414f1ce14182076996d72aaf710710be

SHA256
d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253

SHA512
cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms.exe

Filesize
424KB

MD5
224ee144eb388979711b9c37411418c4

SHA1
4537031b414f1ce14182076996d72aaf710710be

SHA256
d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253

SHA512
cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d

Download Submit
\Users\Admin\AppData\Local\Temp\ms.exe

Filesize
424KB

MD5
224ee144eb388979711b9c37411418c4

SHA1
4537031b414f1ce14182076996d72aaf710710be

SHA256
d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253

SHA512
cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d

Download Submit
memory/1956-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing