Analysis
-
max time kernel
82s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2022 23:53
Static task
static1
Behavioral task
behavioral1
Sample
d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe
Resource
win7-20220812-en
General
-
Target
d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe
-
Size
1.4MB
-
MD5
34dbc284ee742adf9ab6d0e749d55ab0
-
SHA1
91c50cef6a4d3bf1ed3ffbe70041a730932601d4
-
SHA256
d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999
-
SHA512
a4a02a6e46adcee086d988d9034f68df1704b90b349ea973ea35ba68ee44e27302c3811349c7dd357fa32fe80c228399c6c619d032eee5813287b576662dce01
-
SSDEEP
24576:ONmF/mnBoDM5f7F2JQRKZk+61i5cCPWZj+VhL8OamPRKplJfVXT24WTEvzHJDsZ:OYVZo5TcJQqk+61i5cYWZjSTDPYtfVji
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ms.exepid process 1092 ms.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 5108 takeown.exe 4092 icacls.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 5108 takeown.exe 4092 icacls.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 2 IoCs
Processes:
d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exedescription ioc process File opened for modification C:\WINDOWS\Bef.tmp d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe File opened for modification C:\Windows\yre.tmp d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exepid process 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
takeown.exedescription pid process Token: SeTakeOwnershipPrivilege 5108 takeown.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
ms.exepid process 1092 ms.exe 1092 ms.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exems.exedescription pid process target process PID 3012 wrote to memory of 1092 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe ms.exe PID 3012 wrote to memory of 1092 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe ms.exe PID 3012 wrote to memory of 1092 3012 d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe ms.exe PID 1092 wrote to memory of 5108 1092 ms.exe takeown.exe PID 1092 wrote to memory of 5108 1092 ms.exe takeown.exe PID 1092 wrote to memory of 4092 1092 ms.exe icacls.exe PID 1092 wrote to memory of 4092 1092 ms.exe icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe"C:\Users\Admin\AppData\Local\Temp\d041dabeca1eb963541240cdbd8619068ed36a42e16d649c866e375dc4c99999.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ms.exeC:\Users\Admin\AppData\Local\Temp\ms.exe k2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\takeown.exetakeown /f "C:\WINDOWS\system32\Sens.dll"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\icacls.exeicacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ms.exeFilesize
424KB
MD5a6c6dc74d7f061d01ef9b2cc4451a760
SHA146158a4b95126d95e0187ce066126c9482b44568
SHA256c63e23d1efe9bbb79cb80def879c087fafe4ee4dfb4e8918cb0bc9ac72db0915
SHA512800236114c6f9a5a25b425a2ba1f118250b6ecc7d935fa980b2e9408c0d8d1991c2be5fc698ca951375c0fb0d79edd878c323bd230bb7084c2fe7f1362deb3bd
-
C:\Users\Admin\AppData\Local\Temp\ms.exeFilesize
424KB
MD5a6c6dc74d7f061d01ef9b2cc4451a760
SHA146158a4b95126d95e0187ce066126c9482b44568
SHA256c63e23d1efe9bbb79cb80def879c087fafe4ee4dfb4e8918cb0bc9ac72db0915
SHA512800236114c6f9a5a25b425a2ba1f118250b6ecc7d935fa980b2e9408c0d8d1991c2be5fc698ca951375c0fb0d79edd878c323bd230bb7084c2fe7f1362deb3bd
-
memory/1092-132-0x0000000000000000-mapping.dmp
-
memory/4092-136-0x0000000000000000-mapping.dmp
-
memory/5108-135-0x0000000000000000-mapping.dmp