Analysis

max time kernel: 90s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2022 16:23

Static task: static1
Behavioral task: behavioral1
Sample: cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe
Resource: win7-20220901-en
General

Target: cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe
Size: 1.4MB
MD5: 00cf659d090128d7211df472c273be80
SHA1: df0aade9ea762ddf27a4178495e25e3f972e8e8e
SHA256: cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a
SHA512: c2d95d0cfa8c530b7db14a43befe701447d6197f3b6e09097e46f4ba6f66a3c49c4712496a4973e0b3e76969d62cf09049b714f0f4ddc300893b27dbfc8574ec
SSDEEP: 24576:zNmF/mnBoDM5f7F2JQRKZk+61i5cCPWZj+VhL8OamPRKplJfVXT24WTEvzHJDsY:zYVZo5TcJQqk+61i5cYWZjSTDPYtfVjv
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 5064  ms.exe

Possible privilege escalation attempt (2 IoCs)
  pid 4384  takeown.exe
  pid 3980  icacls.exe

Modifies file permissions (1 TTP, 2 IoCs)
  pid 4384  takeown.exe
  pid 3980  icacls.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (2 IoCs)
  File opened for modification  C:\WINDOWS\Bef.tmp  by cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe
  File opened for modification  C:\Windows\yre.tmp  by cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4944  cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe  (64 identical entries, all from this pid)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 4384  takeown.exe  Token: SeTakeOwnershipPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 5064  ms.exe  (2 entries)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4944 wrote to memory of 5064  cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe -> ms.exe  (3 entries)
  PID 5064 wrote to memory of 4384  ms.exe -> takeown.exe  (2 entries)
  PID 5064 wrote to memory of 3980  ms.exe -> icacls.exe  (2 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ms.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\takeown.exe
      command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\icacls.exe
      command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
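The two "Possible privilege escalation attempt" hits above fire on stock admin tools: takeown seizes ownership of a file under system32 and icacls then grants Full Control on it. On their own those tools are noisy, so a useful detection records what the report's process tree makes visible: that the chain starts from a binary running out of a user Temp directory, and that the same system file got both the takeown and the icacls step from the same parent. The script below is an added example, not part of the sandbox report or the sample; its process-creation records are constructed to mirror the tree above (4944 -> 5064 -> 4384 and 3980) plus one benign control, and the record shape (pid, ppid, image, cmdline), the default SYSTEM_ROOT of C:\Windows and the invented parent PIDs 1234, 7000 and 7001 are assumptions.

```python
"""Flag takeown/icacls permission changes on files under the Windows directory
in process-creation events and tie each hit back to the origin of its chain.

Added example; not part of the sandbox report or the sample. EVENTS mirror the
report's process tree plus one benign control; the record shape is an
assumption that matches Sysmon Event ID 1 or any EDR process-start feed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SYSTEM_ROOT = r"c:\windows"          # assumption: default install drive
USER_DIRS = r"c:\users"              # user-writable profile tree
ACL_TOOLS = {"takeown.exe", "icacls.exe"}

SAMPLE = "cfd379f4cd6f30427f085a20aa96aa404f7a9745dba47625126503f2aec9008a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events; PIDs, images and command lines are taken from the report.
# The sample's parent (1234) and the benign pair 7000/7001 are invented.
EVENTS = [
    ProcEvent(4944, 1234, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcEvent(5064, 4944, TEMP + r"\ms.exe", TEMP + r"\ms.exe k"),
    ProcEvent(4384, 5064, r"C:\Windows\SYSTEM32\takeown.exe",
              r'takeown /f "C:\WINDOWS\system32\Sens.dll"'),
    ProcEvent(3980, 5064, r"C:\Windows\SYSTEM32\icacls.exe",
              r'icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F'),
    ProcEvent(7001, 7000, r"C:\Windows\System32\icacls.exe",
              r'icacls "C:\Users\Admin\Documents\report.docx" /grant Admin:F'),
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def norm(path):
    """Case-fold and strip quotes so the mixed-case spellings in the report compare equal."""
    return path.strip('"').lower()


def basename(path):
    return norm(path).rsplit("\\", 1)[-1]


def under(path, root):
    """True if path is root itself or lies anywhere beneath it."""
    return path == root or path.startswith(root + "\\")


def acl_target(image, cmdline):
    """Return the file a takeown/icacls call operates on (normalised), else None."""
    tool = basename(image)
    if tool not in ACL_TOOLS:
        return None
    args = tokenize(cmdline)[1:]                      # drop argv[0]
    if tool == "takeown.exe":                         # takeown /f <file> [...]
        for i, a in enumerate(args):
            if a.lower() == "/f" and i + 1 < len(args):
                return norm(args[i + 1])
        return None
    for a in args:                                    # icacls <file> [/switches]
        if not a.startswith("/"):
            return norm(a)
    return None


def ancestry(events, pid):
    """Parent chain for pid, oldest known ancestor first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events):
    """Findings for takeown/icacls against files under SYSTEM_ROOT.

    A hit alone is only the report's 'possible' escalation. Each finding also
    records whether the chain originates from a binary in a user profile
    directory (not an admin console) and whether the same target got both
    takeown (seize ownership) and icacls (grant Full Control) from the same
    parent, which is the sequence in the report.
    """
    tools_by_target = {}                              # (target, ppid) -> tools used
    for e in events:
        t = acl_target(e.image, e.cmdline)
        if t:
            tools_by_target.setdefault((t, e.ppid), set()).add(basename(e.image))
    hits = []
    for e in events:
        t = acl_target(e.image, e.cmdline)
        if not t or not under(t, SYSTEM_ROOT):
            continue
        origin = ancestry(events, e.pid)[0]
        hits.append({
            "pid": e.pid,
            "tool": basename(e.image),
            "target": t,
            "origin_pid": origin.pid,
            "origin_in_user_dir": under(norm(origin.image), USER_DIRS),
            "takeown_and_icacls": tools_by_target[(t, e.ppid)] >= ACL_TOOLS,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Run against the constructed events it returns two findings (pids 4384 and 3980), both on c:\windows\system32\sens.dll, both originating from pid 4944 under C:\Users, and both marked as the takeown-plus-icacls pair; the benign icacls call on a file under the user's Documents folder is ignored. The report ends 90 seconds in, so what the sample does with Sens.dll once it has Full Control is not recorded here and the detection does not guess at it.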
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: a6c6dc74d7f061d01ef9b2cc4451a760
  SHA1: 46158a4b95126d95e0187ce066126c9482b44568
  SHA256: c63e23d1efe9bbb79cb80def879c087fafe4ee4dfb4e8918cb0bc9ac72db0915
  SHA512: 800236114c6f9a5a25b425a2ba1f118250b6ecc7d935fa980b2e9408c0d8d1991c2be5fc698ca951375c0fb0d79edd878c323bd230bb7084c2fe7f1362deb3bd

memory/3980-136-0x0000000000000000-mapping.dmp
memory/4384-135-0x0000000000000000-mapping.dmp
memory/5064-132-0x0000000000000000-mapping.dmp