e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67

General

Target

e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
Size

1.4MB
MD5

4b9ae3ddf312aecbd5565378c9834c50
SHA1

99efa90050a1a0eae5de992c89a5a2c8ad067d0b
SHA256

e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67
SHA512

36282a300299cecd11a89b112722c808fb8ce5e381456d9a45b1992b3d072c67e50c6b64802e625de3e2e3041d82e36696475eda799453603723aafe4ba8e510
SSDEEP

24576:aNmF/mnBoDM5f7F23rKZk+61i5cCPWZj+VhL8OamPRKplJfVXT24WTEvzHJDsP:aYVZo5Tc30k+61i5cYWZjSTDPYtfVjNG

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ms.exe

pid process

1684 ms.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1376 takeown.exe
1764 icacls.exe
Loads dropped DLL 1 IoCs

Processes:

e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe

pid process

1636 e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1376 takeown.exe
1764 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1684	ms.exe

pid	process
1376	takeown.exe
1764	icacls.exe

pid	process
1376	takeown.exe
1764	icacls.exe

Drops file in Windows directory 2 IoCs

Processes:

e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Bef.tmp	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
File opened for modification	C:\Windows\yre.tmp	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe

pid	process
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 1376 takeown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ms.exe

pid process

1684 ms.exe
1684 ms.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1376	takeown.exe

pid	process
1684	ms.exe
1684	ms.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exems.exe

description	pid	process	target process
PID 1636 wrote to memory of 1684	1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe	ms.exe
PID 1636 wrote to memory of 1684	1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe	ms.exe
PID 1636 wrote to memory of 1684	1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe	ms.exe
PID 1636 wrote to memory of 1684	1636	e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe	ms.exe
PID 1684 wrote to memory of 1376	1684	ms.exe	takeown.exe
PID 1684 wrote to memory of 1376	1684	ms.exe	takeown.exe
PID 1684 wrote to memory of 1376	1684	ms.exe	takeown.exe
PID 1684 wrote to memory of 1376	1684	ms.exe	takeown.exe
PID 1684 wrote to memory of 1764	1684	ms.exe	icacls.exe
PID 1684 wrote to memory of 1764	1684	ms.exe	icacls.exe
PID 1684 wrote to memory of 1764	1684	ms.exe	icacls.exe
PID 1684 wrote to memory of 1764	1684	ms.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe
"C:\Users\Admin\AppData\Local\Temp\e23a84573f263fa777d4960bb80c11fe48408edf640b0b1c0da886fc08e7fc67.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\ms.exe
C:\Users\Admin\AppData\Local\Temp\ms.exe k
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\takeown.exe
takeown /f "C:\WINDOWS\system32\Sens.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\icacls.exe
icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a6c6dc74d7f061d01ef9b2cc4451a760

SHA1
46158a4b95126d95e0187ce066126c9482b44568

SHA256
c63e23d1efe9bbb79cb80def879c087fafe4ee4dfb4e8918cb0bc9ac72db0915

SHA512
800236114c6f9a5a25b425a2ba1f118250b6ecc7d935fa980b2e9408c0d8d1991c2be5fc698ca951375c0fb0d79edd878c323bd230bb7084c2fe7f1362deb3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a6c6dc74d7f061d01ef9b2cc4451a760

SHA1
46158a4b95126d95e0187ce066126c9482b44568

SHA256
c63e23d1efe9bbb79cb80def879c087fafe4ee4dfb4e8918cb0bc9ac72db0915

SHA512
800236114c6f9a5a25b425a2ba1f118250b6ecc7d935fa980b2e9408c0d8d1991c2be5fc698ca951375c0fb0d79edd878c323bd230bb7084c2fe7f1362deb3bd

Download Submit
\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a6c6dc74d7f061d01ef9b2cc4451a760

SHA1
46158a4b95126d95e0187ce066126c9482b44568

SHA256
c63e23d1efe9bbb79cb80def879c087fafe4ee4dfb4e8918cb0bc9ac72db0915

SHA512
800236114c6f9a5a25b425a2ba1f118250b6ecc7d935fa980b2e9408c0d8d1991c2be5fc698ca951375c0fb0d79edd878c323bd230bb7084c2fe7f1362deb3bd

Download Submit
memory/1376-60-0x0000000000000000-mapping.dmp

Download
memory/1636-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1684-56-0x0000000000000000-mapping.dmp

Download
memory/1764-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads