Analysis
- max time kernel: 91s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2022 16:23
Static task: static1
Behavioral task: behavioral1
- Sample: 57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a.exe
- Resource: win7-20220812-en
General
- Target: 57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a.exe
- Size: 1.4MB
- MD5: 2969c4f300f503224dbe0cb5ef4635a0
- SHA1: 05979b0ad0aa25708a252151df9348e05aff5e8d
- SHA256: 57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a
- SHA512: 27ed6d9618604a3226387e89763c91b8ee64f79b292e7601ef58fd0b66ecd1e87b5219bab7805233f4e32b6f94302e113de62bcf332b5ed197e22c0fe0bb07e0
- SSDEEP: 24576:pNmF/mnBoDM5f7F2PdcclPqVX7TwBTGQOD6N+FrFFZVHgIRlSlNI8TNmKDLmMbWP:pYVZo5TcPB1o1fAIXQFhZbbWP
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: ms.exe (PID 900)
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 836), icacls.exe (PID 1248)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 836), icacls.exe (PID 1248)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\WINDOWS\Bef.tmp by 57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a.exe
  File opened for modification: C:\Windows\yre.tmp by 57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a.exe (PID 2228); all 64 entries reference this single process
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  takeown.exe (PID 836): Token: SeTakeOwnershipPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: ms.exe (PID 900), 2 entries
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2228 (57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a.exe) wrote to memory of PID 900 (ms.exe), 3 entries
  PID 900 (ms.exe) wrote to memory of PID 836 (takeown.exe), 2 entries
  PID 900 (ms.exe) wrote to memory of PID 1248 (icacls.exe), 2 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57de8405551752af51d5a58398c9824df65bd528196cdbc53e7c6876176a2e0a.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ms.exe (child of the sample)
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\takeown.exe (child of ms.exe)
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\icacls.exe (child of ms.exe)
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 374KB
  MD5: e21f0e5ed816245b42287b62cfce0d8d
  SHA1: 9baa245bd46f2709cc3827f33765743cff573187
  SHA256: 234681f68fd33a669ce7e4ab3ea58aa5b870a246a41a4e3f302a3ef3c873916c
  SHA512: 4db02f1853dab977e7984fb18dd2ca7991d961eb7e9cb224ec29d3323faa2b2b357f242bac2766a5db812ffc96d91e7cd5dc3d7dc6308fd06d839e9c06c2e4a3
- memory/836-135-0x0000000000000000-mapping.dmp
- memory/900-132-0x0000000000000000-mapping.dmp
- memory/1248-136-0x0000000000000000-mapping.dmp