279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c

General

Target

279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
Size

1.4MB
MD5

4ec64af48c4a2e24a263f457c7ae8a10
SHA1

e7d3f3edcb76fc9e7f91efc0d2f2fc6caabcfa10
SHA256

279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c
SHA512

2bdf046eb000eb98d90ea3ca66c80c21982551573c89805edf6997b45abf0907f0d135aeb3faa0e6f682de109ace88dfa312522f3d67cf3e55ae4c2504936bce
SSDEEP

24576:oNmF/mnBoDM5f7F2OdcclPqVX7TwBTGQOD6N+FrFv+YRqoAVaVvcnMwz3FHCckcQ:oYVZo5TcOB1o/+YRq3VflpHDkiSAS

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ms.exe

pid process

664 ms.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1808 takeown.exe
1704 icacls.exe
Loads dropped DLL 1 IoCs

Processes:

279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe

pid process

1164 279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1808 takeown.exe
1704 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
664	ms.exe

pid	process
1808	takeown.exe
1704	icacls.exe

pid	process
1808	takeown.exe
1704	icacls.exe

Drops file in Windows directory 2 IoCs

Processes:

279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Bef.tmp	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
File opened for modification	C:\Windows\yre.tmp	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe

pid	process
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 1808 takeown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ms.exe

pid process

664 ms.exe
664 ms.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1808	takeown.exe

pid	process
664	ms.exe
664	ms.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exems.exe

description	pid	process	target process
PID 1164 wrote to memory of 664	1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe	ms.exe
PID 1164 wrote to memory of 664	1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe	ms.exe
PID 1164 wrote to memory of 664	1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe	ms.exe
PID 1164 wrote to memory of 664	1164	279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe	ms.exe
PID 664 wrote to memory of 1808	664	ms.exe	takeown.exe
PID 664 wrote to memory of 1808	664	ms.exe	takeown.exe
PID 664 wrote to memory of 1808	664	ms.exe	takeown.exe
PID 664 wrote to memory of 1808	664	ms.exe	takeown.exe
PID 664 wrote to memory of 1704	664	ms.exe	icacls.exe
PID 664 wrote to memory of 1704	664	ms.exe	icacls.exe
PID 664 wrote to memory of 1704	664	ms.exe	icacls.exe
PID 664 wrote to memory of 1704	664	ms.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
"C:\Users\Admin\AppData\Local\Temp\279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\ms.exe
C:\Users\Admin\AppData\Local\Temp\ms.exe k
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\takeown.exe
takeown /f "C:\WINDOWS\system32\Sens.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\system32\icacls.exe
icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
374KB

MD5
4a77233b0ca85dab5e3ce6da30d5dd6b

SHA1
87af1e046d104beb8d607a6c577991f4752ff88b

SHA256
7eeef1656f6d406d99c49e1ebd8192ed56191ec5ed7a7ee72612cbd5be376464

SHA512
0fff259c935b0ed279bb1a026d82c01b5edf875061947ee91acf8698fa2a72a5810f9b97dc24b84fbb1e6f541f7d87159fea38c22af125f683589585389fbdc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
374KB

MD5
4a77233b0ca85dab5e3ce6da30d5dd6b

SHA1
87af1e046d104beb8d607a6c577991f4752ff88b

SHA256
7eeef1656f6d406d99c49e1ebd8192ed56191ec5ed7a7ee72612cbd5be376464

SHA512
0fff259c935b0ed279bb1a026d82c01b5edf875061947ee91acf8698fa2a72a5810f9b97dc24b84fbb1e6f541f7d87159fea38c22af125f683589585389fbdc7

Download Submit
\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
374KB

MD5
4a77233b0ca85dab5e3ce6da30d5dd6b

SHA1
87af1e046d104beb8d607a6c577991f4752ff88b

SHA256
7eeef1656f6d406d99c49e1ebd8192ed56191ec5ed7a7ee72612cbd5be376464

SHA512
0fff259c935b0ed279bb1a026d82c01b5edf875061947ee91acf8698fa2a72a5810f9b97dc24b84fbb1e6f541f7d87159fea38c22af125f683589585389fbdc7

Download Submit
memory/664-56-0x0000000000000000-mapping.dmp

Download
memory/1164-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1704-61-0x0000000000000000-mapping.dmp

Download
memory/1808-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads