Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2022 16:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: 279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
- Resource: win7-20220812-en
General
- Target: 279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
- Size: 1.4MB
- MD5: 4ec64af48c4a2e24a263f457c7ae8a10
- SHA1: e7d3f3edcb76fc9e7f91efc0d2f2fc6caabcfa10
- SHA256: 279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c
- SHA512: 2bdf046eb000eb98d90ea3ca66c80c21982551573c89805edf6997b45abf0907f0d135aeb3faa0e6f682de109ace88dfa312522f3d67cf3e55ae4c2504936bce
- SSDEEP: 24576:oNmF/mnBoDM5f7F2OdcclPqVX7TwBTGQOD6N+FrFv+YRqoAVaVvcnMwz3FHCckcQ:oYVZo5TcOB1o/+YRq3VflpHDkiSAS
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  4652  ms.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes:
  pid   process
  3612  takeown.exe
  2820  icacls.exe
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
  pid   process
  3612  takeown.exe
  2820  icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description                    ioc                   process
  File opened for modification   C:\WINDOWS\Bef.tmp    279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
  File opened for modification   C:\Windows\yre.tmp    279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid   process
  4036  279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe   (this identical entry is listed 64 times in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                        pid   process
  Token: SeTakeOwnershipPrivilege    3612  takeown.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid   process
  4652  ms.exe
  4652  ms.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                          pid   process                                                                  target process
  PID 4036 wrote to memory of 4652     4036  279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe    ms.exe
  PID 4036 wrote to memory of 4652     4036  279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe    ms.exe
  PID 4036 wrote to memory of 4652     4036  279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe    ms.exe
  PID 4652 wrote to memory of 3612     4652  ms.exe                                                                   takeown.exe
  PID 4652 wrote to memory of 3612     4652  ms.exe                                                                   takeown.exe
  PID 4652 wrote to memory of 2820     4652  ms.exe                                                                   icacls.exe
  PID 4652 wrote to memory of 2820     4652  ms.exe                                                                   icacls.exe
Processes
- Depth 1: C:\Users\Admin\AppData\Local\Temp\279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\279aa6df8ab27308a68bf576a724eceb099b856bf24b4929813fabbb1f8f073c.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Depth 2: C:\Users\Admin\AppData\Local\Temp\ms.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Depth 3: C:\Windows\SYSTEM32\takeown.exe
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - Depth 3: C:\Windows\SYSTEM32\icacls.exe
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 374KB
  MD5: 4a77233b0ca85dab5e3ce6da30d5dd6b
  SHA1: 87af1e046d104beb8d607a6c577991f4752ff88b
  SHA256: 7eeef1656f6d406d99c49e1ebd8192ed56191ec5ed7a7ee72612cbd5be376464
  SHA512: 0fff259c935b0ed279bb1a026d82c01b5edf875061947ee91acf8698fa2a72a5810f9b97dc24b84fbb1e6f541f7d87159fea38c22af125f683589585389fbdc7
- memory/2820-136-0x0000000000000000-mapping.dmp
- memory/3612-135-0x0000000000000000-mapping.dmp
- memory/4652-132-0x0000000000000000-mapping.dmp