Analysis

max time kernel: 90s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2022 23:17

Static task: static1
Behavioral task: behavioral1
  Sample: aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe
  Resource: win7-20220812-en
General

Target: aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe
Size: 1.4MB
MD5: 0e8a8fa96a1418741c15af44cb690750
SHA1: 717adca2fba6c964724c54841c6921e50d393138
SHA256: aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f
SHA512: ca98f2e96f5b376370b38569cf88d52d1f80283b4113e597aabdcee62d6ab80680c2bf1441fdd735b4feed1c48d59f3af06371a2c494b2a58f65518a9c29d294
SSDEEP: 24576:4NmF/mnBoDM5f7F2hQHhToIzdF9s8kwWcMXixJH9GSG+VLUx3GHE074:4YVZo5TchQBvj9tWXaJHkMLhkS4
Malware Config

Signatures

Executes dropped EXE (1 IoC)
  Processes: ms.exe (PID 4772)

Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (PID 1296), icacls.exe (PID 1384)

Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 1296), icacls.exe (PID 1384)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (2 IoCs)
  File opened for modification: C:\WINDOWS\Bef.tmp by aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe
  File opened for modification: C:\Windows\yre.tmp by aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe (PID 4580); all 64 IoCs are attributed to this single process
Suspicious use of AdjustPrivilegeToken (1 IoC)
  takeown.exe (PID 1296): Token: SeTakeOwnershipPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: ms.exe (PID 4772); both IoCs are attributed to this process

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4580 (aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe) wrote to memory of PID 4772 (ms.exe), 3 times
  PID 4772 (ms.exe) wrote to memory of PID 1296 (takeown.exe), 2 times
  PID 4772 (ms.exe) wrote to memory of PID 1384 (icacls.exe), 2 times
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe"
  PID: 4580
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\ms.exe (child of PID 4580)
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    PID: 4772
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SYSTEM32\takeown.exe (child of PID 4772)
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      PID: 1296
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SYSTEM32\icacls.exe (child of PID 4772)
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      PID: 1384
      - Possible privilege escalation attempt
      - Modifies file permissions
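The takeown.exe then icacls.exe pair on C:\WINDOWS\system32\Sens.dll is the most actionable part of this tree: takeown needs SeTakeOwnershipPrivilege, which only an already-elevated token holds, so the chain shows an elevated process from a user-writable Temp directory taking ownership of a system DLL and then granting itself full control, rather than an escalation from low privilege. The detection below is an added example, not part of the sandbox report or of any vendor product. It runs over process-creation events constructed to mirror the process tree above (the pid/ppid/image/cmdline field names, the parent PIDs 1000 and 900, and the cmd.exe/icacls benign contrast are assumptions), parses the target path out of each takeown/icacls command line, and flags a protected-directory file that both tools hit under the same parent.

```python
import re

# Constructed process-creation events modelled on the process tree in this
# report (pid, ppid, image, command line). Not a real log export: the parent
# PIDs 1000/900 and the cmd.exe -> icacls pair on a user file are made up as
# a benign contrast case.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aa4fc09d9ec7aeaebdad9476ce520e1a1e0defd5fd8a5886f0f88f8fa6ea542f.exe"
EVENTS = [
    {"pid": 4580, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 4772, "ppid": 4580, "image": r"C:\Users\Admin\AppData\Local\Temp\ms.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\ms.exe k"},
    {"pid": 1296, "ppid": 4772, "image": r"C:\Windows\SYSTEM32\takeown.exe",
     "cmdline": r'takeown /f "C:\WINDOWS\system32\Sens.dll"'},
    {"pid": 1384, "ppid": 4772, "image": r"C:\Windows\SYSTEM32\icacls.exe",
     "cmdline": r'icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F'},
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Users\Admin\Documents\notes.txt" /grant Admin:F'},
]

# Directories where ownership/ACL changes on existing files are abnormal.
PROTECTED_DIRS = ("c:\\windows\\",)
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"

# Quoted argument or bare whitespace-delimited argument.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    """Split a Windows command line, honouring double-quoted paths."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def norm(path):
    """Case-fold and canonicalise separators so prefix checks are reliable."""
    return path.strip('"').replace("/", "\\").lower()


def image_name(image):
    return norm(image).rsplit("\\", 1)[-1]


def acl_target(image, cmdline):
    """Return the file a takeown/icacls invocation operates on, or None."""
    name = image_name(image)
    toks = tokens(cmdline)
    if name == "takeown.exe":
        # takeown names its target with /f <path>
        for i, tok in enumerate(toks):
            if tok.lower() == "/f" and i + 1 < len(toks):
                return norm(toks[i + 1])
    elif name == "icacls.exe":
        # icacls takes the target as its first non-switch argument
        for tok in toks[1:]:
            if not tok.startswith("/"):
                return norm(tok)
    return None


def is_protected(path):
    return path.startswith(PROTECTED_DIRS)


def in_user_temp(image):
    return USER_TEMP_MARKER in norm(image)


def find_acl_tampering(events):
    """Group takeown/icacls hits on protected files by parent process.

    A target touched by both tools under one parent is rated high; a single
    tool on a protected file is still reported at medium.
    """
    parent_image = {ev["pid"]: ev["image"] for ev in events}
    by_parent = {}
    for ev in events:
        target = acl_target(ev["image"], ev["cmdline"])
        if target is None or not is_protected(target):
            continue
        by_parent.setdefault(ev["ppid"], {}).setdefault(target, set()).add(image_name(ev["image"]))

    findings = []
    for ppid, targets in by_parent.items():
        parent = parent_image.get(ppid, "<unknown>")
        for target, tools in targets.items():
            findings.append({
                "parent_pid": ppid,
                "parent_image": parent,
                "parent_in_user_temp": in_user_temp(parent),
                "target": target,
                "tools": sorted(tools),
                "severity": "high" if tools == {"takeown.exe", "icacls.exe"} else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_acl_tampering(EVENTS):
        print(finding)
```

The same logic maps onto Sysmon Event ID 1 or Windows Security 4688 exports by filling EVENTS from ParentProcessId, ProcessId, Image and CommandLine; the benign icacls on a user document produces no finding because its target sits outside the protected prefix. On a live host, the complementary check is to compare the current owner and DACL of Sens.dll against the expected TrustedInstaller ownership, which an `icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F` run would have altered.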
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: 224ee144eb388979711b9c37411418c4
  SHA1: 4537031b414f1ce14182076996d72aaf710710be
  SHA256: d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253
  SHA512: cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d
Memory dumps:
  memory/1296-135-0x0000000000000000-mapping.dmp
  memory/1384-136-0x0000000000000000-mapping.dmp
  memory/4772-132-0x0000000000000000-mapping.dmp