Analysis
- max time kernel: 48s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 28-10-2022 23:17

Static task: static1
Behavioral task: behavioral1
- Sample: 91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
- Resource: win7-20220901-en
General
- Target: 91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
- Size: 1.4MB
- MD5: 0b069e6bee51dc6325e33d484a4b9a80
- SHA1: 1ceaf2a7ea247149bc1dc3cdac7d50bc38ce52f7
- SHA256: 91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94
- SHA512: 76d63d9fcf406e80d4e94c34d3cfb88d69cf969bf71fe86405f765525b145421d6dde10f0adad62d1b8109969361f64f86008c0644bafdc76b0c2bf494b32766
- SSDEEP: 24576:xNmF/mnBoDM5f7F2DdcclPqVX7TwBTGQOD6N+FrF7MDdhrfkG4QpB/7R3TyLOPy9:xYVZo5TcDB1oAJhrfdPn7R3Tciy9
Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1756  ms.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
    1656  takeown.exe
    684   icacls.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    1376  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid, process):
    1656  takeown.exe
    684   icacls.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\WINDOWS\Bef.tmp  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
    File opened for modification  C:\Windows\yre.tmp  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
- Suspicious behavior: EnumeratesProcesses (37 IoCs)
  Processes (pid, process):
    1376  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe  (all 37 entries are this process)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeTakeOwnershipPrivilege  1656  takeown.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    1756  ms.exe  (2 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1376 wrote to memory of 1756  1376  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe  ms.exe  (4 entries)
    PID 1756 wrote to memory of 1656  1756  ms.exe  takeown.exe  (4 entries)
    PID 1756 wrote to memory of 684   1756  ms.exe  icacls.exe  (4 entries)
Processes (number in parentheses is the depth in the process tree)
(1) C:\Users\Admin\AppData\Local\Temp\91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  (2) C:\Users\Admin\AppData\Local\Temp\ms.exe
      command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    (3) C:\Windows\system32\takeown.exe
        command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    (3) C:\Windows\system32\icacls.exe
        command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: e6aa7af21c55c35dd7ccb88723c2ba64
  SHA1: fc196d153dd46333b019482df3ec8fa107bb412a
  SHA256: f31b06a7848666c2f99f65a793888f45dafe3b5035f15231f1d8875ddec5401e
  SHA512: 9c63de547c1bcc92fb1299218daa284cce1ccd0ada44a4422d6191193842ec143d5c4efff9fe099fa8af79b26a8fc63eeea8850029e927965d91230ce7ecbe7c
  (listed three times in the report, the third time under the path \Users\Admin\AppData\Local\Temp\ms.exe, with identical size and hashes)
- memory/684-61-0x0000000000000000-mapping.dmp
- memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp
  Filesize: 8KB
- memory/1656-60-0x0000000000000000-mapping.dmp
- memory/1756-56-0x0000000000000000-mapping.dmp