Analysis
- max time kernel: 135s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-10-2022 23:17
Static task: static1
Behavioral task: behavioral1
Sample: 91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
Resource: win7-20220901-en
General
- Target: 91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
- Size: 1.4MB
- MD5: 0b069e6bee51dc6325e33d484a4b9a80
- SHA1: 1ceaf2a7ea247149bc1dc3cdac7d50bc38ce52f7
- SHA256: 91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94
- SHA512: 76d63d9fcf406e80d4e94c34d3cfb88d69cf969bf71fe86405f765525b145421d6dde10f0adad62d1b8109969361f64f86008c0644bafdc76b0c2bf494b32766
- SSDEEP: 24576:xNmF/mnBoDM5f7F2DdcclPqVX7TwBTGQOD6N+FrF7MDdhrfkG4QpB/7R3TyLOPy9:xYVZo5TcDB1oAJhrfdPn7R3Tciy9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    3948  ms.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
    1928  takeown.exe
    4604  icacls.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid, process):
    1928  takeown.exe
    4604  icacls.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\WINDOWS\Bef.tmp  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
    File opened for modification  C:\Windows\yre.tmp  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    3064  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe  (the same entry is listed 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeTakeOwnershipPrivilege  1928  takeown.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
    3948  ms.exe
    3948  ms.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
    PID 3064 wrote to memory of 3948  3064  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe  ms.exe
    PID 3064 wrote to memory of 3948  3064  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe  ms.exe
    PID 3064 wrote to memory of 3948  3064  91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe  ms.exe
    PID 3948 wrote to memory of 1928  3948  ms.exe  takeown.exe
    PID 3948 wrote to memory of 1928  3948  ms.exe  takeown.exe
    PID 3948 wrote to memory of 4604  3948  ms.exe  icacls.exe
    PID 3948 wrote to memory of 4604  3948  ms.exe  icacls.exe
Processes (indented entries are child processes of the entry above them)
- C:\Users\Admin\AppData\Local\Temp\91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91ece77d4c21f6bbc7849c6752ec557ff9ce3758910e58a8fbec0b80d8d24b94.exe"
  Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ms.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Windows\SYSTEM32\takeown.exe
          Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
          Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SYSTEM32\icacls.exe
          Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
          Signatures: Possible privilege escalation attempt; Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: e6aa7af21c55c35dd7ccb88723c2ba64
  SHA1: fc196d153dd46333b019482df3ec8fa107bb412a
  SHA256: f31b06a7848666c2f99f65a793888f45dafe3b5035f15231f1d8875ddec5401e
  SHA512: 9c63de547c1bcc92fb1299218daa284cce1ccd0ada44a4422d6191193842ec143d5c4efff9fe099fa8af79b26a8fc63eeea8850029e927965d91230ce7ecbe7c
- memory/1928-135-0x0000000000000000-mapping.dmp
- memory/3948-132-0x0000000000000000-mapping.dmp
- memory/4604-136-0x0000000000000000-mapping.dmp