Analysis
- max time kernel: 91s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-10-2022 23:17
Static task: static1
Behavioral task: behavioral1
Sample: 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe
Resource: win7-20220812-en
General
- Target: 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe
- Size: 1.4MB
- MD5: 00fcdb991966bbd97c9b00ee31359b20
- SHA1: 439d96c31a7f99d0fe558908650140001047cfbf
- SHA256: 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221
- SHA512: 6068eb99c3a44f069a246c866dedeeaf77fc9af39e16341f4b037e93619f52c837355fde83fe10cc320ad2afef94cd2d4c9cf69ba48d42d40337a8463c2b1297
- SSDEEP: 24576:kNmF/mnBoDM5f7F2hQHhToIzdF9s8kwWcMXixJH9GSG+VLUx3GHE07d:kYVZo5TchQBvj9tWXaJHkMLhkSd
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid  | process
  4984 | ms.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes:
  pid  | process
  3756 | takeown.exe
  4544 | icacls.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
  pid  | process
  3756 | takeown.exe
  4544 | icacls.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description                  | ioc                | process
  File opened for modification | C:\Windows\yre.tmp | 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe
  File opened for modification | C:\WINDOWS\Bef.tmp | 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid  | process
  4528 | 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe (this identical entry is reported 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                     | pid  | process
  Token: SeTakeOwnershipPrivilege | 3756 | takeown.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid  | process
  4984 | ms.exe
  4984 | ms.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description                      | pid  | process                                                              | target process
  PID 4528 wrote to memory of 4984 | 4528 | 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe | ms.exe
  PID 4528 wrote to memory of 4984 | 4528 | 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe | ms.exe
  PID 4528 wrote to memory of 4984 | 4528 | 5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe | ms.exe
  PID 4984 wrote to memory of 3756 | 4984 | ms.exe                                                               | takeown.exe
  PID 4984 wrote to memory of 3756 | 4984 | ms.exe                                                               | takeown.exe
  PID 4984 wrote to memory of 4544 | 4984 | ms.exe                                                               | icacls.exe
  PID 4984 wrote to memory of 4544 | 4984 | ms.exe                                                               | icacls.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5550e19f03a974d9a74cede37e5b01633d94d0bf897edca486d821ef53bca221.exe"
  Signatures:
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\ms.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SYSTEM32\takeown.exe
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\icacls.exe
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: 224ee144eb388979711b9c37411418c4
  SHA1: 4537031b414f1ce14182076996d72aaf710710be
  SHA256: d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253
  SHA512: cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d
- memory/3756-135-0x0000000000000000-mapping.dmp
- memory/4544-136-0x0000000000000000-mapping.dmp
- memory/4984-132-0x0000000000000000-mapping.dmp