Analysis
- max time kernel: 42s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 12:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: 85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe
- Resource: win7-20220901-en
General
- Target: 85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe
- Size: 1.1MB
- MD5: 2aa007bd0ada9a53254566aded67ddf7
- SHA1: b970966645faa3c93db50f226a0511c519cc3517
- SHA256: 85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8
- SHA512: db813a9d5a809b06f98238454ac6f8e9228c3a30dd620deb293c0acbdf751593eb42fda75b263fe5c0800aba8cf86a85b372c697860c9ea9dbb8b476d3630df5
- SSDEEP: 24576:dNef3/2LsboXZvWIRJ672D85y3y5tNVS9:dofTbot1T67233Iu9
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1504 ms.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes: pid 276 takeown.exe; pid 824 icacls.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 1228 85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: pid 276 takeown.exe; pid 824 icacls.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  Processes: 85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe
  - File opened for modification: C:\WINDOWS\Bef.tmp (85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe)
  - File opened for modification: C:\Windows\yre.tmp (85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe)
- Suspicious behavior: EnumeratesProcesses (37 IoCs)
  Processes: pid 1228 85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe (the same pid/process entry is listed for each of the 37 IoCs)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeTakeOwnershipPrivilege, pid 276 takeown.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: pid 1504 ms.exe (listed twice)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe, ms.exe
  - PID 1228 (85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe) wrote to memory of 1504 (ms.exe): 4 entries
  - PID 1504 (ms.exe) wrote to memory of 276 (takeown.exe): 4 entries
  - PID 1504 (ms.exe) wrote to memory of 824 (icacls.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\85b6cec049ce9d11b1003ee01b5c2b49a29b9ed365528872f487284bf7c061d8.exe"
  PID: 1228
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ms.exe (depth 2, child of PID 1228)
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    PID: 1504
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe (depth 3, child of PID 1504)
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      PID: 276
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe (depth 3, child of PID 1504)
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      PID: 824
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 467KB
  MD5: 67acc4c8825164c7e72cbcdf48e4c09c
  SHA1: b4fadd7d853200db54cd1b10645dcd01c00d82a8
  SHA256: a000aa47277fd73869ad1aa11a86791bb822d2ce9f7da74f3dfb3c3f5f6f1824
  SHA512: 92c270386cfb1d92f88c711382361c2ef117ef95ad97b2e25447250fa5256544fda185fbe9f44497bc3f47ce7f1408ccc9a094d36dc55f606f6b2206811264f2
- memory/276-60-0x0000000000000000-mapping.dmp
- memory/824-61-0x0000000000000000-mapping.dmp
- memory/1228-54-0x0000000075A11000-0x0000000075A13000-memory.dmp
  Filesize: 8KB
- memory/1504-56-0x0000000000000000-mapping.dmp