Analysis
- max time kernel: 178s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2022 12:37
Static task: static1
Behavioral task: behavioral1
Sample: 35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf.exe
Resource: win7-20220812-en
General
- Target: 35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf.exe
- Size: 1.1MB
- MD5: 6c2bbe7cccfb05c34d6ec356ac0f05f8
- SHA1: 4c34dcefe2acf223430313185d61884626a95aee
- SHA256: 35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf
- SHA512: b36ba008d2bee73bfd73369379e051bab5066bfa0314cce8650b0dfc1297aad35b7bc501181026c9d5c09cd79376f1003111e75e1dd9770e5d1a2db85429f030
- SSDEEP: 24576:WNef3/2LsboXZvAG1kGk7DJ8kGjbXsUEGzQJyKeDYwxFYLua:WofTbotv1kGg87b3EGzQsBDYwcya
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes: ms.exe (PID 3532)
-
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe (PID 1748), icacls.exe (PID 2752)
-
Modifies file permissions (1 TTP, 2 IoCs)
Processes: icacls.exe (PID 2752), takeown.exe (PID 1748)
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory (2 IoCs)
Processes:
- File opened for modification: C:\WINDOWS\Bef.tmp by 35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf.exe
- File opened for modification: C:\Windows\yre.tmp by 35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf.exe (PID 4728), the same entry repeated for all 64 IoCs
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: takeown.exe (PID 1748), Token: SeTakeOwnershipPrivilege
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: ms.exe (PID 3532), the same entry for both IoCs
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
- PID 4728 (35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf.exe) wrote to memory of PID 3532 (ms.exe), 3 entries
- PID 3532 (ms.exe) wrote to memory of PID 1748 (takeown.exe), 2 entries
- PID 3532 (ms.exe) wrote to memory of PID 2752 (icacls.exe), 2 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\35438960f83f6e40b46354f6e29e646a1255463c248d51dab60508e094240adf.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ms.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\takeown.exe (depth 3)
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\icacls.exe (depth 3)
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ms.exe
- Filesize: 424KB
- MD5: 2338b921e8252eb4bc168d2278a89b1e
- SHA1: 5463f50f551a624c513946d1717781b79e06846a
- SHA256: 6b33663b37f550b3f3e78a5348423c14cf4e3b1dff6d369530ae04efd65bcbf7
- SHA512: 232cf5b5c40fa6752c31ea60629587044767df65216841b72061b26d07a86a7a6e48ffdbc6d6303c94d437ceec8c42be46401ff9cbf0a62d59c550153226ff52
Memory dumps
- memory/1748-135-0x0000000000000000-mapping.dmp
- memory/2752-136-0x0000000000000000-mapping.dmp
- memory/3532-132-0x0000000000000000-mapping.dmp