9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d

General

Target

9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
Size

1.1MB
MD5

f9c64b335af3eb2ec7c47e1b84cec634
SHA1

628903e88655b3f5602499310f363633b8c84646
SHA256

9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d
SHA512

a513bd1719071cdefdbd57bcf6556e014411db39b2ebece883307c591dd5bf8e72c7d46851ccebe9f0d7cc2dda77b9cc9fb9aeb3ef0586c854e9412cb582e1a9
SSDEEP

24576:yNef3/2LsboXWqXCjHxCIDQw3DxFbT86UBpnnKo1tk:yofTboPXC7xCIHP8nnnKojk

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tmp.exe

pid process

660 tmp.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

912 takeown.exe
836 icacls.exe
Loads dropped DLL 1 IoCs

Processes:

9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe

pid process

1440 9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

836 icacls.exe
912 takeown.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
660	tmp.exe

pid	process
912	takeown.exe
836	icacls.exe

pid	process
836	icacls.exe
912	takeown.exe

Drops file in Windows directory 2 IoCs

Processes:

9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Bef.tmp	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
File opened for modification	C:\Windows\yre.tmp	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe

pid	process
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 912 takeown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

660 tmp.exe
660 tmp.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	912	takeown.exe

pid	process
660	tmp.exe
660	tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exetmp.exe

description	pid	process	target process
PID 1440 wrote to memory of 660	1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe	tmp.exe
PID 1440 wrote to memory of 660	1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe	tmp.exe
PID 1440 wrote to memory of 660	1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe	tmp.exe
PID 1440 wrote to memory of 660	1440	9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe	tmp.exe
PID 660 wrote to memory of 912	660	tmp.exe	takeown.exe
PID 660 wrote to memory of 912	660	tmp.exe	takeown.exe
PID 660 wrote to memory of 912	660	tmp.exe	takeown.exe
PID 660 wrote to memory of 912	660	tmp.exe	takeown.exe
PID 660 wrote to memory of 836	660	tmp.exe	icacls.exe
PID 660 wrote to memory of 836	660	tmp.exe	icacls.exe
PID 660 wrote to memory of 836	660	tmp.exe	icacls.exe
PID 660 wrote to memory of 836	660	tmp.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
"C:\Users\Admin\AppData\Local\Temp\9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\system32\takeown.exe
takeown /f "C:\WINDOWS\system32\Sens.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\icacls.exe
icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
379KB

MD5
0eb15c0ac0f60c4a0eaf27951802955c

SHA1
611128d4583f1101fd65b90275a8712b8ac1e04d

SHA256
f9dd2ae8c06ce78f46551d4eb635a2f4e0adacf9af220869649d07da9eff1e2f

SHA512
cfcfcdd26096bd31e328d4c2344cd2b6216385b306f0bd8aeb5b2c6570ccb56782163189bfa8baf87a5277a208e3e89741a82f5f238ac2879c704c5cd6a09f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
379KB

MD5
0eb15c0ac0f60c4a0eaf27951802955c

SHA1
611128d4583f1101fd65b90275a8712b8ac1e04d

SHA256
f9dd2ae8c06ce78f46551d4eb635a2f4e0adacf9af220869649d07da9eff1e2f

SHA512
cfcfcdd26096bd31e328d4c2344cd2b6216385b306f0bd8aeb5b2c6570ccb56782163189bfa8baf87a5277a208e3e89741a82f5f238ac2879c704c5cd6a09f15

Download Submit
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize
379KB

MD5
0eb15c0ac0f60c4a0eaf27951802955c

SHA1
611128d4583f1101fd65b90275a8712b8ac1e04d

SHA256
f9dd2ae8c06ce78f46551d4eb635a2f4e0adacf9af220869649d07da9eff1e2f

SHA512
cfcfcdd26096bd31e328d4c2344cd2b6216385b306f0bd8aeb5b2c6570ccb56782163189bfa8baf87a5277a208e3e89741a82f5f238ac2879c704c5cd6a09f15

Download Submit
memory/660-56-0x0000000000000000-mapping.dmp

Download
memory/836-61-0x0000000000000000-mapping.dmp

Download
memory/912-60-0x0000000000000000-mapping.dmp

Download
memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads