Analysis
-
max time kernel: 50s
max time network: 52s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-10-2022 14:47
Static task: static1
Behavioral task: behavioral1
Sample: 9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
Resource: win7-20220812-en
General
-
Target
9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
-
Size
1.1MB
-
MD5
f9c64b335af3eb2ec7c47e1b84cec634
-
SHA1
628903e88655b3f5602499310f363633b8c84646
-
SHA256
9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d
-
SHA512
a513bd1719071cdefdbd57bcf6556e014411db39b2ebece883307c591dd5bf8e72c7d46851ccebe9f0d7cc2dda77b9cc9fb9aeb3ef0586c854e9412cb582e1a9
-
SSDEEP
24576:yNef3/2LsboXWqXCjHxCIDQw3DxFbT86UBpnnKo1tk:yofTboPXC7xCIHP8nnnKojk
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
  pid 660  tmp.exe
-
Possible privilege escalation attempt (2 IoCs)
Processes:
  pid 912  takeown.exe
  pid 836  icacls.exe
-
Loads dropped DLL (1 IoC)
Processes:
  pid 1440  9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
-
Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  pid 836  icacls.exe
  pid 912  takeown.exe
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory (2 IoCs)
Processes:
  File opened for modification  C:\WINDOWS\Bef.tmp  by 9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
  File opened for modification  C:\Windows\yre.tmp  by 9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe
-
Suspicious behavior: EnumeratesProcesses (37 IoCs)
Processes:
  pid 1440  9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe  (37 identical entries)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeTakeOwnershipPrivilege  pid 912  takeown.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 660  tmp.exe  (2 identical entries)
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 1440 wrote to memory of 660  9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe -> tmp.exe  (4 identical entries)
  PID 660 wrote to memory of 912  tmp.exe -> takeown.exe  (4 identical entries)
  PID 660 wrote to memory of 836  tmp.exe -> icacls.exe  (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe  (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\9aea7e54c9845a7dfd55bc0e195f0d84ed66bf892e930437be40404bad71135d.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe  (depth 2)
command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe  (depth 3)
command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe  (depth 3)
command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize: 379KB
MD5: 0eb15c0ac0f60c4a0eaf27951802955c
SHA1: 611128d4583f1101fd65b90275a8712b8ac1e04d
SHA256: f9dd2ae8c06ce78f46551d4eb635a2f4e0adacf9af220869649d07da9eff1e2f
SHA512: cfcfcdd26096bd31e328d4c2344cd2b6216385b306f0bd8aeb5b2c6570ccb56782163189bfa8baf87a5277a208e3e89741a82f5f238ac2879c704c5cd6a09f15
-
\Users\Admin\AppData\Local\Temp\tmp.exe
Filesize: 379KB
MD5: 0eb15c0ac0f60c4a0eaf27951802955c
SHA1: 611128d4583f1101fd65b90275a8712b8ac1e04d
SHA256: f9dd2ae8c06ce78f46551d4eb635a2f4e0adacf9af220869649d07da9eff1e2f
SHA512: cfcfcdd26096bd31e328d4c2344cd2b6216385b306f0bd8aeb5b2c6570ccb56782163189bfa8baf87a5277a208e3e89741a82f5f238ac2879c704c5cd6a09f15
-
memory/660-56-0x0000000000000000-mapping.dmp
-
memory/836-61-0x0000000000000000-mapping.dmp
-
memory/912-60-0x0000000000000000-mapping.dmp
-
memory/1440-54-0x0000000076181000-0x0000000076183000-memory.dmp
Filesize: 8KB