Analysis
- max time kernel: 112s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-10-2022 14:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe
- Resource: win7-20220812-en
General
- Target: 2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe
- Size: 1.4MB
- MD5: d7ef40600c2d4031e262ede93a5b1cf2
- SHA1: 55b9dd028f3bb02ec555f5e1ade5379ed8ea297f
- SHA256: 2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24
- SHA512: 64353f23d94a9b3b95991890f10fd47f746c24882d3b05a8b053d48322c2989e8f7239b078f5c3a92cf598e4a4a895bec637aaa783e3de45cb28bc06c488240e
- SSDEEP: 24576:SNmF/mnBoDM5f7F2JQRKZk+61i5cCPWZj+VhL8OamPRKplJfVXT24WTEvzHJDsZ:SYVZo5TcJQqk+61i5cYWZjSTDPYtfVjS
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: ms.exe (PID 632)
- Possible privilege escalation attempt (2 IoCs)
  Processes: icacls.exe (PID 3592), takeown.exe (PID 1488)
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (PID 1488), icacls.exe (PID 3592)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  Process: 2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe
  File opened for modification: C:\WINDOWS\Bef.tmp
  File opened for modification: C:\Windows\yre.tmp
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: 2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe (PID 2836), 64 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: takeown.exe (PID 1488), Token: SeTakeOwnershipPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: ms.exe (PID 632), 2 occurrences
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2836 (2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe) wrote to memory of PID 632 (ms.exe), 3 occurrences
  PID 632 (ms.exe) wrote to memory of PID 1488 (takeown.exe), 2 occurrences
  PID 632 (ms.exe) wrote to memory of PID 3592 (icacls.exe), 2 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ms.exe (depth 2, child of the sample)
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\takeown.exe (depth 3, child of ms.exe)
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\icacls.exe (depth 3, child of ms.exe)
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
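The process tree shows the dropped ms.exe running takeown (with SeTakeOwnershipPrivilege) and then icacls /grant administrators:F against C:\WINDOWS\system32\Sens.dll. System32 binaries are owned by TrustedInstaller, so taking ownership and re-granting Administrators full control is the usual prerequisite for replacing one; the report records the ACL change but not a subsequent write to Sens.dll. The following Python is an added detection example, not part of this Triage report or of the sample: it replays constructed process-creation events modelled on the tree (the sample's parent PID 1234 and the benign takeown row at the end are made up, and the event field names are an assumption about the telemetry source) and correlates takeown/icacls invocations by parent process and System32 target.

```python
"""Flag takeown/icacls runs that reseat permissions on files under System32.

Added example, not part of the sandbox report. Events are constructed from the
report's process tree; field names (pid, ppid, image, cmd) are assumptions.
"""
import re

# Constructed process-creation events shaped like the report's process tree.
# The sample's parent PID (1234) and the last, benign row are made up.
EVENTS = [
    {"pid": 2836, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\2c4c468225ddabaf2b1fe712fe77217c1ea2a937ecac99fcf78c88751861df24.exe"'},
    {"pid": 632, "ppid": 2836,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ms.exe",
     "cmd": r"C:\Users\Admin\AppData\Local\Temp\ms.exe k"},
    {"pid": 1488, "ppid": 632,
     "image": r"C:\Windows\SYSTEM32\takeown.exe",
     "cmd": r'takeown /f "C:\WINDOWS\system32\Sens.dll"'},
    {"pid": 3592, "ppid": 632,
     "image": r"C:\Windows\SYSTEM32\icacls.exe",
     "cmd": r'icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F'},
    # Benign: an admin shell fixing permissions on a file in the user profile.
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\takeown.exe",
     "cmd": r'takeown /f "C:\Users\Admin\Documents\report.docx"'},
]

SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.I)


def split_cmdline(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmd)]


def acl_target(cmd):
    """Return (tool, target_path) for takeown/icacls command lines, else None."""
    argv = split_cmdline(cmd)
    if not argv:
        return None
    tool = argv[0].rsplit("\\", 1)[-1].lower()
    if tool.endswith(".exe"):
        tool = tool[:-4]
    if tool == "takeown":
        # takeown names its target with /F; everything else is an option.
        for i, arg in enumerate(argv[1:-1], start=1):
            if arg.lower() == "/f":
                return tool, argv[i + 1]
    elif tool == "icacls":
        # icacls takes the object as its first non-switch argument.
        for arg in argv[1:]:
            if not arg.startswith("/"):
                return tool, arg
    return None


def detect_system32_acl_tampering(events):
    """Correlate ACL tools by parent PID and System32 target path.

    Severity is 'high' when one parent ran both takeown and icacls against the
    same System32 file (the ownership-then-grant chain in the report) and
    'medium' when only one tool is seen. Whether the parent image lives in a
    user-writable directory is reported so the analyst can weight the alert.
    """
    by_pid = {e["pid"]: e for e in events}
    chains = {}
    for e in events:
        hit = acl_target(e["cmd"])
        if hit is None:
            continue
        tool, target = hit
        if not SYSTEM32.match(target):
            continue
        key = (e["ppid"], target.lower())
        chain = chains.setdefault(key, {"tools": set(), "pids": []})
        chain["tools"].add(tool)
        chain["pids"].append(e["pid"])

    alerts = []
    for (ppid, target), chain in chains.items():
        parent = by_pid.get(ppid)
        parent_image = parent["image"] if parent else ""
        alerts.append({
            "parent_pid": ppid,
            "parent_image": parent_image,
            "parent_in_user_writable_dir": bool(USER_WRITABLE.search(parent_image)),
            "target": target,
            "tools": sorted(chain["tools"]),
            "pids": sorted(chain["pids"]),
            "severity": "high" if {"takeown", "icacls"} <= chain["tools"] else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_system32_acl_tampering(EVENTS):
        print(alert)
```

Run against the constructed events this yields one high-severity alert for parent PID 632 (ms.exe, in a Temp directory) covering PIDs 1488 and 3592 on c:\windows\system32\sens.dll, while the takeown on a Documents file is ignored. The tool check keys on the image name in the command line, so a renamed copy of takeown.exe would evade it; in production, match on the original file name from the PE version resource or on the SeTakeOwnershipPrivilege token event the report also records.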
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: a6c6dc74d7f061d01ef9b2cc4451a760
  SHA1: 46158a4b95126d95e0187ce066126c9482b44568
  SHA256: c63e23d1efe9bbb79cb80def879c087fafe4ee4dfb4e8918cb0bc9ac72db0915
  SHA512: 800236114c6f9a5a25b425a2ba1f118250b6ecc7d935fa980b2e9408c0d8d1991c2be5fc698ca951375c0fb0d79edd878c323bd230bb7084c2fe7f1362deb3bd
-
memory/632-132-0x0000000000000000-mapping.dmp
-
memory/1488-135-0x0000000000000000-mapping.dmp
-
memory/3592-136-0x0000000000000000-mapping.dmp