df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192

General

Target

df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
Size

1.4MB
MD5

092c196c5dfdb37ab08099628a84c1f0
SHA1

86bec33d43b4bb96f94e8574ae17059660648257
SHA256

df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192
SHA512

5290ad82eb4e7bf19de935dc6b55282b68f753cd43c5a8983182b4ab1dde4dced688cf7ca43437dd5b3bf5d1222d26e57a0540655428a3e19dfbb67b3103de62
SSDEEP

24576:eNmF/mnBoDM5f7F2/3ghdtdCczlEh7ThXBz2wB/MSe2Tp3I1gRUfbVx5rLIhkp8l:eYVZo5Tc/3g1XGh7VRz51ne0p4v7L81f

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ms.exe

pid process

620 ms.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

764 takeown.exe
1296 icacls.exe
Loads dropped DLL 1 IoCs

Processes:

df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe

pid process

944 df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

764 takeown.exe
1296 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
620	ms.exe

pid	process
764	takeown.exe
1296	icacls.exe

pid	process
764	takeown.exe
1296	icacls.exe

Drops file in Windows directory 2 IoCs

Processes:

df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Bef.tmp	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
File opened for modification	C:\Windows\yre.tmp	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe

pid	process
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 764 takeown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ms.exe

pid process

620 ms.exe
620 ms.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	764	takeown.exe

pid	process
620	ms.exe
620	ms.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exems.exe

description	pid	process	target process
PID 944 wrote to memory of 620	944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe	ms.exe
PID 944 wrote to memory of 620	944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe	ms.exe
PID 944 wrote to memory of 620	944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe	ms.exe
PID 944 wrote to memory of 620	944	df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe	ms.exe
PID 620 wrote to memory of 764	620	ms.exe	takeown.exe
PID 620 wrote to memory of 764	620	ms.exe	takeown.exe
PID 620 wrote to memory of 764	620	ms.exe	takeown.exe
PID 620 wrote to memory of 764	620	ms.exe	takeown.exe
PID 620 wrote to memory of 1296	620	ms.exe	icacls.exe
PID 620 wrote to memory of 1296	620	ms.exe	icacls.exe
PID 620 wrote to memory of 1296	620	ms.exe	icacls.exe
PID 620 wrote to memory of 1296	620	ms.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe
"C:\Users\Admin\AppData\Local\Temp\df22e96bb7574da5c88a4bac2dbdca67542f8fb4ad944266d1ddff2d141af192.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944

C:\Users\Admin\AppData\Local\Temp\ms.exe
C:\Users\Admin\AppData\Local\Temp\ms.exe k
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\takeown.exe
takeown /f "C:\WINDOWS\system32\Sens.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\icacls.exe
icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a37f6986bc775c44618b3809c558234a

SHA1
725ff87dd8c8a45e03dc184545d0867c273284fa

SHA256
057da3046d0a3c08b7c3da9422b1a983d3f46a4d4a6739f3c2d1e1e1cd2c8e85

SHA512
d1dc31e73eff083799bfb28cd429f8365ee128ddc71ef9bd7f80b01de1b5d8088038fcfc04e2d131d6e6e0252721b5a5ac23e33bf659f8756d401b1021581ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a37f6986bc775c44618b3809c558234a

SHA1
725ff87dd8c8a45e03dc184545d0867c273284fa

SHA256
057da3046d0a3c08b7c3da9422b1a983d3f46a4d4a6739f3c2d1e1e1cd2c8e85

SHA512
d1dc31e73eff083799bfb28cd429f8365ee128ddc71ef9bd7f80b01de1b5d8088038fcfc04e2d131d6e6e0252721b5a5ac23e33bf659f8756d401b1021581ccc

Download Submit
\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a37f6986bc775c44618b3809c558234a

SHA1
725ff87dd8c8a45e03dc184545d0867c273284fa

SHA256
057da3046d0a3c08b7c3da9422b1a983d3f46a4d4a6739f3c2d1e1e1cd2c8e85

SHA512
d1dc31e73eff083799bfb28cd429f8365ee128ddc71ef9bd7f80b01de1b5d8088038fcfc04e2d131d6e6e0252721b5a5ac23e33bf659f8756d401b1021581ccc

Download Submit
memory/620-56-0x0000000000000000-mapping.dmp

Download
memory/764-60-0x0000000000000000-mapping.dmp

Download
memory/944-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1296-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads