Analysis
- max time kernel: 80s
- max time network: 166s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-11-2022 18:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe
- Resource: win7-20220812-en
General
- Target: f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe
- Size: 1.4MB
- MD5: 0f7a27bba78bdee47cb83bbf7c5fe340
- SHA1: 52ca32e52ffd733842ddabeb7244ee7dda46c364
- SHA256: f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52
- SHA512: 351f273603493abfbaef48815c972eb657cfa40d94eb490385673f21dc06d5e6626aa45bb538c1ecc5f47b34e8fbd37ad350c5b27e6556558b5cde8ae1a521c0
- SSDEEP: 24576:1NmF/mnBoDM5f7F2zQRKZk+61i5cCPWZj+VhEgaTpRoqPJgXfMcgHyaN:1YVZo5TczQqk+61i5cYWZjSi3pWKAMcI
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 1360 ms.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
  - 276 icacls.exe
  - 432 takeown.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1468 f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes (pid, process):
  - 432 takeown.exe
  - 276 icacls.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\WINDOWS\Bef.tmp, f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe
  - File opened for modification, C:\Windows\yre.tmp, f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe
- Suspicious behavior: EnumeratesProcesses (37 IoCs)
  Processes (pid, process):
  - 1468 f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe (37 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeTakeOwnershipPrivilege, 432, takeown.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  - 1360 ms.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 1468 wrote to memory of 1360, 1468, f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe, ms.exe (4 identical entries)
  - PID 1360 wrote to memory of 432, 1360, ms.exe, takeown.exe (4 identical entries)
  - PID 1360 wrote to memory of 276, 1360, ms.exe, icacls.exe (4 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f23151487f40e62851daaccfe9238684c96c2fc1f90d636b06a28597e9132a52.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\ms.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\takeown.exe
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\icacls.exe
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  - Filesize: 424KB
  - MD5: f9340c487c5b719a74727c7cb1ee5ff4
  - SHA1: 027c3cceee84227dc8af4bbe2e5ce3ede9cb98b0
  - SHA256: 71865ebd9f9f86c7c8ce0e95a3418e97ad432ee1dbd7b7808b8f1ad50236957b
  - SHA512: 3640b413d1baa9eec8e46da15d19eb554dc0a2ef08f2d8882196c57e81ba1107092e290955ce4fe19895f560fa9300a6f4744f927386b6fc80a202b1d1ef975c
- \Users\Admin\AppData\Local\Temp\ms.exe
  - Filesize: 424KB
  - MD5: f9340c487c5b719a74727c7cb1ee5ff4
  - SHA1: 027c3cceee84227dc8af4bbe2e5ce3ede9cb98b0
  - SHA256: 71865ebd9f9f86c7c8ce0e95a3418e97ad432ee1dbd7b7808b8f1ad50236957b
  - SHA512: 3640b413d1baa9eec8e46da15d19eb554dc0a2ef08f2d8882196c57e81ba1107092e290955ce4fe19895f560fa9300a6f4744f927386b6fc80a202b1d1ef975c
- memory/276-61-0x0000000000000000-mapping.dmp
- memory/432-60-0x0000000000000000-mapping.dmp
- memory/1360-56-0x0000000000000000-mapping.dmp
- memory/1468-54-0x0000000075211000-0x0000000075213000-memory.dmp
  - Filesize: 8KB