Analysis
-
max time kernel: 58s
max time network: 58s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2022 04:32
Static task: static1
Behavioral task: behavioral1
Sample: d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe
Resource: win7-20221111-en
General
-
Target: d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe
Size: 1.4MB
MD5: 31c9af44f2f1009d5b9fa4e6e83c7160
SHA1: be0d493cc8d8d675da8f23dc1d25f4b8bc0e3e44
SHA256: d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322
SHA512: 79533c0f2d6f211b01b9686ff56e1e0d7b29201f7c2152c6c1f1df9aa8621983cea301072ae4c08d06ca0921b6d01f983179dbb1cf6b7c89ddc3f90b94f95606
SSDEEP: 24576:GNmF/mnBoDM5f7F2DdcclPqVX7TwBTGQOD6N+FrF7MDdhrfkG4QpB/7R3TyLOPyq:GYVZo5TcDB1oAJhrfdPn7R3Tciyq
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes: pid 1432 ms.exe
-
Possible privilege escalation attempt (2 IoCs)
Processes: pid 1108 takeown.exe; pid 1560 icacls.exe
-
Loads dropped DLL (1 IoC)
Processes: pid 1752 d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe
-
Modifies file permissions (1 TTP, 2 IoCs)
Processes: pid 1560 icacls.exe; pid 1108 takeown.exe
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory (2 IoCs)
File opened for modification: C:\WINDOWS\Bef.tmp (process d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe)
File opened for modification: C:\Windows\yre.tmp (process d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe)
-
Suspicious behavior: EnumeratesProcesses (37 IoCs)
Processes: pid 1752 d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe (the same process is listed once per IoC, 37 times)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeTakeOwnershipPrivilege, pid 1108 takeown.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: pid 1432 ms.exe (2 entries)
-
Suspicious use of WriteProcessMemory (12 IoCs)
PID 1752 (d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe) wrote to memory of 1432 (ms.exe): 4 entries
PID 1432 (ms.exe) wrote to memory of 1108 (takeown.exe): 4 entries
PID 1432 (ms.exe) wrote to memory of 1560 (icacls.exe): 4 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ms.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\takeown.exe (depth 3)
      command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\icacls.exe (depth 3)
      command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize: 424KB
MD5: e6aa7af21c55c35dd7ccb88723c2ba64
SHA1: fc196d153dd46333b019482df3ec8fa107bb412a
SHA256: f31b06a7848666c2f99f65a793888f45dafe3b5035f15231f1d8875ddec5401e
SHA512: 9c63de547c1bcc92fb1299218daa284cce1ccd0ada44a4422d6191193842ec143d5c4efff9fe099fa8af79b26a8fc63eeea8850029e927965d91230ce7ecbe7c
-
memory/1108-60-0x0000000000000000-mapping.dmp
-
memory/1432-56-0x0000000000000000-mapping.dmp
-
memory/1560-61-0x0000000000000000-mapping.dmp
-
memory/1752-54-0x0000000075C41000-0x0000000075C43000-memory.dmp
Filesize: 8KB