Analysis

max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2022 04:32

Static task: static1
Behavioral task: behavioral1
Sample: d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe
Resource: win7-20221111-en
General

Target: d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe
Size: 1.4MB
MD5: 31c9af44f2f1009d5b9fa4e6e83c7160
SHA1: be0d493cc8d8d675da8f23dc1d25f4b8bc0e3e44
SHA256: d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322
SHA512: 79533c0f2d6f211b01b9686ff56e1e0d7b29201f7c2152c6c1f1df9aa8621983cea301072ae4c08d06ca0921b6d01f983179dbb1cf6b7c89ddc3f90b94f95606
SSDEEP: 24576:GNmF/mnBoDM5f7F2DdcclPqVX7TwBTGQOD6N+FrF7MDdhrfkG4QpB/7R3TyLOPyq:GYVZo5TcDB1oAJhrfdPn7R3Tciyq
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  pid 2752  ms.exe

Possible privilege escalation attempt (2 IoCs)
Processes:
  pid 4488  takeown.exe
  pid 2744  icacls.exe

Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  pid 2744  icacls.exe
  pid 4488  takeown.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (2 IoCs)
Processes:
  File opened for modification  C:\WINDOWS\Bef.tmp  d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe
  File opened for modification  C:\Windows\yre.tmp  d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 4636  d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe  (all 64 entries identical)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeTakeOwnershipPrivilege  pid 4488  takeown.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 2752  ms.exe
  pid 2752  ms.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (source pid, source process, target pid, target process):
  PID 4636 wrote to memory of 2752  d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe -> ms.exe
  PID 4636 wrote to memory of 2752  d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe -> ms.exe
  PID 4636 wrote to memory of 2752  d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe -> ms.exe
  PID 2752 wrote to memory of 4488  ms.exe -> takeown.exe
  PID 2752 wrote to memory of 4488  ms.exe -> takeown.exe
  PID 2752 wrote to memory of 2744  ms.exe -> icacls.exe
  PID 2752 wrote to memory of 2744  ms.exe -> icacls.exe
Processes (indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d3dbdec031a1f40a34fa74e4bd5481c14662ea75952e405bf3893f32f1430322.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ms.exe
    command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SYSTEM32\takeown.exe
      command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SYSTEM32\icacls.exe
      command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize: 424KB
MD5: e6aa7af21c55c35dd7ccb88723c2ba64
SHA1: fc196d153dd46333b019482df3ec8fa107bb412a
SHA256: f31b06a7848666c2f99f65a793888f45dafe3b5035f15231f1d8875ddec5401e
SHA512: 9c63de547c1bcc92fb1299218daa284cce1ccd0ada44a4422d6191193842ec143d5c4efff9fe099fa8af79b26a8fc63eeea8850029e927965d91230ce7ecbe7c
Memory dumps:
  memory/2744-136-0x0000000000000000-mapping.dmp
  memory/2752-132-0x0000000000000000-mapping.dmp
  memory/4488-135-0x0000000000000000-mapping.dmp