Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2022 04:32
Static task: static1
Behavioral task: behavioral1
Sample: 98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe
Resource: win7-20221111-en
General
Target: 98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe
Size: 1.4MB
MD5: 15967c967ec8dcd276a51017cef884e0
SHA1: 15b60b02001e03d1c8ccbe295c8e8c9cd6edafbb
SHA256: 98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d
SHA512: b24e185d637c4ec61f8d7f188ac926c8844ed8aa1f2b714870152cf3bb52767916fe562cd74e0289da660379ed4292d1396ad105219b8b0f3c0aa39afa0221a5
SSDEEP: 24576:nNmF/mnBoDM5f7F2RdcclPqVX7TwBTGQOD6N+FrFtTp3I1gRUfbVx5rLIhkp8TRe:nYVZo5TcRB1oNp4v7L81e
Malware Config
Signatures

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  3624  ms.exe

Possible privilege escalation attempt (2 IoCs)
Processes:
  pid   process
  2828  takeown.exe
  4256  icacls.exe

Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
  pid   process
  2828  takeown.exe
  4256  icacls.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (2 IoCs)
Processes:
  description                   ioc                  process
  File opened for modification  C:\WINDOWS\Bef.tmp   98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe
  File opened for modification  C:\Windows\yre.tmp   98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  2256  98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe
  (the report records this same pid/process entry 64 times)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                       pid   process
  Token: SeTakeOwnershipPrivilege   2828  takeown.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  3624  ms.exe
  3624  ms.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                        pid   process                                                                  target process
  PID 2256 wrote to memory of 3624   2256  98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe   ms.exe
  PID 2256 wrote to memory of 3624   2256  98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe   ms.exe
  PID 2256 wrote to memory of 3624   2256  98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe   ms.exe
  PID 3624 wrote to memory of 2828   3624  ms.exe                                                                   takeown.exe
  PID 3624 wrote to memory of 2828   3624  ms.exe                                                                   takeown.exe
  PID 3624 wrote to memory of 4256   3624  ms.exe                                                                   icacls.exe
  PID 3624 wrote to memory of 4256   3624  ms.exe                                                                   icacls.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\98d4dd3a3c9bf4607f07b533cf6b092e426d457a787baa043ac84fd09afc6f6d.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\ms.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SYSTEM32\takeown.exe
            Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SYSTEM32\icacls.exe
            Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: a37f6986bc775c44618b3809c558234a
  SHA1: 725ff87dd8c8a45e03dc184545d0867c273284fa
  SHA256: 057da3046d0a3c08b7c3da9422b1a983d3f46a4d4a6739f3c2d1e1e1cd2c8e85
  SHA512: d1dc31e73eff083799bfb28cd429f8365ee128ddc71ef9bd7f80b01de1b5d8088038fcfc04e2d131d6e6e0252721b5a5ac23e33bf659f8756d401b1021581ccc
- memory/2828-135-0x0000000000000000-mapping.dmp
- memory/3624-132-0x0000000000000000-mapping.dmp
- memory/4256-136-0x0000000000000000-mapping.dmp