Analysis
-
max time kernel
148s
-
max time network
155s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted
19-11-2022 04:32
Static task
static1
Behavioral task
behavioral1
Sample
68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe
Resource
win7-20220812-en
General
-
Target
68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe
-
Size
1.4MB
-
MD5
168be9deb1d210efdde5bfc4b6d59390
-
SHA1
e51d8f94916c8abb75a647e52078fc6c7a96d1f3
-
SHA256
68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941
-
SHA512
d1f05d64ea017ae00e7491a7f413c168d7978b315dffca4d5db3129adfdc8e03a126abb9cb714dc3e9cc3d76add0bb954751d3f8638a1b751b3c6f744d05f173
-
SSDEEP
24576:gNmF/mnBoDM5f7F2hQHhToIzdF9s8kwWcMXixJH9GSG+VLUx3GHE07y:gYVZo5TchQBvj9tWXaJHkMLhkSy
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid 1012 ms.exe
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid 1860 takeown.exe
pid 1540 icacls.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid 1976 68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid 1860 takeown.exe
pid 1540 icacls.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 2 IoCs
Processes:
File opened for modification C:\WINDOWS\Bef.tmp (process 68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe)
File opened for modification C:\Windows\yre.tmp (process 68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe)
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes:
pid 1976 68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe (37 identical entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: SeTakeOwnershipPrivilege, pid 1860 takeown.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid 1012 ms.exe (2 identical entries)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 1976 68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe wrote to memory of PID 1012 ms.exe (4 entries)
PID 1012 ms.exe wrote to memory of PID 1860 takeown.exe (4 entries)
PID 1012 ms.exe wrote to memory of PID 1540 icacls.exe (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\68a44ed5098a490f95171306358983800be319f5381424be7fb7441508afe941.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ms.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exe (depth 3)
Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe (depth 3)
Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
- Possible privilege escalation attempt
- Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize 424KB
MD5 224ee144eb388979711b9c37411418c4
SHA1 4537031b414f1ce14182076996d72aaf710710be
SHA256 d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253
SHA512 cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d
-
\Users\Admin\AppData\Local\Temp\ms.exe
Filesize 424KB
MD5 224ee144eb388979711b9c37411418c4
SHA1 4537031b414f1ce14182076996d72aaf710710be
SHA256 d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253
SHA512 cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d
-
memory/1012-56-0x0000000000000000-mapping.dmp
-
memory/1540-61-0x0000000000000000-mapping.dmp
-
memory/1860-60-0x0000000000000000-mapping.dmp
-
memory/1976-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp
Filesize 8KB