Analysis
max time kernel: 157s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2022 04:32
Static task: static1
Behavioral task: behavioral1
Sample: 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe
Resource: win7-20221111-en
General
Target: 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe
Size: 1.4MB
MD5: 4f00cdbc19ecae13efde48b177ba2eb0
SHA1: 0963289c7736406d74c62cfa84be17dd8bd9c444
SHA256: 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1
SHA512: b3a5e20b5ccf827a9fccfe6d36e08363df1892d9210a79ef3badbf921088a521330638c16bbf978db0c90ab9600ba8793a59e9113de7f2615e2e0a0eb26023a2
SSDEEP: 24576:KNmF/mnBoDM5f7F2fQRKZk+61i5cCPWZj+Vh8H9GSG+VLUx3GHE072:KYVZo5TcfQqk+61i5cYWZjSqHkMLhkS2
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
- PID 2780 ms.exe
Possible privilege escalation attempt (2 IoCs)
Processes:
- PID 4768 takeown.exe
- PID 116 icacls.exe
Modifies file permissions (1 TTP, 2 IoCs)
Processes:
- PID 116 icacls.exe
- PID 4768 takeown.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Windows directory (2 IoCs)
Processes:
- File opened for modification: C:\WINDOWS\Bef.tmp by 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe
- File opened for modification: C:\Windows\yre.tmp by 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 3368 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe (64 identical entries, all from this one process)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeTakeOwnershipPrivilege, PID 4768 takeown.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 2780 ms.exe
- PID 2780 ms.exe
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (source PID, source process, target process):
- PID 3368 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe wrote to memory of PID 2780 ms.exe
- PID 3368 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe wrote to memory of PID 2780 ms.exe
- PID 3368 6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe wrote to memory of PID 2780 ms.exe
- PID 2780 ms.exe wrote to memory of PID 4768 takeown.exe
- PID 2780 ms.exe wrote to memory of PID 4768 takeown.exe
- PID 2780 ms.exe wrote to memory of PID 116 icacls.exe
- PID 2780 ms.exe wrote to memory of PID 116 icacls.exe
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6303744cf9efdc3d30fa41596b14a18ad3975661de915ab2173fce7266991ca1.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\ms.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SYSTEM32\takeown.exe
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - (level 3) C:\Windows\SYSTEM32\icacls.exe
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: 224ee144eb388979711b9c37411418c4
  SHA1: 4537031b414f1ce14182076996d72aaf710710be
  SHA256: d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253
  SHA512: cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d
- memory/116-136-0x0000000000000000-mapping.dmp
- memory/2780-132-0x0000000000000000-mapping.dmp
- memory/4768-135-0x0000000000000000-mapping.dmp