2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e

General

Target

2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
Size

1.4MB
MD5

48fcf3f1050b46510289f70675102a40
SHA1

9d532631d9b934070bc7caab50e524c52e3586dc
SHA256

2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e
SHA512

ade6c604b9df8c08f0f668538d9c7d7cabbb641d6eab29d1118c2f31a8ff26832fddd2a2e27ab76161638e9c4e32d5c6006db3e1231d0c64b029d2316dfb66f2
SSDEEP

24576:INmF/mnBoDM5f7F2RdcclPqVX7TwBTGQOD6N+FrFtTp3I1gRUfbVx5rLIhkp8TRu:IYVZo5TcRB1oNp4v7L81u

Score

8^/10

discovery exploit

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ms.exe

pid process

540 ms.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

1608 icacls.exe
300 takeown.exe
Loads dropped DLL 1 IoCs

Processes:

2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe

pid process

2016 2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

300 takeown.exe
1608 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
540	ms.exe

pid	process
1608	icacls.exe
300	takeown.exe

pid	process
300	takeown.exe
1608	icacls.exe

Drops file in Windows directory 2 IoCs

Processes:

2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe

description	ioc	process
File opened for modification	C:\WINDOWS\Bef.tmp	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
File opened for modification	C:\Windows\yre.tmp	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe

pid	process
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

takeown.exe

description pid process

Token: SeTakeOwnershipPrivilege 300 takeown.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ms.exe

pid process

540 ms.exe
540 ms.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	300	takeown.exe

pid	process
540	ms.exe
540	ms.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exems.exe

description	pid	process	target process
PID 2016 wrote to memory of 540	2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe	ms.exe
PID 2016 wrote to memory of 540	2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe	ms.exe
PID 2016 wrote to memory of 540	2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe	ms.exe
PID 2016 wrote to memory of 540	2016	2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe	ms.exe
PID 540 wrote to memory of 300	540	ms.exe	takeown.exe
PID 540 wrote to memory of 300	540	ms.exe	takeown.exe
PID 540 wrote to memory of 300	540	ms.exe	takeown.exe
PID 540 wrote to memory of 300	540	ms.exe	takeown.exe
PID 540 wrote to memory of 1608	540	ms.exe	icacls.exe
PID 540 wrote to memory of 1608	540	ms.exe	icacls.exe
PID 540 wrote to memory of 1608	540	ms.exe	icacls.exe
PID 540 wrote to memory of 1608	540	ms.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe
"C:\Users\Admin\AppData\Local\Temp\2cdffe34c4a8bb1f41b18299d1aea771daf6aed34dc1134d502fd5e655c5464e.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\ms.exe
C:\Users\Admin\AppData\Local\Temp\ms.exe k
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\system32\takeown.exe
takeown /f "C:\WINDOWS\system32\Sens.dll"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\system32\icacls.exe
icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a37f6986bc775c44618b3809c558234a

SHA1
725ff87dd8c8a45e03dc184545d0867c273284fa

SHA256
057da3046d0a3c08b7c3da9422b1a983d3f46a4d4a6739f3c2d1e1e1cd2c8e85

SHA512
d1dc31e73eff083799bfb28cd429f8365ee128ddc71ef9bd7f80b01de1b5d8088038fcfc04e2d131d6e6e0252721b5a5ac23e33bf659f8756d401b1021581ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a37f6986bc775c44618b3809c558234a

SHA1
725ff87dd8c8a45e03dc184545d0867c273284fa

SHA256
057da3046d0a3c08b7c3da9422b1a983d3f46a4d4a6739f3c2d1e1e1cd2c8e85

SHA512
d1dc31e73eff083799bfb28cd429f8365ee128ddc71ef9bd7f80b01de1b5d8088038fcfc04e2d131d6e6e0252721b5a5ac23e33bf659f8756d401b1021581ccc

Download Submit
\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB

MD5
a37f6986bc775c44618b3809c558234a

SHA1
725ff87dd8c8a45e03dc184545d0867c273284fa

SHA256
057da3046d0a3c08b7c3da9422b1a983d3f46a4d4a6739f3c2d1e1e1cd2c8e85

SHA512
d1dc31e73eff083799bfb28cd429f8365ee128ddc71ef9bd7f80b01de1b5d8088038fcfc04e2d131d6e6e0252721b5a5ac23e33bf659f8756d401b1021581ccc

Download Submit
memory/300-60-0x0000000000000000-mapping.dmp

Download
memory/540-56-0x0000000000000000-mapping.dmp

Download
memory/1608-61-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads