Analysis

max time kernel: 148s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2022 05:30
Static task: static1
Behavioral task: behavioral1
Sample: 11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe
Resource: win7-20220901-en
General

Target: 11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe
Size: 1.5MB
MD5: 428b12438e19486171dcb1fed5fb0e30
SHA1: a889bbd78950a4dc9f9ac9aabe599e65e50b9374
SHA256: 11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a
SHA512: 354acd1914f01d0781625c052b0a045cd941847d75ffae1134016fcb673c52c24e0080b0cb33c6f3ba36cff6457b3a5fdfbe4b0bdd86c2a331ac251abe8a0404
SSDEEP: 24576:ENmF/mnBoDM5f7F2iQRKZk+61i5cCPWZj+VhmdO1j+72gJQnpJYT1e1G6wuYYIKT:EYVZo5TciQqk+61i5cYWZjSY8+cnpJYs
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  108   ms.exe

Possible privilege escalation attempt (2 IoCs)
  pid   process
  1668  takeown.exe
  1332  icacls.exe

Loads dropped DLL (1 IoC)
  pid   process
  1436  11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe

Modifies file permissions (1 TTP, 2 IoCs)
  pid   process
  1668  takeown.exe
  1332  icacls.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Windows directory (2 IoCs)
  description                   ioc                  process
  File opened for modification  C:\WINDOWS\Bef.tmp   11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe
  File opened for modification  C:\Windows\yre.tmp   11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe

Suspicious behavior: EnumeratesProcesses (37 IoCs)
  pid   process
  1436  11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe  (37 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description                      pid   process
  Token: SeTakeOwnershipPrivilege  1668  takeown.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  108   ms.exe  (2 identical entries)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid   process                                                                target process
  PID 1436 wrote to memory of 108  1436  11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe  ms.exe       (4 identical entries)
  PID 108 wrote to memory of 1668  108   ms.exe                                                                 takeown.exe  (4 identical entries)
  PID 108 wrote to memory of 1332  108   ms.exe                                                                 icacls.exe   (4 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe (PID 1436, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ms.exe (PID 108, depth 2, child of PID 1436)
    command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\takeown.exe (PID 1668, depth 3, child of PID 108)
      command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe (PID 1332, depth 3, child of PID 108)
      command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: 02b851dad92c7daf80ba5e676d122308
  SHA1: d9c6bdca0df939241a24712faa6b25b55e9730ba
  SHA256: d76f7a5f1c428e0c2b498d37eaeb9c93f4dd0aeee4167d4335f0e8458bdaeef2
  SHA512: 5e2e1f29f53343946058d6c0e433d7c4cf9fe4532f4a6006fd56d09c40ea21ac90324278a85f6f4dc2ba2b5b1fc29551a2cd6629aea5b6fe20f64fd0e2a09434
memory/108-56-0x0000000000000000-mapping.dmp

memory/1332-61-0x0000000000000000-mapping.dmp

memory/1436-54-0x0000000075711000-0x0000000075713000-memory.dmp
  Filesize: 8KB

memory/1668-60-0x0000000000000000-mapping.dmp