Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-11-2022 05:30
- Static task: static1
- Behavioral task: behavioral1
- Sample: 11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe
- Resource: win7-20220901-en
General
- Target: 11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe
- Size: 1.5MB
- MD5: 428b12438e19486171dcb1fed5fb0e30
- SHA1: a889bbd78950a4dc9f9ac9aabe599e65e50b9374
- SHA256: 11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a
- SHA512: 354acd1914f01d0781625c052b0a045cd941847d75ffae1134016fcb673c52c24e0080b0cb33c6f3ba36cff6457b3a5fdfbe4b0bdd86c2a331ac251abe8a0404
- SSDEEP: 24576:ENmF/mnBoDM5f7F2iQRKZk+61i5cCPWZj+VhmdO1j+72gJQnpJYT1e1G6wuYYIKT:EYVZo5TciQqk+61i5cYWZjSY8+cnpJYs
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 4532 ms.exe
- Possible privilege escalation attempt (2 IoCs)
  Processes: pid 3228 takeown.exe; pid 1504 icacls.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: pid 3228 takeown.exe; pid 1504 icacls.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (2 IoCs)
  Process 11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe:
  File opened for modification: C:\WINDOWS\Bef.tmp
  File opened for modification: C:\Windows\yre.tmp
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 4820 11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe (the same process and pid reported for all 64 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 3228 takeown.exe, Token: SeTakeOwnershipPrivilege
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: pid 4532 ms.exe (2 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4820 (11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe) wrote to memory of PID 4532 (ms.exe): 3 entries
  PID 4532 (ms.exe) wrote to memory of PID 3228 (takeown.exe): 2 entries
  PID 4532 (ms.exe) wrote to memory of PID 1504 (icacls.exe): 2 entries
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11ffeec3f4fed5eddb165eeeb7dcc5b90f6d145f6769306de80f953b4204202a.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\ms.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SYSTEM32\takeown.exe
      Command line: takeown /f "C:\WINDOWS\system32\Sens.dll"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - Level 3: C:\Windows\SYSTEM32\icacls.exe
      Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\ms.exe
  Filesize: 424KB
  MD5: 02b851dad92c7daf80ba5e676d122308
  SHA1: d9c6bdca0df939241a24712faa6b25b55e9730ba
  SHA256: d76f7a5f1c428e0c2b498d37eaeb9c93f4dd0aeee4167d4335f0e8458bdaeef2
  SHA512: 5e2e1f29f53343946058d6c0e433d7c4cf9fe4532f4a6006fd56d09c40ea21ac90324278a85f6f4dc2ba2b5b1fc29551a2cd6629aea5b6fe20f64fd0e2a09434
- memory/1504-136-0x0000000000000000-mapping.dmp
- memory/3228-135-0x0000000000000000-mapping.dmp
- memory/4532-132-0x0000000000000000-mapping.dmp