Analysis
-
max time kernel
91s
-
max time network
136s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220901-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
-
submitted
20-11-2022 05:30
Static task
static1
Behavioral task
behavioral1
Sample
0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe
Resource
win7-20220812-en
General
-
Target
0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe
-
Size
1.4MB
-
MD5
344e0bd90f6dab2a3235ee8ee7c89d50
-
SHA1
73ede8ce0a525d3fa3b92db5e3b0a3853c877a7c
-
SHA256
0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d
-
SHA512
69df776059055dd2db708820f2ce613063e05b8901d771e6661de17f7c99b8603a063dca6532929ab34aed86bf477aca75e35e57ece3243683e2a65263fc760e
-
SSDEEP
24576:6NmF/mnBoDM5f7F2hQHhToIzdF9s8kwWcMXixJH9GSG+VLUx3GHE07N:6YVZo5TchQBvj9tWXaJHkMLhkSN
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid  process
336  ms.exe
-
Possible privilege escalation attempt 2 IoCs
Processes:
pid   process
4756  icacls.exe
212   takeown.exe
-
Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid   process
212   takeown.exe
4756  icacls.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 2 IoCs
Processes:
description                   ioc                  process
File opened for modification  C:\WINDOWS\Bef.tmp   0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe
File opened for modification  C:\Windows\yre.tmp   0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
4372  0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe
(64 identical entries, all attributed to PID 4372)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                       pid  process
Token: SeTakeOwnershipPrivilege   212  takeown.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process
336  ms.exe
336  ms.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                      pid   process                                                                  target process
PID 4372 wrote to memory of 336  4372  0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe   ms.exe
PID 4372 wrote to memory of 336  4372  0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe   ms.exe
PID 4372 wrote to memory of 336  4372  0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe   ms.exe
PID 336 wrote to memory of 212   336   ms.exe                                                                   takeown.exe
PID 336 wrote to memory of 212   336   ms.exe                                                                   takeown.exe
PID 336 wrote to memory of 4756  336   ms.exe                                                                   icacls.exe
PID 336 wrote to memory of 4756  336   ms.exe                                                                   icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0ea8e2e648a6a4d1df10efc933866ab260f2d646ea16a758bb6b734d275f5f2d.exe" (tree depth 1)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Users\Admin\AppData\Local\Temp\ms.exe
Command line: C:\Users\Admin\AppData\Local\Temp\ms.exe k (tree depth 2, child of PID 4372)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SYSTEM32\takeown.exe
Command line: takeown /f "C:\WINDOWS\system32\Sens.dll" (tree depth 3, child of PID 336)
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:212 -
C:\Windows\SYSTEM32\icacls.exe
Command line: icacls "C:\WINDOWS\system32\Sens.dll" /grant administrators:F (tree depth 3, child of PID 336)
- Possible privilege escalation attempt
- Modifies file permissions
PID:4756
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ms.exe
Filesize
424KB
MD5
224ee144eb388979711b9c37411418c4
SHA1
4537031b414f1ce14182076996d72aaf710710be
SHA256
d51dfedf88f777136ce1fcbba8c82e11440cf91d1baa278727f708d5c90f1253
SHA512
cecc6f7ab9a61db2fdd5c6d1df2b24920f960968ff7318d4fa5da5d20bbdab023a5d8a8f5ca5f19f87d48cb15c4fb373dde0fef724f0b2fca208954894c3780d
-
memory/212-135-0x0000000000000000-mapping.dmp
-
memory/336-132-0x0000000000000000-mapping.dmp
-
memory/4756-136-0x0000000000000000-mapping.dmp