Analysis
max time kernel: 157s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-10-2022 23:09
Behavioral task: behavioral1
Sample: f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
Resource: win7-20220901-en
General
Target: f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
Size: 350KB
MD5: 6e6cab08847326da2b45c05f92a7d150
SHA1: 316b316351910d02a3a1faacc561d4bab600bac0
SHA256: f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972
SHA512: 8c8388e9bed8cacf8a672b38b856f9e1e24061b0a20b6e293915ea9952ebd676ea97c452b5fde90a42e50d3954914a4ec61c00d47bde4fa3bbdb03326cdeff00
SSDEEP: 6144:oyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:o3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures

Drops file in Drivers directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\33472e04.sys | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  File created | C:\Windows\SysWOW64\drivers\4fec1b82.sys | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe

Possible privilege escalation attempt (2 IoCs)
Processes:
  pid | process
  228 | takeown.exe
  5044 | icacls.exe

Sets service image path in registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\33472e04\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\33472e04.sys" | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4fec1b82\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\4fec1b82.sys" | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
Processes:
  resource | yara_rule
  behavioral2/memory/4176-132-0x0000000001000000-0x000000000112D000-memory.dmp | upx
  behavioral2/memory/4176-137-0x0000000001000000-0x000000000112D000-memory.dmp | upx

Modifies file permissions (1 TTP, 2 IoCs)
Processes:
  pid | process
  228 | takeown.exe
  5044 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe

Drops file in System32 directory (5 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\ws2tcpip.dll | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  File created | C:\Windows\SysWOW64\wshtcpip.dll | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  File opened for modification | C:\Windows\SysWOW64\goodsb.dll | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  File created | C:\Windows\SysWOW64\goodsb.dll | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe

Modifies registry class (4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe" | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "Fqfw.dll" | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe (64 identical entries)
Suspicious behavior: LoadsDriver (5 IoCs)
Processes:
  pid | process
  660 |
  4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  660 |
  4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
  Token: SeTakeOwnershipPrivilege | 228 | takeown.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 4176 wrote to memory of 4200 | 4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe | cmd.exe
  PID 4176 wrote to memory of 4200 | 4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe | cmd.exe
  PID 4176 wrote to memory of 4200 | 4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe | cmd.exe
  PID 4200 wrote to memory of 228 | 4200 | cmd.exe | takeown.exe
  PID 4200 wrote to memory of 228 | 4200 | cmd.exe | takeown.exe
  PID 4200 wrote to memory of 228 | 4200 | cmd.exe | takeown.exe
  PID 4200 wrote to memory of 5044 | 4200 | cmd.exe | icacls.exe
  PID 4200 wrote to memory of 5044 | 4200 | cmd.exe | icacls.exe
  PID 4200 wrote to memory of 5044 | 4200 | cmd.exe | icacls.exe
  PID 4176 wrote to memory of 1500 | 4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe | cmd.exe
  PID 4176 wrote to memory of 1500 | 4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe | cmd.exe
  PID 4176 wrote to memory of 1500 | 4176 | f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe | cmd.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f33ba83b791e93de63f6bcd2a96366e66c1ff9a4ae9d90eef8dc06307ad46972.exe"
   - Drops file in Drivers directory
   - Sets service image path in registry
   - Installs/modifies Browser Helper Object
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: LoadsDriver
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\takeown.exe
         command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\icacls.exe
         command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions

   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 4b2860d3344b5d23cc88f405cdc1c880
  SHA1: 30304e23db627527e47f5afd04745b1e98cf103e
  SHA256: 07973b6c4bda7ad8a2fb271c9d3573eed7c88f022a5a64621ae2d1a627385b75
  SHA512: 279b4c7e0f953764904f47915c6d7ee6320d933da538e40de0459200d70943df21f35b798675d4a76d1d8f29448e954d4b88e9d5304c98dbc279870ebe8ffe80

memory/228-134-0x0000000000000000-mapping.dmp

memory/1500-136-0x0000000000000000-mapping.dmp

memory/4176-132-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB

memory/4176-137-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB

memory/4200-133-0x0000000000000000-mapping.dmp

memory/5044-135-0x0000000000000000-mapping.dmp