Analysis
  max time kernel:   155s
  max time network:  175s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220812-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         02-10-2022 23:09
Behavioral task
  behavioral1
  Sample:    c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
  Resource:  win7-20220812-en
General
  Target:  c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
  Size:    350KB
  MD5:     7213d35b76127d8520d6951fcb421bd0
  SHA1:    ebef16e23b72684aa6524602d7e5e6caa12a9c5f
  SHA256:  c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735
  SHA512:  8766dd9e677e556fa7db9626c2f02c61d0a6d432d32fa97a277fe9887da5146c51fae502535d986316651148df96cd1c5d6abd22029c2f8e9a0b2380c078a98a
  SSDEEP:  6144:VyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:V3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\SysWOW64\drivers\7c36ea1e.sys | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    File created | C:\Windows\SysWOW64\drivers\009ddf98.sys | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid | process
    2180 | takeown.exe
    3228 | icacls.exe
Sets service image path in registry (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\7c36ea1e\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\7c36ea1e.sys" | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\009ddf98\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\009ddf98.sys" | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
Processes:
    resource | yara_rule
    behavioral2/memory/2800-132-0x0000000001000000-0x000000000112D000-memory.dmp | upx
    behavioral2/memory/2800-138-0x0000000001000000-0x000000000112D000-memory.dmp | upx
Modifies file permissions (1 TTPs, 2 IoCs)
  Processes:
    pid | process
    2180 | takeown.exe
    3228 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes:
    description | ioc | process
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
Drops file in System32 directory (5 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\SysWOW64\wshtcpip.dll | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    File opened for modification | C:\Windows\SysWOW64\goodsb.dll | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    File created | C:\Windows\SysWOW64\goodsb.dll | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    File created | C:\Windows\SysWOW64\ws2tcpip.dll | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
Modifies registry class (4 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe" | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "Hh86F.dll" | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
Suspicious behavior: LoadsDriver (5 IoCs)
  Processes:
    pid | process
    648 | (no process name in report)
    2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    648 | (no process name in report)
    2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
    Token: SeTakeOwnershipPrivilege | 2180 | takeown.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 2800 wrote to memory of 2324 | 2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe | cmd.exe
    PID 2800 wrote to memory of 2324 | 2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe | cmd.exe
    PID 2800 wrote to memory of 2324 | 2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe | cmd.exe
    PID 2324 wrote to memory of 2180 | 2324 | cmd.exe | takeown.exe
    PID 2324 wrote to memory of 2180 | 2324 | cmd.exe | takeown.exe
    PID 2324 wrote to memory of 2180 | 2324 | cmd.exe | takeown.exe
    PID 2324 wrote to memory of 3228 | 2324 | cmd.exe | icacls.exe
    PID 2324 wrote to memory of 3228 | 2324 | cmd.exe | icacls.exe
    PID 2324 wrote to memory of 3228 | 2324 | cmd.exe | icacls.exe
    PID 2800 wrote to memory of 4084 | 2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe | cmd.exe
    PID 2800 wrote to memory of 4084 | 2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe | cmd.exe
    PID 2800 wrote to memory of 4084 | 2800 | c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe | cmd.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\c066624d6a2397481ad417ff582f874b84ad6094114cb7a4fafa38cddd5e6735.exe"
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Installs/modifies Browser Helper Object
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        - Suspicious use of WriteProcessMemory
      [3] C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [3] C:\Windows\SysWOW64\icacls.exe
          command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    Filesize:  181B
    MD5:       cd4f9c9d95d552151d9120ecf10f5ea0
    SHA1:      9fcf873b099b6d3fa99a6187cbf2d93792c55d0d
    SHA256:    5c1b60f824779b3700cc06f47be29f75eafe395a4baa80586558a2c42759c808
    SHA512:    5fb70306c8bf38e3208e50c98ce0ccd0c57cf20011f3c17dae43ef67d6c3ce887dec2f273be8b6157b05c3424842f13c8772b9ecb93328fbcaaa591e23bcba3a
  memory/2180-134-0x0000000000000000-mapping.dmp
  memory/2324-133-0x0000000000000000-mapping.dmp
  memory/2800-132-0x0000000001000000-0x000000000112D000-memory.dmp
    Filesize:  1.2MB
  memory/2800-138-0x0000000001000000-0x000000000112D000-memory.dmp
    Filesize:  1.2MB
  memory/3228-135-0x0000000000000000-mapping.dmp
  memory/4084-136-0x0000000000000000-mapping.dmp