Analysis
- max time kernel: 93s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-10-2022 23:09
Behavioral task: behavioral1
- Sample: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Resource: win7-20220812-en
General
- Target: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Size: 350KB
- MD5: 6ad13c8ceae3c41e26ef06a6e8ad6b10
- SHA1: c560c593fe899a35257ada608ef1973fdeb03d63
- SHA256: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a
- SHA512: 384f3634c341c33470c060e93913c89132cfb2ff41c70a53e5b3cdf7a384458fecd5ae2624b187e0dd2c9635155c9cd963aa8168f76ab4d5545f71f98df86a4e
- SSDEEP: 6144:TyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:T3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Signatures
Drops file in Drivers directory (2 IoCs)
Processes:
- File created C:\Windows\SysWOW64\drivers\2579fe82.sys by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- File created C:\Windows\SysWOW64\drivers\59d2cb04.sys by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Possible privilege escalation attempt (2 IoCs)
Processes:
- pid 4884 takeown.exe
- pid 4164 icacls.exe
Sets service image path in registry (2 TTPs, 2 IoCs)
Processes:
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\2579fe82\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\2579fe82.sys" by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\59d2cb04\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\59d2cb04.sys" by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Processes:
- resource behavioral2/memory/5060-132-0x0000000001000000-0x000000000112D000-memory.dmp matches yara_rule upx
- resource behavioral2/memory/5060-133-0x0000000001000000-0x000000000112D000-memory.dmp matches yara_rule upx
- resource behavioral2/memory/5060-138-0x0000000001000000-0x000000000112D000-memory.dmp matches yara_rule upx
Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
- pid 4164 icacls.exe
- pid 4884 takeown.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Drops file in System32 directory (5 IoCs)
Processes:
- File created C:\Windows\SysWOW64\goodsb.dll by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- File created C:\Windows\SysWOW64\ws2tcpip.dll by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- File opened for modification C:\Windows\SysWOW64\ws2tcpip.dll by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- File created C:\Windows\SysWOW64\wshtcpip.dll by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- File opened for modification C:\Windows\SysWOW64\goodsb.dll by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Modifies registry class (4 IoCs)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe" by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "uu7weABue.dll" by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID by 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 5060 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe (the same pid/process entry is repeated for all 64 IoCs)
Suspicious behavior: LoadsDriver (5 IoCs)
Processes:
- pid 660
- pid 5060 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- pid 660
- pid 5060 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- pid 5060 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 5060, 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
- Token: SeTakeOwnershipPrivilege, pid 4884, takeown.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 5060 wrote to memory of 4144: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe -> cmd.exe
- PID 5060 wrote to memory of 4144: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe -> cmd.exe
- PID 5060 wrote to memory of 4144: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe -> cmd.exe
- PID 4144 wrote to memory of 4884: cmd.exe -> takeown.exe
- PID 4144 wrote to memory of 4884: cmd.exe -> takeown.exe
- PID 4144 wrote to memory of 4884: cmd.exe -> takeown.exe
- PID 4144 wrote to memory of 4164: cmd.exe -> icacls.exe
- PID 4144 wrote to memory of 4164: cmd.exe -> icacls.exe
- PID 4144 wrote to memory of 4164: cmd.exe -> icacls.exe
- PID 5060 wrote to memory of 1688: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe -> cmd.exe
- PID 5060 wrote to memory of 1688: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe -> cmd.exe
- PID 5060 wrote to memory of 1688: 23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe -> cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (level 3)
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (level 3)
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: d60c6bc7ea955253d79136a5b44e9591
  SHA1: a818609f9f0f7881abfb52b0be529c6c6a50ebb9
  SHA256: 24f820e4f0e9e050de0845a76c5c299953c55391b183ea7e801b500ff7c2a9c1
  SHA512: 0162866a56033b07075a2126168e9b0f0935c1f2d9552209daa4352f73ac89c92a8e690e79a37a2e430dd53c4bbcdcb169cca89fb03597611854972785bbc3d7
- memory/1688-137-0x0000000000000000-mapping.dmp
- memory/4144-134-0x0000000000000000-mapping.dmp
- memory/4164-136-0x0000000000000000-mapping.dmp
- memory/4884-135-0x0000000000000000-mapping.dmp
- memory/5060-132-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/5060-133-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/5060-138-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB