Analysis
-
max time kernel
87s -
max time network
66s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
03-10-2022 23:29
Behavioral task
behavioral1
Sample
56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
Resource
win7-20220812-en
General
-
Target
56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
-
Size
350KB
-
MD5
6baf0922d48529fad95218201e47dc00
-
SHA1
959a4ca7973eb518e45cdca1d65344a6fad65085
-
SHA256
56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f
-
SHA512
f608f682a651353ee28ef34ca41bea0d94538966a273bb8659ed2e58a678a26a641ef12b35f013d7a9b34bcb0e468454df158896623e139bc502a668cb51ca56
-
SSDEEP
6144:hyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:h3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes:
- File created C:\Windows\SysWOW64\drivers\5c2c6a31.sys (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File created C:\Windows\SysWOW64\drivers\20875fb7.sys (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Possible privilege escalation attempt 2 IoCs
Processes:
- pid 1912 takeown.exe
- pid 944 icacls.exe
Sets service image path in registry 2 TTPs 2 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\20875fb7\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\20875fb7.sys" (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\5c2c6a31\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\5c2c6a31.sys" (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
YARA rule match: upx 3 IoCs
Processes:
- behavioral1/memory/1080-55-0x0000000001000000-0x000000000112D000-memory.dmp (rule: upx)
- behavioral1/memory/1080-56-0x0000000001000000-0x000000000112D000-memory.dmp (rule: upx)
- behavioral1/memory/1080-61-0x0000000001000000-0x000000000112D000-memory.dmp (rule: upx)
Deletes itself 1 IoCs
Processes:
- pid 1636 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
Processes:
- pid 1912 takeown.exe
- pid 944 icacls.exe
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Drops file in System32 directory 5 IoCs
Processes:
- File opened for modification C:\Windows\SysWOW64\goodsb.dll (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File created C:\Windows\SysWOW64\goodsb.dll (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File created C:\Windows\SysWOW64\ws2tcpip.dll (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File opened for modification C:\Windows\SysWOW64\ws2tcpip.dll (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File created C:\Windows\SysWOW64\wshtcpip.dll (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Modifies registry class 4 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe" (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "ejDiwR.dll" (process: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 1080 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe (64 entries, all for this process)
Suspicious behavior: LoadsDriver 5 IoCs
Processes:
- pid 460
- pid 1080 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- pid 460
- pid 1080 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- pid 1080 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, pid 1080 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- Token: SeTakeOwnershipPrivilege, pid 1912 takeown.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
- PID 1080 (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe) wrote to memory of PID 792 (cmd.exe), 4 events
- PID 792 (cmd.exe) wrote to memory of PID 1912 (takeown.exe), 4 events
- PID 792 (cmd.exe) wrote to memory of PID 944 (icacls.exe), 4 events
- PID 1080 (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe) wrote to memory of PID 1636 (cmd.exe), 4 events
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    - Deletes itself
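The process tree and signatures above describe one chain: the sample drops two randomly named .sys files into SysWOW64\drivers, registers each as a service by writing its ImagePath, loads the drivers, creates wshtcpip.dll (the path of the legitimate Winsock helper DLL) in SysWOW64, runs takeown and icacls against that file, rewrites non-GUID subkeys (HOOK_ID, SYS_DLL) under Classes\CLSID, deletes the Browser Helper Objects keys, and finally removes itself through a batch file in Temp. Two caveats for triage: files under System32 and SysWOW64 are owned by TrustedInstaller with Administrators holding only read and execute by default, so even an elevated process must take ownership and re-grant before it can overwrite wshtcpip.dll; the "Possible privilege escalation attempt" label therefore records ACL tampering by a process that is already elevated (takeown.exe enabled SeTakeOwnershipPrivilege), not an actual elevation. The following is an added detection example written for this page, not code from the sandbox or the report; it runs four rules over constructed Sysmon-style events modelled on the IoCs above. Event IDs follow Sysmon (1 process create, 11 file create, 12 registry key create/delete, 13 registry value set); the dict field names are an assumption chosen for illustration.

```python
"""Detection rules over Sysmon-style events for the behaviours in the report.
Added example, not part of the sandbox report. Event IDs follow Sysmon (1
process create, 11 file create, 12 registry key, 13 registry value set); the
dict field names are an assumption chosen for illustration."""
import re

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe")
DRV = "C:\\Windows\\SysWOW64\\drivers\\"
SVC = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\"
CLS = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\"
SYS32 = "C:\\Windows\\SysWOW64\\"

# Constructed events modelled on the report's process tree and IoCs.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1080, "ppid": 500, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 11, "pid": 1080, "target": DRV + "5c2c6a31.sys"},
    {"id": 11, "pid": 1080, "target": DRV + "20875fb7.sys"},
    {"id": 11, "pid": 1080, "target": SYS32 + "wshtcpip.dll"},
    {"id": 13, "pid": 1080, "key": SVC + "20875fb7\\ImagePath",
     "value": "\\??\\" + DRV + "20875fb7.sys"},
    {"id": 13, "pid": 1080, "key": SVC + "5c2c6a31\\ImagePath",
     "value": "\\??\\" + DRV + "5c2c6a31.sys"},
    {"id": 12, "pid": 1080, "key": CLS + "HOOK_ID"},
    {"id": 13, "pid": 1080, "key": CLS + "SYS_DLL\\name", "value": "ejDiwR.dll"},
    {"id": 1, "pid": 792, "ppid": 1080, "image": SYS32 + "cmd.exe",
     "cmd": "cmd.exe /c takeown /f " + SYS32 + "wshtcpip.dll && icacls "
            + SYS32 + "wshtcpip.dll /grant administrators:F"},
    {"id": 1, "pid": 1912, "ppid": 792, "image": SYS32 + "takeown.exe",
     "cmd": "takeown /f " + SYS32 + "wshtcpip.dll"},
    {"id": 1, "pid": 944, "ppid": 792, "image": SYS32 + "icacls.exe",
     "cmd": "icacls " + SYS32 + "wshtcpip.dll /grant administrators:F"},
    {"id": 1, "pid": 1636, "ppid": 1080, "image": SYS32 + "cmd.exe",
     "cmd": "cmd /c C:\\Users\\Admin\\AppData\\Local\\Temp\\ahnmove.bat"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_DIR = "\\appdata\\local\\temp\\"
NT_PREFIX = "\\??\\"
ACL_TOOL_RE = re.compile(r'^(?:takeown\s+/f|icacls)\s+"?([^\s"]+)', re.I)
BAT_RE = re.compile(r'^cmd(?:\.exe)?\s+/c\s+"?([^\s"]+\.bat)', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def norm(path):
    """Lower-case a path and strip the \\??\\ NT object-manager prefix."""
    path = path.strip().strip('"')
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def driver_service_for_dropped_sys(events):
    """Service ImagePath set to a .sys that the same process created earlier.
    Keyed on pid for brevity; a real pipeline should key on ProcessGuid."""
    created, hits = set(), []
    for ev in events:
        if ev["id"] == 11:
            created.add((ev["pid"], norm(ev["target"])))
        elif ev["id"] == 13 and ev["key"].lower().endswith("\\imagepath"):
            target = norm(ev["value"])
            if target.endswith(".sys") and (ev["pid"], target) in created:
                hits.append((ev["pid"], ev["key"].split("\\")[-2], target))
    return hits


def acl_tamper_on_system_files(events):
    """takeown/icacls aimed at a file under System32 or SysWOW64."""
    hits = set()
    for ev in events:
        if ev["id"] != 1:
            continue
        m = ACL_TOOL_RE.match(ev["cmd"].strip())
        if m and norm(m.group(1)).startswith(SYSTEM_DIRS):
            hits.add((ev["image"].rsplit("\\", 1)[-1].lower(), norm(m.group(1))))
    return sorted(hits)


def temp_batch_from_temp_parent(events):
    """cmd /c <Temp>\\x.bat spawned by an executable that itself runs from
    Temp: the shape of the ahnmove.bat self-delete step in the process tree."""
    image = {ev["pid"]: ev["image"] for ev in events if ev["id"] == 1}
    hits = []
    for ev in events:
        if ev["id"] != 1:
            continue
        m = BAT_RE.match(ev["cmd"].strip())
        parent = norm(image.get(ev["ppid"], ""))
        if m and TEMP_DIR in parent and TEMP_DIR in norm(m.group(1)):
            hits.append((ev["ppid"], ev["pid"], m.group(1)))
    return hits


def non_guid_clsid_subkeys(events):
    """CLSID subkeys are normally {GUID}; HOOK_ID and SYS_DLL are not.
    Weak on its own (some installers misuse CLSID), strong with the rules above."""
    hits = set()
    for ev in events:
        if ev["id"] not in (12, 13):
            continue
        parts = ev["key"].split("\\")
        upper = [p.upper() for p in parts]
        if "CLSID" in upper:
            i = upper.index("CLSID") + 1
            if i < len(parts) and not GUID_RE.match(parts[i]):
                hits.add(parts[i])
    return sorted(hits)


def run_all(events):
    """Evaluate every rule and return the hits per rule name."""
    return {f.__name__: f(events) for f in (driver_service_for_dropped_sys,
            acl_tamper_on_system_files, temp_batch_from_temp_parent,
            non_guid_clsid_subkeys)}
```

Run with `python -c "import rules; print(rules.run_all(rules.SAMPLE_EVENTS))"` (assuming the block is saved as rules.py). The first two rules are the high-signal ones: a driver service whose binary was written moments earlier by the registering process, and takeown/icacls against a System32 path from a process chain rooted in a user's Temp directory, are rarely legitimate. The batch-file and CLSID rules are corroborating context rather than stand-alone alerts. Real telemetry should correlate on ProcessGuid rather than pid, since pids are reused.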
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize 181B
MD5 b4743827e81802cba319c1c2d0fbdc08
SHA1 08ae1fd1acebb1195f2b3bf210e81886d600fa6c
SHA256 1609cde739aee45548d8335b67ce4a0f154fa95a9fe48d86817ab2f35e6468f9
SHA512 8caac5da105a0fd5a637056c3baaf61913c68e8c2d066bceeec804fc697db6d49af30d0547197944b418c226ca259d4ea629a13e36c631469b6a436955a1e713
-
memory/792-57-0x0000000000000000-mapping.dmp
-
memory/944-59-0x0000000000000000-mapping.dmp
-
memory/1080-54-0x0000000076411000-0x0000000076413000-memory.dmp
Filesize 8KB
-
memory/1080-55-0x0000000001000000-0x000000000112D000-memory.dmp
Filesize 1.2MB
-
memory/1080-56-0x0000000001000000-0x000000000112D000-memory.dmp
Filesize 1.2MB
-
memory/1080-61-0x0000000001000000-0x000000000112D000-memory.dmp
Filesize 1.2MB
-
memory/1636-60-0x0000000000000000-mapping.dmp
-
memory/1912-58-0x0000000000000000-mapping.dmp