Analysis
max time kernel: 123s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 23:29
Behavioral task: behavioral1
Sample: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
Resource: win7-20220812-en
General
Target: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
Size: 350KB
MD5: 6baf0922d48529fad95218201e47dc00
SHA1: 959a4ca7973eb518e45cdca1d65344a6fad65085
SHA256: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f
SHA512: f608f682a651353ee28ef34ca41bea0d94538966a273bb8659ed2e58a678a26a641ef12b35f013d7a9b34bcb0e468454df158896623e139bc502a668cb51ca56
SSDEEP: 6144:hyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:h3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- File created: C:\Windows\SysWOW64\drivers\4f99770d.sys (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File created: C:\Windows\SysWOW64\drivers\3332428b.sys (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
- PID 3588: takeown.exe
- PID 3304: icacls.exe
Sets service image path in registry (2 TTPs, 2 IoCs)
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\3332428b\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\3332428b.sys" (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4f99770d\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\4f99770d.sys" (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Yara rule matches (3 IoCs)
Processes:
- resource: behavioral2/memory/4912-132-0x0000000001000000-0x000000000112D000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/4912-133-0x0000000001000000-0x000000000112D000-memory.dmp, yara_rule: upx
- resource: behavioral2/memory/4912-138-0x0000000001000000-0x000000000112D000-memory.dmp, yara_rule: upx
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
- PID 3588: takeown.exe
- PID 3304: icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Drops file in System32 directory (5 IoCs)
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- File opened for modification: C:\Windows\SysWOW64\goodsb.dll (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File created: C:\Windows\SysWOW64\goodsb.dll (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File created: C:\Windows\SysWOW64\ws2tcpip.dll (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- File created: C:\Windows\SysWOW64\wshtcpip.dll (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Modifies registry class (4 IoCs)
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe" (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "u6ru.dll" (56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- PID 4912: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe (this same entry is listed 64 times in the report)
Suspicious behavior: LoadsDriver (5 IoCs)
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- PID 668
- PID 4912: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- PID 668
- PID 4912: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- PID 4912: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe, takeown.exe
- Token: SeDebugPrivilege, PID 4912, 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
- Token: SeTakeOwnershipPrivilege, PID 3588, takeown.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe, cmd.exe
- PID 4912 wrote to memory of 5036: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe -> cmd.exe
- PID 4912 wrote to memory of 5036: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe -> cmd.exe
- PID 4912 wrote to memory of 5036: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe -> cmd.exe
- PID 5036 wrote to memory of 3588: cmd.exe -> takeown.exe
- PID 5036 wrote to memory of 3588: cmd.exe -> takeown.exe
- PID 5036 wrote to memory of 3588: cmd.exe -> takeown.exe
- PID 5036 wrote to memory of 3304: cmd.exe -> icacls.exe
- PID 5036 wrote to memory of 3304: cmd.exe -> icacls.exe
- PID 5036 wrote to memory of 3304: cmd.exe -> icacls.exe
- PID 4912 wrote to memory of 944: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe -> cmd.exe
- PID 4912 wrote to memory of 944: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe -> cmd.exe
- PID 4912 wrote to memory of 944: 56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe -> cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\56e1b4b56599a29bf73d3065c591a126d3554665da3d57acfe534d9bbc63c31f.exe"
   - Drops file in Drivers directory
   - Sets service image path in registry
   - Installs/modifies Browser Helper Object
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: LoadsDriver
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\takeown.exe
         Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\icacls.exe
         Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: b4743827e81802cba319c1c2d0fbdc08
  SHA1: 08ae1fd1acebb1195f2b3bf210e81886d600fa6c
  SHA256: 1609cde739aee45548d8335b67ce4a0f154fa95a9fe48d86817ab2f35e6468f9
  SHA512: 8caac5da105a0fd5a637056c3baaf61913c68e8c2d066bceeec804fc697db6d49af30d0547197944b418c226ca259d4ea629a13e36c631469b6a436955a1e713
- memory/944-137-0x0000000000000000-mapping.dmp
- memory/3304-136-0x0000000000000000-mapping.dmp
- memory/3588-135-0x0000000000000000-mapping.dmp
- memory/4912-132-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/4912-133-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/4912-138-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/5036-134-0x0000000000000000-mapping.dmp