Analysis
- max time kernel: 91s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 02:02
Static task: static1
Behavioral task: behavioral1
- Sample: 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Resource: win10v2004-20220901-en
General
- Target: 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Size: 329KB
- MD5: 0690d95426836d60499ad4d35f36c440
- SHA1: 2a54159692e0c6d781ccdcf42fbe20695fa6d7df
- SHA256: 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9
- SHA512: 34e9a52d70fbcbba3c41c94743e02724c6e331b59f03369d7a75b4ab42e5bc63b69bfe7a4f318f0880e78290f8094d9bfab752f7efb185870870ccf2ddd0a18a
- SSDEEP: 6144:nqpxvlACym6wGGWFGDwZyoJ3fzBeM6SpktqHQI6mVk8cL3/CzYjsHh:nqjvlA06wLBHAf9eMvHwmVkhL36zYwHh
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Windows\SysWOW64\drivers\4833b2eb.sys | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid | process):
    900 | takeown.exe
    1832 | icacls.exe
    2724 | takeown.exe
    1348 | icacls.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4833b2eb\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\4833b2eb.sys" | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes (pid | process):
    2724 | takeown.exe
    1348 | icacls.exe
    900 | takeown.exe
    1832 | icacls.exe
- Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes (description | ioc | process):
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Maps connected drives based on registry (3 TTPs, 3 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Drops file in System32 directory (4 IoCs)
  Processes (description | ioc | process):
    File created | C:\Windows\SysWOW64\ws2tcpip.dll | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    File created | C:\Windows\SysWOW64\wshtcpip.dll | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    File created | C:\Windows\SysWOW64\midimap.dll | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Modifies registry class (4 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe" | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "Gwhfurit3.dll" | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
    4860 | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe (this identical row is listed 64 times in the report)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes (pid | process):
    648 | (process name not recorded in the report)
    4860 | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4860 | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
    Token: SeTakeOwnershipPrivilege | 2724 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 900 | takeown.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process); each row appears 3 times in the report:
    PID 4860 wrote to memory of 1984 | 4860 | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe | cmd.exe
    PID 1984 wrote to memory of 2724 | 1984 | cmd.exe | takeown.exe
    PID 1984 wrote to memory of 1348 | 1984 | cmd.exe | icacls.exe
    PID 4860 wrote to memory of 656 | 4860 | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe | cmd.exe
    PID 656 wrote to memory of 900 | 656 | cmd.exe | takeown.exe
    PID 656 wrote to memory of 1832 | 656 | cmd.exe | icacls.exe
    PID 4860 wrote to memory of 1580 | 4860 | 58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe | cmd.exe
Processes (process tree; indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58b5f8100e3cc208d45c23520cdd3aac05a89c474d7efa59a1d0c60e961b96c9.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\takeown.exe
          Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\icacls.exe
          Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\takeown.exe
          Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\icacls.exe
          Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 9eaafe8f94926d4ccc5f506bed53d5c6
  SHA1: 981d86b1d22869ae6582574a6638dd7bd386a098
  SHA256: 721ebfb279c8cca3679ae458901c0264534b4dbd93c2e1ad1fa30dc6961b4b2d
  SHA512: b1f2c6c0830fcf75c3114ee12af5888953d68f666fea00f09d46233a2c59f6c74bbb1d25865e8cff0884bd488f1833cdfd3a302379a0875dc902d0d5ee4076c0
- memory/656-139-0x0000000000000000-mapping.dmp
- memory/900-140-0x0000000000000000-mapping.dmp
- memory/1348-138-0x0000000000000000-mapping.dmp
- memory/1580-142-0x0000000000000000-mapping.dmp
- memory/1832-141-0x0000000000000000-mapping.dmp
- memory/1984-136-0x0000000000000000-mapping.dmp
- memory/2724-137-0x0000000000000000-mapping.dmp
- memory/4860-135-0x0000000000550000-0x0000000000570000-memory.dmp
  Filesize: 128KB
- memory/4860-132-0x0000000001000000-0x0000000001168000-memory.dmp
  Filesize: 1.4MB
- memory/4860-134-0x0000000001000000-0x0000000001168000-memory.dmp
  Filesize: 1.4MB
- memory/4860-143-0x0000000001000000-0x0000000001168000-memory.dmp
  Filesize: 1.4MB
- memory/4860-133-0x0000000000550000-0x0000000000570000-memory.dmp
  Filesize: 128KB