Analysis
- max time kernel: 124s
- max time network: 84s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 13-10-2022 15:24
Behavioral task
- behavioral1
- Sample: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- Resource: win7-20220812-en
General
- Target: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- Size: 350KB
- MD5: 7ba6f61c9744c9dd49c16b134b2d9690
- SHA1: 88902c863f6de3a4acf1f0af0236adca42e429b7
- SHA256: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d
- SHA512: 9e1bf324f9bfcf5c835ffe6119b01aa7adae4bc593536b9f5454aa8965e7f5e5ee5d10d44ed4eb478bc2a66ea2e2e54a3e5df23ebb33f2348fb90f2e23469903
- SSDEEP: 6144:oyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:o3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
-
Drops file in Drivers directory (2 IoCs)
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- File created: C:\Windows\SysWOW64\drivers\69ec8f6d.sys
- File created: C:\Windows\SysWOW64\drivers\1547baeb.sys
-
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
- pid 1356: takeown.exe
- pid 1840: icacls.exe
-
Sets service image path in registry (2 TTPs, 2 IoCs)
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\69ec8f6d\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\69ec8f6d.sys"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\1547baeb\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\1547baeb.sys"
-
Processes (resource / yara_rule):
- behavioral1/memory/828-55-0x0000000001000000-0x000000000112D000-memory.dmp: upx
- behavioral1/memory/828-60-0x0000000001000000-0x000000000112D000-memory.dmp: upx
-
Deletes itself (1 IoC)
Processes: cmd.exe
- pid 680: cmd.exe
-
Modifies file permissions (1 TTP, 2 IoCs)
Processes: icacls.exe, takeown.exe
- pid 1840: icacls.exe
- pid 1356: takeown.exe
-
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
-
Drops file in System32 directory (5 IoCs)
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- File created: C:\Windows\SysWOW64\ws2tcpip.dll
- File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll
- File created: C:\Windows\SysWOW64\wshtcpip.dll
- File opened for modification: C:\Windows\SysWOW64\goodsb.dll
- File created: C:\Windows\SysWOW64\goodsb.dll
-
Modifies registry class (4 IoCs)
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "h7yeeuu7.dll"
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- pid 828: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe (this same pid/process pair is listed for all 64 IoCs)
-
Suspicious behavior: LoadsDriver (5 IoCs)
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- pid 464
- pid 828: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- pid 464
- pid 828: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- pid 828: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe, takeown.exe
- Token: SeDebugPrivilege, pid 828: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe
- Token: SeTakeOwnershipPrivilege, pid 1356: takeown.exe
-
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe, cmd.exe
- PID 828 wrote to memory of 976: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe -> cmd.exe (listed 4 times)
- PID 976 wrote to memory of 1356: cmd.exe -> takeown.exe (listed 4 times)
- PID 976 wrote to memory of 1840: cmd.exe -> icacls.exe (listed 4 times)
- PID 828 wrote to memory of 680: da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe -> cmd.exe (listed 4 times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\da594b709134777845c7cd30069ce42538594a02026b3f6a751617b746cce07d.exe"
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\takeown.exe (level 3)
    Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\icacls.exe (level 3)
    Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  -
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
- Filesize: 181B
- MD5: f4aa3e62f21cd8afe36e4247cfdc6000
- SHA1: 3cc98ccc75f35c98418fb0a5f17df97ac5dde29c
- SHA256: 33976eb73712c3deb6bcff8ab57fc4c5f377d4b50e4e3a55b76fc0c1d93d9825
- SHA512: d6a3aa8beb9a047deeff9586ee36844b992b2f8efb803d911e735b78a07ef41e0139d86e8ed8a86c26cfb64a9768c8eaa03246682de15827822c7380917f97ad
-
memory/680-59-0x0000000000000000-mapping.dmp
-
memory/828-54-0x0000000075A11000-0x0000000075A13000-memory.dmp
- Filesize: 8KB
-
memory/828-55-0x0000000001000000-0x000000000112D000-memory.dmp
- Filesize: 1.2MB
-
memory/828-60-0x0000000001000000-0x000000000112D000-memory.dmp
- Filesize: 1.2MB
-
memory/976-56-0x0000000000000000-mapping.dmp
-
memory/1356-57-0x0000000000000000-mapping.dmp
-
memory/1840-58-0x0000000000000000-mapping.dmp