Analysis
- max time kernel: 91s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-10-2022 15:24
Behavioral task: behavioral1
- Sample: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Resource: win7-20220901-en
General
- Target: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Size: 350KB
- MD5: 4768d8eb4aefce2d20702b267b90a2e0
- SHA1: 5c38fd6af5c6daf07c97691744d6651094bbccbd
- SHA256: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f
- SHA512: 14175b4a7fd7fba1da669e924e9499b82c2c84c98f01f4d8095a73ce584d47f292aad3e64e6ccd2d230e9fb3b9b68604f46eda700c17fad7923c3c7276d26fcc
- SSDEEP: 6144:YyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:Y3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
-
Drops file in Drivers directory (2 IoCs)
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
description | ioc | process
- File created | C:\Windows\SysWOW64\drivers\0362103f.sys | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- File created | C:\Windows\SysWOW64\drivers\7fc925b9.sys | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
- 1484 | takeown.exe
- 1992 | icacls.exe
Sets service image path in registry (2 TTPs, 2 IoCs)
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\0362103f\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\0362103f.sys" | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\7fc925b9\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\7fc925b9.sys" | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Processes:
resource | yara_rule
- behavioral2/memory/5008-132-0x0000000001000000-0x000000000112D000-memory.dmp | upx
- behavioral2/memory/5008-133-0x0000000001000000-0x000000000112D000-memory.dmp | upx
- behavioral2/memory/5008-138-0x0000000001000000-0x000000000112D000-memory.dmp | upx
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
- 1484 | takeown.exe
- 1992 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
description | ioc | process
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Drops file in System32 directory (5 IoCs)
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
description | ioc | process
- File opened for modification | C:\Windows\SysWOW64\goodsb.dll | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- File created | C:\Windows\SysWOW64\goodsb.dll | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- File created | C:\Windows\SysWOW64\ws2tcpip.dll | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- File created | C:\Windows\SysWOW64\wshtcpip.dll | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Modifies registry class (4 IoCs)
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe" | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "qsadwaq.dll" | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
pid | process
- 5008 | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe (all 64 IoCs are this same entry)
Suspicious behavior: LoadsDriver (5 IoCs)
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
pid | process
- 656 | (no process name given in the report)
- 5008 | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- 656 | (no process name given in the report)
- 5008 | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- 5008 | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe, takeown.exe
description | pid | process
- Token: SeDebugPrivilege | 5008 | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
- Token: SeTakeOwnershipPrivilege | 1484 | takeown.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe, cmd.exe
description | pid | process | target process
- PID 5008 wrote to memory of 764 | 5008 | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe | cmd.exe (3 entries)
- PID 764 wrote to memory of 1484 | 764 | cmd.exe | takeown.exe (3 entries)
- PID 764 wrote to memory of 1992 | 764 | cmd.exe | icacls.exe (3 entries)
- PID 5008 wrote to memory of 2696 | 5008 | aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe | cmd.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (level 3)
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (level 3)
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 8047b8c153bd5cbf722d165423c140fb
  SHA1: b730b1bf09af0ea6916f6733500d44429e627efe
  SHA256: 253a85ca707288d2db23cc377a1ae43f299c288a3b51e04e3df23e519251a5e9
  SHA512: 1e2babdcc9ebd1231801a084ab262b19bfb699896d1f8fc5e819dc1452e7e88bcc2db7a6f1d1f57bc212a0d79acca6171dd0020fd1bf855d5037524ed8428b9b
- memory/764-134-0x0000000000000000-mapping.dmp
- memory/1484-135-0x0000000000000000-mapping.dmp
- memory/1992-136-0x0000000000000000-mapping.dmp
- memory/2696-137-0x0000000000000000-mapping.dmp
- memory/5008-132-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/5008-133-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/5008-138-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB