Analysis
- max time kernel: 92s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-10-2022 16:21
Behavioral task: behavioral1
- Sample: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- Resource: win7-20220812-en
General
- Target: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- Size: 350KB
- MD5: 91040f918e84da7c5fc516fb7f00dfb0
- SHA1: faa91ea6fe580dd9540908ae9b55118b862e3e00
- SHA256: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7
- SHA512: 47436b8e4698caf6c086d2432c52346fd1f8a0c994f479c6b6be7308726cf9039dd199f4f6c9d1079ac37d6eab5717293dd784178475b34ddd6eaec272c60f30
- SSDEEP: 6144:nyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:n3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- File created: C:\Windows\SysWOW64\drivers\4e010ad4.sys (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- File created: C:\Windows\SysWOW64\drivers\32aa3f52.sys (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)

Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
- pid 3132: takeown.exe
- pid 3320: icacls.exe

Sets service image path in registry (2 TTPs, 2 IoCs)
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4e010ad4\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\4e010ad4.sys" (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\32aa3f52\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\32aa3f52.sys" (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
Processes:
- resource behavioral2/memory/932-132-0x0000000001000000-0x000000000112D000-memory.dmp, yara_rule: upx
- resource behavioral2/memory/932-133-0x0000000001000000-0x000000000112D000-memory.dmp, yara_rule: upx
- resource behavioral2/memory/932-139-0x0000000001000000-0x000000000112D000-memory.dmp, yara_rule: upx

Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
- pid 3132: takeown.exe
- pid 3320: icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)

Drops file in System32 directory (5 IoCs)
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- File opened for modification: C:\Windows\SysWOW64\goodsb.dll (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- File created: C:\Windows\SysWOW64\goodsb.dll (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- File created: C:\Windows\SysWOW64\ws2tcpip.dll (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- File created: C:\Windows\SysWOW64\wshtcpip.dll (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)

Modifies registry class (4 IoCs)
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe" (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "hHwrU8u.dll" (process: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- pid 932: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe (the same pid/process pair is listed for all 64 entries)

Suspicious behavior: LoadsDriver (5 IoCs)
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- pid 648
- pid 932: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- pid 648
- pid 932: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- pid 932: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe, takeown.exe
- Token: SeDebugPrivilege, pid 932: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe
- Token: SeTakeOwnershipPrivilege, pid 3132: takeown.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe, cmd.exe
- PID 932 wrote to memory of 2548: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe -> cmd.exe (3 entries)
- PID 2548 wrote to memory of 3132: cmd.exe -> takeown.exe (3 entries)
- PID 2548 wrote to memory of 3320: cmd.exe -> icacls.exe (3 entries)
- PID 932 wrote to memory of 3876: 861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe -> cmd.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\861da9737e373f395a73b6ef91fa496c16759baaee27a66b69dc3a6c4e881ad7.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3)
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (depth 3)
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 1aeb4c0d8a3d17647db6e68619c0b653
  SHA1: 41f2ea60972ebd5ff09850dcf7fb04b3d642c84a
  SHA256: 16e21d9ea401cc782d33f5f3a4a9dd992ec33943295ff4fbc181ab194258322c
  SHA512: 36962bd6bb9310fa4436bce66687ad1a5ac7ef096e36fd162dc696a8d0533b820413f6c890b3234ab30184ec325338ec2b48b15e9dd3ee8466552e32be4546e1
- memory/932-132-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/932-133-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/932-139-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/2548-134-0x0000000000000000-mapping.dmp
- memory/3132-135-0x0000000000000000-mapping.dmp
- memory/3320-136-0x0000000000000000-mapping.dmp
- memory/3876-137-0x0000000000000000-mapping.dmp