Analysis
- max time kernel: 143s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-10-2022 16:51
Behavioral task: behavioral1
- Sample: 3a42ce62dc71201bb0b8ee51bcae0504d98914c5ac78fddc733c97cb9a827fc0.exe
- Resource: win7-20220812-en
General
- Target: 3a42ce62dc71201bb0b8ee51bcae0504d98914c5ac78fddc733c97cb9a827fc0.exe
- Size: 350KB
- MD5: 80fdd5e3fdfaba98ced681a84eb78d60
- SHA1: 7ae5391c4fd0c115c668a6341dbf60bd67d544e6
- SHA256: 3a42ce62dc71201bb0b8ee51bcae0504d98914c5ac78fddc733c97cb9a827fc0
- SHA512: 54c2a81a507b088fd9d55b213fac39bf9fb8cdd4dc0329fb31962ff5712db97e4356e1cdeab3fdda29da8fcdabbd0e5f8de533698d149f1a14f76fbc6b959476
- SSDEEP: 6144:XyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:X3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
(In the entries below, "sample" means 3a42ce62dc71201bb0b8ee51bcae0504d98914c5ac78fddc733c97cb9a827fc0.exe, pid 1276.)

- Drops file in Drivers directory (2 IoCs)
  Process: sample
    File created  C:\Windows\SysWOW64\drivers\623ee6d5.sys
    File created  C:\Windows\SysWOW64\drivers\1e95d353.sys

- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid 1504  icacls.exe
    pid 4560  takeown.exe

- Sets service image path in registry (2 TTPs, 2 IoCs)
  Process: sample
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\623ee6d5\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\623ee6d5.sys"
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\1e95d353\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\1e95d353.sys"

- yara rule match: upx (3 IoCs)
  Resources:
    behavioral2/memory/1276-132-0x0000000001000000-0x000000000112D000-memory.dmp
    behavioral2/memory/1276-133-0x0000000001000000-0x000000000112D000-memory.dmp
    behavioral2/memory/1276-138-0x0000000001000000-0x000000000112D000-memory.dmp

- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    pid 4560  takeown.exe
    pid 1504  icacls.exe

- Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Process: sample
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    Key deleted  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}

- Drops file in System32 directory (5 IoCs)
  Process: sample
    File created                  C:\Windows\SysWOW64\wshtcpip.dll
    File opened for modification  C:\Windows\SysWOW64\goodsb.dll
    File created                  C:\Windows\SysWOW64\goodsb.dll
    File created                  C:\Windows\SysWOW64\ws2tcpip.dll
    File opened for modification  C:\Windows\SysWOW64\ws2tcpip.dll

- Modifies registry class (4 IoCs)
  Process: sample
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "3a42ce62dc71201bb0b8ee51bcae0504d98914c5ac78fddc733c97cb9a827fc0.exe"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "uis8.dll"

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 64 entries, every one of them pid 1276 (sample)

- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes:
    pid 664   (no image name given in the report)  x2
    pid 1276  sample                               x3

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege          pid 1276  sample
    Token: SeTakeOwnershipPrivilege  pid 4560  takeown.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each pair is recorded three times):
    PID 1276 sample   wrote to memory of  4124 cmd.exe
    PID 4124 cmd.exe  wrote to memory of  4560 takeown.exe
    PID 4124 cmd.exe  wrote to memory of  1504 icacls.exe
    PID 1276 sample   wrote to memory of  1964 cmd.exe
Processes
(pids taken from the WriteProcessMemory and AdjustPrivilegeToken entries above; indentation is the process tree depth)

- C:\Users\Admin\AppData\Local\Temp\3a42ce62dc71201bb0b8ee51bcae0504d98914c5ac78fddc733c97cb9a827fc0.exe  (pid 1276)
  "C:\Users\Admin\AppData\Local\Temp\3a42ce62dc71201bb0b8ee51bcae0504d98914c5ac78fddc733c97cb9a827fc0.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe  (pid 4124)
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\takeown.exe  (pid 4560)
          takeown /f C:\Windows\SysWOW64\wshtcpip.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        - C:\Windows\SysWOW64\icacls.exe  (pid 1504)
          icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions

    - C:\Windows\SysWOW64\cmd.exe  (pid 1964)
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
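The process tree is the useful part of this report for detection engineering. The sample spawns cmd.exe, which runs takeown and then icacls against wshtcpip.dll (the Winsock TCP/IP helper DLL); the sample then writes wshtcpip.dll itself, drops two .sys files into the drivers directory and points a Services\<name>\ImagePath value at each. The sandbox labels the takeown/icacls step "Possible privilege escalation attempt", but in this trace takeown already holds SeTakeOwnershipPrivilege and the commands' effect is to make a protected system DLL writable, preparing the overwrite recorded under "Drops file in System32 directory". The SysWOW64 paths are consistent with a 32-bit sample (tagged arch:x86) running under WOW64, where System32 writes are redirected to SysWOW64, so a rule that only watches System32\drivers would miss them.

The following Python is an added example written for this page, not sandbox output and not part of the original report. It applies three rules to Sysmon-style events (real Sysmon field names; the records themselves are constructed from the IoCs above, plus one benign control) and groups hits by the root of each process chain. Rule names, the USER_WRITABLE list and the ATT&CK technique references are this example's own.

```python
"""Detection for the behaviour chain in this report, over Sysmon-style events.

Added example by the editor; not sandbox output and not part of the original
report. Field names follow Sysmon (EventID 1 process create, 11 file create,
13 registry value set); the records are constructed from the IoCs above.
"""
import re
from collections import defaultdict

SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "3a42ce62dc71201bb0b8ee51bcae0504d98914c5ac78fddc733c97cb9a827fc0.exe")
ACL_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}
# Assumption: directories a dropper typically runs from; extend per environment.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
# A drive-letter path with System32 or SysWOW64 as one of its components.
SYSTEM_PATH = re.compile(r'(?i)[a-z]:\\[^"\s]*\\(?:system32|syswow64)\\[^"\s]+')

# Constructed events mirroring the process tree and IoCs above, plus one benign control.
EVENTS = [
    {"EventID": 1, "ProcessId": 1276, "ParentProcessId": 800, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 1, "ProcessId": 4124, "ParentProcessId": 1276,
     "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": "cmd.exe /c takeown /f C:\\Windows\\SysWOW64\\wshtcpip.dll && "
                    "icacls C:\\Windows\\SysWOW64\\wshtcpip.dll /grant administrators:F"},
    {"EventID": 1, "ProcessId": 4560, "ParentProcessId": 4124,
     "Image": "C:\\Windows\\SysWOW64\\takeown.exe",
     "CommandLine": "takeown /f C:\\Windows\\SysWOW64\\wshtcpip.dll"},
    {"EventID": 1, "ProcessId": 1504, "ParentProcessId": 4124,
     "Image": "C:\\Windows\\SysWOW64\\icacls.exe",
     "CommandLine": "icacls C:\\Windows\\SysWOW64\\wshtcpip.dll /grant administrators:F"},
    {"EventID": 11, "ProcessId": 1276, "Image": SAMPLE,
     "TargetFilename": "C:\\Windows\\SysWOW64\\drivers\\623ee6d5.sys"},
    {"EventID": 11, "ProcessId": 1276, "Image": SAMPLE,
     "TargetFilename": "C:\\Windows\\SysWOW64\\wshtcpip.dll"},
    {"EventID": 13, "ProcessId": 1276, "Image": SAMPLE,
     "TargetObject": "HKLM\\SYSTEM\\ControlSet001\\Services\\623ee6d5\\ImagePath",
     "Details": "\\??\\C:\\Windows\\SysWOW64\\drivers\\623ee6d5.sys"},
    # Benign control: an admin fixing the ACL on a file in their own profile.
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 700,
     "Image": "C:\\Windows\\System32\\icacls.exe",
     "CommandLine": "icacls C:\\Users\\Admin\\notes.txt /grant Admin:F"},
]


def from_user_writable(image):
    return any(d in image.lower() for d in USER_WRITABLE)


def rule_acl_change_on_system_file(ev):
    """takeown/icacls/cacls aimed at a file under System32 or SysWOW64 (T1222.001)."""
    if ev["EventID"] != 1 or ev["Image"].rsplit("\\", 1)[-1].lower() not in ACL_TOOLS:
        return None
    m = SYSTEM_PATH.search(ev["CommandLine"])
    return ("acl_change_on_system_file", ev["ProcessId"], m.group(0)) if m else None


def rule_system_binary_written_from_temp(ev):
    """A .sys or .dll written under System32/SysWOW64 by a binary running from a
    user-writable directory: catches the dropped drivers and the replaced wshtcpip.dll."""
    if ev["EventID"] != 11:
        return None
    target = ev["TargetFilename"]
    if (SYSTEM_PATH.fullmatch(target) and target.lower().endswith((".sys", ".dll"))
            and from_user_writable(ev["Image"])):
        return ("system_binary_written_from_temp", ev["ProcessId"], target)
    return None


def rule_driver_service_from_temp(ev):
    """Services\\<name>\\ImagePath pointed at a .sys in a drivers directory by a
    binary running from a user-writable directory (T1543.003). Matches either
    System32\\drivers or the WOW64-redirected SysWOW64\\drivers."""
    if ev["EventID"] != 13 or not ev["TargetObject"].lower().endswith("\\imagepath"):
        return None
    target = ev["Details"].replace("\\??\\", "")  # strip the NT object-manager prefix
    if ("\\drivers\\" in target.lower() and target.lower().endswith(".sys")
            and from_user_writable(ev["Image"])):
        return ("driver_service_from_temp", ev["ProcessId"], target)
    return None


RULES = (rule_acl_change_on_system_file, rule_system_binary_written_from_temp,
         rule_driver_service_from_temp)


def hunt(events):
    """Run every rule and group hits by the root of each process chain, so the
    takeown/icacls children are attributed to the sample that spawned them."""
    parents = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}

    def root(pid):
        while parents.get(pid) in parents:  # climb while the parent is itself a known process
            pid = parents[pid]
        return pid

    findings = defaultdict(list)
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings[root(ev["ProcessId"])].append(hit)
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in hunt(EVENTS).items():
        print(f"root pid {pid}: {len(hits)} findings")
        for name, hit_pid, obj in hits:
            print(f"  {name:<34} pid {hit_pid:<5} {obj}")
```

Run against the constructed events, every hit lands under root pid 1276 and the benign icacls call on a file in the user's profile produces nothing. That is the point of keying the rules on the target path and the source directory rather than on takeown/icacls alone: administrators run those tools legitimately, but a Temp-resident binary that makes a Winsock helper DLL writable, overwrites it and registers drivers from SysWOW64\drivers is the chain this report documents. On a real host, feed parsed Sysmon events (IDs 1, 11, 13) into hunt() and check both drivers directories when you go looking for the dropped .sys files.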
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: f11b6a7c240583f4c5f5a6bf305faba8
  SHA1: 9d0f08bf31da8a594017a8b100388a2427943d9a
  SHA256: dfac64e662905004204ae16fac6685d314cd61a5b4238bed72e3ef7a04d653c8
  SHA512: d8897ebe26f2fbb7ee24a306dfd66cb477f9371cc7dfab11b8918016ec4c17f2d6e06b990e4e13e9c0822b3b4d4b3626de5b7894465379e6c798a370220d9b1f
- memory/1276-132-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/1276-133-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/1276-138-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/1504-136-0x0000000000000000-mapping.dmp
- memory/1964-137-0x0000000000000000-mapping.dmp
- memory/4124-134-0x0000000000000000-mapping.dmp
- memory/4560-135-0x0000000000000000-mapping.dmp