Analysis
-
max time kernel: 91s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-10-2022 12:45
Static task: static1
Behavioral task: behavioral1
  Sample: e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
  Resource: win10v2004-20220901-en
General
-
Target: e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Size: 1.3MB
MD5: ef47687cddafd1fb06d3705b3409a52e
SHA1: 5c3c7ed3705205c38cf2a12a1ccc9a4e394da1ee
SHA256: e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968
SHA512: b178465e17738f9489fc75bd5d5866de361bd88182bf214066884fa3e9d7a83ec40b7d4b9ba063d6668c0ae86e22d4385ad51994116c414651434a4225eb5100
SSDEEP: 24576:u7Djpcup0fXIXSxJxqW6ZvNrryeq7Xr8N9bb3DFsH:uzmupI9xJEWstyewkb7ZsH
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes: e56ccf9.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\35bf84a2.sys | e56ccf9.exe
-
Executes dropped EXE 3 IoCs
Processes: e56cb44.tmp, e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe, e56ccf9.exe
pid | process
5012 | e56cb44.tmp
4260 | e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
4548 | e56ccf9.exe
-
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
1732 | takeown.exe
5056 | icacls.exe
1156 | takeown.exe
4676 | icacls.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: e56ccf9.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\35bf84a2\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\35bf84a2.sys" | e56ccf9.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes: icacls.exe, takeown.exe, icacls.exe, takeown.exe
pid | process
5056 | icacls.exe
1156 | takeown.exe
4676 | icacls.exe
1732 | takeown.exe
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: e56ccf9.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | e56ccf9.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | e56ccf9.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | e56ccf9.exe
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: e56ccf9.exe
description | ioc | process
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | e56ccf9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e56ccf9.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | e56ccf9.exe
-
Drops file in System32 directory 4 IoCs
Processes: e56ccf9.exe
description | ioc | process
File created | C:\Windows\SysWOW64\wshtcpip.dll | e56ccf9.exe
File created | C:\Windows\SysWOW64\midimap.dll | e56ccf9.exe
File created | C:\Windows\SysWOW64\ws2tcpip.dll | e56ccf9.exe
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | e56ccf9.exe
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
-
Modifies registry class 4 IoCs
Processes: e56ccf9.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | e56ccf9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "e56ccf9.exe" | e56ccf9.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | e56ccf9.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "7ywi.dll" | e56ccf9.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: e56ccf9.exe
pid | process
4548 | e56ccf9.exe (this row is listed 64 times in the report, one per IoC)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes: e56ccf9.exe
pid process
644 4548 e56ccf9.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: e56ccf9.exe, takeown.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 4548 | e56ccf9.exe
Token: SeTakeOwnershipPrivilege | 1732 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1156 | takeown.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes: e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe, e56cb44.tmp, e56ccf9.exe, cmd.exe, cmd.exe
description | pid | process | target process
(each row below appears 3 times in the report, giving the 30 IoCs)
PID 4940 wrote to memory of 5012 | 4940 | e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe | e56cb44.tmp
PID 5012 wrote to memory of 4260 | 5012 | e56cb44.tmp | e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
PID 5012 wrote to memory of 4548 | 5012 | e56cb44.tmp | e56ccf9.exe
PID 4548 wrote to memory of 1380 | 4548 | e56ccf9.exe | cmd.exe
PID 1380 wrote to memory of 1732 | 1380 | cmd.exe | takeown.exe
PID 1380 wrote to memory of 5056 | 1380 | cmd.exe | icacls.exe
PID 4548 wrote to memory of 2988 | 4548 | e56ccf9.exe | cmd.exe
PID 2988 wrote to memory of 1156 | 2988 | cmd.exe | takeown.exe
PID 2988 wrote to memory of 4676 | 2988 | cmd.exe | icacls.exe
PID 4548 wrote to memory of 4012 | 4548 | e56ccf9.exe | cmd.exe
Processes (tree; indentation shows parent/child depth)
-
C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4940
  C:\Users\Admin\AppData\Local\Temp\e56cb44.tmp
    command line: >C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 5012
    C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      PID: 4260
    C:\Users\Admin\AppData\Local\Temp\e56ccf9.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\\e56ccf9.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Sets service image path in registry
      - Installs/modifies Browser Helper Object
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4548
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        - Suspicious use of WriteProcessMemory
        PID: 1380
        C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID: 1732
        C:\Windows\SysWOW64\icacls.exe
          command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID: 5056
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        - Suspicious use of WriteProcessMemory
        PID: 2988
        C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f C:\Windows\SysWOW64\midimap.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID: 1156
        C:\Windows\SysWOW64\icacls.exe
          command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID: 4676
      C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
        PID: 4012
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize: 179B
MD5: cb27cc7bd6797efb4de0f561ab99f687
SHA1: 924c22ab12c513329f37593a2856b27d06b60424
SHA256: ffa13d2c61994ecd8271fa71fc92165cdf3a89a6873558628599fcd342fe63b5
SHA512: 6b349e9d0b7b264fc56a1608e98e6ee02536d56e0bbcb70e09cc18b0d1cdf6e9d0a2b73c59f0d209e054eaa87f02be70c67c425c7f35688b6fa5fea67f525c4f
-
C:\Users\Admin\AppData\Local\Temp\e56cb44.tmp
Filesize: 1.3MB
MD5: ef47687cddafd1fb06d3705b3409a52e
SHA1: 5c3c7ed3705205c38cf2a12a1ccc9a4e394da1ee
SHA256: e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968
SHA512: b178465e17738f9489fc75bd5d5866de361bd88182bf214066884fa3e9d7a83ec40b7d4b9ba063d6668c0ae86e22d4385ad51994116c414651434a4225eb5100
-
C:\Users\Admin\AppData\Local\Temp\e56ccf9.exe
Filesize: 846KB
MD5: ba68d4c5343746d9bcf3cbadad3ba564
SHA1: 3c23f9c71854c070203f45b9775b6b74d9a8658f
SHA256: 63077e0732540d09c8c64c68239a213b910b2182de1d9893c51f8ef0bde5c32c
SHA512: 7ee9b012c2ed8abe9be931ea9b1d927f6b9f948fe98cc3856a4a34be1fd1699bd4c47ad09694e5cdbb5c57da8f6160fcc6c6196a79c920eabc356ade4b6e90e9
-
C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Filesize: 473KB
MD5: 5283b78d841e568f2dcff0ccf357222e
SHA1: c47b70ed9e3838c2a18cb49f099b0b72f13c268c
SHA256: 4eacb02bbf469948b82c124a1bd7b22308705c121db3016ac7b7e2abe5cef6c9
SHA512: 3518f00e0f89c231249b4d99da10203dc7fb579f40267697caa1715a64dce1b814dfccdadc5f0898d6f5eb048daeef8f5435922b8e7836ac1bdaa021aaf2c912
-
memory/1156-152-0x0000000000000000-mapping.dmp
memory/1380-148-0x0000000000000000-mapping.dmp
memory/1732-149-0x0000000000000000-mapping.dmp
memory/2988-151-0x0000000000000000-mapping.dmp
memory/4012-154-0x0000000000000000-mapping.dmp
memory/4260-136-0x0000000000000000-mapping.dmp
memory/4260-142-0x0000000000400000-0x00000000007A1000-memory.dmp (Filesize: 3.6MB)
memory/4260-145-0x0000000000400000-0x00000000007A1000-memory.dmp (Filesize: 3.6MB)
memory/4548-144-0x0000000000620000-0x0000000000640000-memory.dmp (Filesize: 128KB)
memory/4548-147-0x0000000000620000-0x0000000000640000-memory.dmp (Filesize: 128KB)
memory/4548-146-0x0000000001000000-0x0000000001C57000-memory.dmp (Filesize: 12.3MB)
memory/4548-143-0x0000000001000000-0x0000000001C57000-memory.dmp (Filesize: 12.3MB)
memory/4548-138-0x0000000000000000-mapping.dmp
memory/4548-156-0x0000000001000000-0x0000000001C57000-memory.dmp (Filesize: 12.3MB)
memory/4676-153-0x0000000000000000-mapping.dmp
memory/4940-134-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
memory/5012-132-0x0000000000000000-mapping.dmp
memory/5012-141-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
memory/5056-150-0x0000000000000000-mapping.dmp