Analysis
- max time kernel: 112s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-10-2022 08:04
Behavioral task: behavioral1
- Sample: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
- Resource: win7-20220812-en
General
- Target: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
- Size: 350KB
- MD5: 5dc0752eed15944b6f04a6d938185290
- SHA1: 876bed93f6ffc09a528b3a285397d1bd93069766
- SHA256: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe
- SHA512: a58a9a454d6fa80cc872c088d6e9cbfbd06b9b71c4a90732f2be68cc766571279e59e7fa7ddc1a8cb7099f68e763f3fa188839bcc8e3308b74ad8212f418dcdf
- SSDEEP: 6144:9yXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:93BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  Processes (description, ioc, process):
  - File created C:\Windows\SysWOW64\drivers\5f390387.sys (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - File created C:\Windows\SysWOW64\drivers\23923601.sys (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
- Possible privilege escalation attempt (2 IoCs)
  Processes (pid, process):
  - 4992 takeown.exe
  - 4268 icacls.exe
- Sets service image path in registry (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\5f390387\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\5f390387.sys" (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\23923601\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\23923601.sys" (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
-
  Processes (resource, yara_rule):
  - behavioral2/memory/4936-132-0x0000000001000000-0x000000000112D000-memory.dmp upx
  - behavioral2/memory/4936-133-0x0000000001000000-0x000000000112D000-memory.dmp upx
  - behavioral2/memory/4936-138-0x0000000001000000-0x000000000112D000-memory.dmp upx
- Modifies file permissions (1 TTPs, 2 IoCs)
  Processes (pid, process):
  - 4992 takeown.exe
  - 4268 icacls.exe
- Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes (description, ioc, process):
  - Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
- Drops file in System32 directory (5 IoCs)
  Processes (description, ioc, process):
  - File opened for modification C:\Windows\SysWOW64\goodsb.dll (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - File created C:\Windows\SysWOW64\goodsb.dll (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - File created C:\Windows\SysWOW64\ws2tcpip.dll (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - File opened for modification C:\Windows\SysWOW64\ws2tcpip.dll (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - File created C:\Windows\SysWOW64\wshtcpip.dll (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
- Modifies registry class (4 IoCs)
  Processes (description, ioc, process):
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe" (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "fUrJJafd.dll" (process: c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe (all 64 entries are this same row)
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes (pid, process):
  - 648 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
  - 648 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
  - 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
  - Token: SeTakeOwnershipPrivilege 4992 takeown.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 4936 wrote to memory of 1292: 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe -> cmd.exe
  - PID 4936 wrote to memory of 1292: 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe -> cmd.exe
  - PID 4936 wrote to memory of 1292: 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe -> cmd.exe
  - PID 1292 wrote to memory of 4992: 1292 cmd.exe -> takeown.exe
  - PID 1292 wrote to memory of 4992: 1292 cmd.exe -> takeown.exe
  - PID 1292 wrote to memory of 4992: 1292 cmd.exe -> takeown.exe
  - PID 1292 wrote to memory of 4268: 1292 cmd.exe -> icacls.exe
  - PID 1292 wrote to memory of 4268: 1292 cmd.exe -> icacls.exe
  - PID 1292 wrote to memory of 4268: 1292 cmd.exe -> icacls.exe
  - PID 4936 wrote to memory of 4644: 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe -> cmd.exe
  - PID 4936 wrote to memory of 4644: 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe -> cmd.exe
  - PID 4936 wrote to memory of 4644: 4936 c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe -> cmd.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: b7e131ce6db5d08d69fb167a67d741a7
  SHA1: 2103b8d38cd3c6e4d5158cb653b4cedbd2223238
  SHA256: 0eb9c8c2c39ad4d7699c22cdb67e81724bf7ec8edcbfd5260454af187bb1545a
  SHA512: 963a8d2d935ffc0d6a497c9ed44f5dc158ddc0edcefc4d9e97548c0e103b787bed0fa3b1cfa3165363b7e18254f9e00d1b00ddebb25b76254f3825d76293452b
- memory/1292-134-0x0000000000000000-mapping.dmp
- memory/4268-136-0x0000000000000000-mapping.dmp
- memory/4644-137-0x0000000000000000-mapping.dmp
- memory/4936-132-0x0000000001000000-0x000000000112D000-memory.dmp (Filesize: 1.2MB)
- memory/4936-133-0x0000000001000000-0x000000000112D000-memory.dmp (Filesize: 1.2MB)
- memory/4936-138-0x0000000001000000-0x000000000112D000-memory.dmp (Filesize: 1.2MB)
- memory/4992-135-0x0000000000000000-mapping.dmp