Analysis
- max time kernel: 140s
- max time network: 195s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-10-2022 08:04
Behavioral task
- behavioral1
- Sample: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Resource: win7-20220812-en
General
- Target: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Size: 350KB
- MD5: 93aaadc0d0b4a41ce82654d48f857010
- SHA1: 45812eb55e5a2f6b360645e44b6b07fc48ec640b
- SHA256: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c
- SHA512: bee069511ea882ca8abde7534b5d1d37c3a6660557c710675decc738bf8ec4f981b80282cae337dfb2115c51d4b4c83ede92ad2ec91ddcbc129d0eb22d079ef6
- SSDEEP: 6144:EyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:E3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
description | ioc | process
- File created | C:\Windows\SysWOW64\drivers\5a1402cb.sys | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- File created | C:\Windows\SysWOW64\drivers\26bf374d.sys | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
- 228 | takeown.exe
- 796 | icacls.exe
Sets service image path in registry (2 TTPs, 2 IoCs)
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\26bf374d\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\26bf374d.sys" | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\5a1402cb\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\5a1402cb.sys" | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
Processes:
resource | yara_rule
- behavioral2/memory/5072-132-0x0000000001000000-0x000000000112D000-memory.dmp | upx
- behavioral2/memory/5072-138-0x0000000001000000-0x000000000112D000-memory.dmp | upx
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
- 228 | takeown.exe
- 796 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
description | ioc | process
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
Drops file in System32 directory (5 IoCs)
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
description | ioc | process
- File created | C:\Windows\SysWOW64\ws2tcpip.dll | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- File created | C:\Windows\SysWOW64\wshtcpip.dll | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- File opened for modification | C:\Windows\SysWOW64\goodsb.dll | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- File created | C:\Windows\SysWOW64\goodsb.dll | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
Modifies registry class (4 IoCs)
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe" | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "Yqd.dll" | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
pid | process
- 5072 | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe (the same pid/process pair is listed for all 64 IoCs)
Suspicious behavior: LoadsDriver (5 IoCs)
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
pid | process
- 652 | (no process name listed)
- 5072 | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- 652 | (no process name listed)
- 5072 | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- 5072 | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe, takeown.exe
description | pid | process
- Token: SeDebugPrivilege | 5072 | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
- Token: SeTakeOwnershipPrivilege | 228 | takeown.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe, cmd.exe
description | pid | process | target process
- PID 5072 wrote to memory of 1048 | 5072 | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe | cmd.exe (3 identical entries)
- PID 1048 wrote to memory of 228 | 1048 | cmd.exe | takeown.exe (3 identical entries)
- PID 1048 wrote to memory of 796 | 1048 | cmd.exe | icacls.exe (3 identical entries)
- PID 5072 wrote to memory of 3748 | 5072 | 8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe | cmd.exe (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8c5e8c97e8bbfbd946a70450ce4752f4ba06605d0140d043a75fd6c1f867018c.exe"
   - Drops file in Drivers directory
   - Sets service image path in registry
   - Installs/modifies Browser Helper Object
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: LoadsDriver
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\takeown.exe
         Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\icacls.exe
         Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 95033318d5d8464aaae7fef0efb57b86
  SHA1: 5a45a6773ea564bce82e16cde4bf6b593de15831
  SHA256: 953dbe0fed3f7526a8800fec07a9953957e3ad8c9ce8bcc35f7bc47b6cd2d4c9
  SHA512: cdac408f33db55e53eec07be6f8bc4812f172eb27d2c1d9e78c7fa8157dc998a27275f23f9bf6ec2198b58f9e7aa4e356b9419ef5bfb8a00f70b7073da63852a
- memory/228-134-0x0000000000000000-mapping.dmp
- memory/796-135-0x0000000000000000-mapping.dmp
- memory/1048-133-0x0000000000000000-mapping.dmp
- memory/3748-136-0x0000000000000000-mapping.dmp
- memory/5072-132-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB
- memory/5072-138-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB