Analysis
-
max time kernel: 81s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 12:57
Static task: static1
Behavioral task: behavioral1
  Sample: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
  Resource: win10v2004-20220901-en (the run shown in this report)
General
-
Target: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
Size: 690KB
MD5: 84bb2b8233dc0fe26e26a501b9d671d0
SHA1: 97cac0aaa77a44fb2aec9bd3952b2b03d5585396
SHA256: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1
SHA512: fa83dd36a120a5b05013944fc136cb6ca4e73e6e8bb56243b302099c700daf845d556fc921a0fb26f9030c6cf5ae959b1aa03d634a4eefefb9f9ea123aa05045
SSDEEP: 12288:0klCKO873JTr30l/a3ipCF3152Bhfmlky2SA3OMmq+ovM3vYDf8wiaSwIM:HCK/7ZfDp6Bhfc2SOOgvM3vYDz7S3M
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
Process: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
  File created: C:\Windows\SysWOW64\drivers\70faec2c.sys
Note: the SysWOW64 paths and the WOW6432Node registry keys throughout this report show the sample runs as a 32-bit (WOW64) process on the x64 guest; its writes to System32 are redirected to SysWOW64 by WOW64 file-system redirection, which is why the driver lands in SysWOW64\drivers rather than System32\drivers.
Possible privilege escalation attempt (4 IoCs)
Processes: icacls.exe (PID 1084), takeown.exe (PID 4380), icacls.exe (PID 4356), takeown.exe (PID 3772)
Note: the signature name is the sandbox's. In this run takeown/icacls are used on files under the Windows directory, which already requires an elevated token (takeown enables SeTakeOwnershipPrivilege, see "Suspicious use of AdjustPrivilegeToken" below); the purpose is to make protected system DLLs writable, not to escalate from a standard user.
Sets service image path in registry (2 TTPs, 1 IoC)
Process: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\70faec2c\ImagePath = "\??\C:\Windows\SysWOW64\drivers\70faec2c.sys"
Check: on an x64 host a kernel-driver ImagePath normally resolves under System32\drivers (often written SystemRoot-relative, e.g. system32\drivers\name.sys). A service whose ImagePath points into SysWOW64\drivers, Temp or any user-writable directory is worth pulling with "sc qc 70faec2c" and hashing the referenced file.
Modifies file permissions (1 TTP, 4 IoCs)
Processes: icacls.exe (PID 4356), takeown.exe (PID 3772), icacls.exe (PID 1084), takeown.exe (PID 4380)
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Process: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Note: all three IoCs are deletions of the 32-bit BHO registration keys; no BHO is installed in this run.
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Process: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum
  Key value enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum
Note: Services\Disk\Enum holds the device IDs of attached disks, which on virtual machines usually carry the hypervisor vendor's strings; reading it is a common VM/sandbox check.
Drops file in System32 directory (5 IoCs)
Process: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
  File created: C:\Windows\SysWOW64\wshtcpip.dll
  File opened for modification: C:\Windows\SysWOW64\wshtcpip.dll
  File created: C:\Windows\SysWOW64\midimap.dll
  File created: C:\Windows\SysWOW64\riTwye7U.dll
  File created: C:\Windows\SysWOW64\6eOU8rrl.dll
Note: wshtcpip.dll (the Winsock TCP/IP helper) and midimap.dll (the MIDI mapper) are existing Windows DLLs. Creating them immediately after the takeown/icacls chain in the process tree means the originals are overwritten. On a suspect host, compare both files' Authenticode signatures and hashes against a known-good copy of the same Windows build.
Modifies registry class (4 IoCs)
Process: 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "3i7hhJqU.dll"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL
Note: SYS_DLL and HOOK_ID are not CLSID GUIDs; they look like the sample's own configuration keys parked under CLSID. The 3i7hhJqU.dll name stored there does not appear among the files dropped in this run.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: PID 3012 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe (all 64 entries)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes: PID 656 (no image name recorded), PID 3012 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeTakeOwnershipPrivilege  PID 3772 takeown.exe
  Token: SeTakeOwnershipPrivilege  PID 4380 takeown.exe
  Token: SeDebugPrivilege  PID 3012 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Each parent/child pair below is recorded three times:
  PID 3012 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe wrote to PID 452 cmd.exe
  PID 452 cmd.exe wrote to PID 3772 takeown.exe
  PID 452 cmd.exe wrote to PID 1084 icacls.exe
  PID 3012 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe wrote to PID 1404 cmd.exe
  PID 1404 cmd.exe wrote to PID 4380 takeown.exe
  PID 1404 cmd.exe wrote to PID 4356 icacls.exe
  PID 3012 5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe wrote to PID 4448 cmd.exe
Note: every target is a child the writer had just spawned (compare the process tree), so these are the writes that accompany ordinary child-process creation, not injection into an unrelated process.
Processes
-
PIDs are taken from the WriteProcessMemory records above, matched to the tree in event order.

C:\Users\Admin\AppData\Local\Temp\5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe (PID 3012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 452)
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (PID 3772)
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (PID 1084)
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (PID 1404)
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (PID 4380)
      Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (PID 4356)
      Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (PID 4448)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat

Note: the pattern is the same for both DLLs: take ownership, grant Administrators full control, then the sample itself writes the new file (see "Drops file in System32 directory"). The third cmd.exe runs the dropped batch file ahnmove.bat (181 bytes, hashes under Downloads); its contents are not shown in this report and no child processes are recorded for it.
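The two behaviours that matter most for detection in this tree are the takeown/icacls chain against DLLs under the Windows directory followed by the same process lineage overwriting them, and a service ImagePath that points a .sys file outside System32\drivers. The following is an added example of detection logic over those events, not part of the sandbox report or the sandbox's own signatures. The event format is a constructed, Sysmon-like subset (one dict per event with the fields used here); the sample events are transcribed from this report's process tree, file and registry IoCs, plus one constructed benign control (a SystemRoot-relative tcpip.sys ImagePath) that must not fire.

```python
"""Detect ACL tampering on system files followed by their replacement, and
driver ImagePath values outside System32\\drivers.  Added example; the event
schema is a constructed Sysmon-like subset, not the sandbox's format."""
import re
from dataclasses import dataclass

PROTECTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
DRIVER_DIR = "c:\\windows\\system32\\drivers"      # where x64 kernel drivers live
ACL_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}
PATH_RE = re.compile(r'[a-zA-Z]:\\[^\s"&|]+')      # absolute paths in a command line


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    path: str
    severity: str


def norm_path(p):
    """Lower-case and resolve the spellings seen in command lines and ImagePath
    values: the \\??\\ prefix, \\SystemRoot\\, %SystemRoot%, and the
    SystemRoot-relative form (system32\\drivers\\x.sys) used by real drivers."""
    p = p.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    p = p.replace("%systemroot%", "c:\\windows")
    if not re.match(r"^[a-z]:\\", p):
        p = "c:\\windows\\" + p.lstrip("\\")
    return p


def lineage(pid, parents):
    """pid together with all of its ancestors, following ppid links."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        pid = parents.get(pid)
    return seen


def detect(events):
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    findings = []
    tampered = {}  # normalised path -> pid of the takeown/icacls process that touched it
    for e in events:
        if e["type"] == "process" and e["image"].rsplit("\\", 1)[-1].lower() in ACL_TOOLS:
            for raw in PATH_RE.findall(e["cmdline"]):
                p = norm_path(raw)
                if p.startswith(tuple(d + "\\" for d in PROTECTED_DIRS)):
                    findings.append(Finding("acl_tamper_system_file", e["pid"], p, "medium"))
                    tampered.setdefault(p, e["pid"])
        elif e["type"] == "file" and e["op"] in ("create", "modify"):
            p = norm_path(e["path"])
            tool = tampered.get(p)
            # Escalate when the writer is in the ACL tool's lineage (parent, grandparent,
            # or a descendant): the ACL change was made so this tree could replace the file.
            if tool is not None and (e["pid"] in lineage(tool, parents) or tool in lineage(e["pid"], parents)):
                findings.append(Finding("system_file_replaced_after_acl_change", e["pid"], p, "high"))
        elif e["type"] == "registry":
            key = e["key"].lower()
            if "\\services\\" in key and key.endswith("\\imagepath"):
                p = norm_path(e["value"])
                if p.endswith(".sys") and not p.startswith(DRIVER_DIR + "\\"):
                    findings.append(Finding("driver_imagepath_outside_drivers_dir", e["pid"], p, "high"))
    return findings


SAMPLE = "5bfc2bb5d3244f2ef4d1535204c51aae9c401eaebfb541de0ede9405e9589af1.exe"
SYSWOW = "C:\\Windows\\SysWOW64\\"
SAMPLE_EVENTS = [  # constructed from the report above; PIDs as recorded there, sample's parent unknown
    {"type": "process", "pid": 3012, "ppid": None, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE, "cmdline": SAMPLE},
    {"type": "process", "pid": 452, "ppid": 3012, "image": SYSWOW + "cmd.exe",
     "cmdline": f"cmd.exe /c takeown /f {SYSWOW}wshtcpip.dll && icacls {SYSWOW}wshtcpip.dll /grant administrators:F"},
    {"type": "process", "pid": 3772, "ppid": 452, "image": SYSWOW + "takeown.exe", "cmdline": f"takeown /f {SYSWOW}wshtcpip.dll"},
    {"type": "process", "pid": 1084, "ppid": 452, "image": SYSWOW + "icacls.exe", "cmdline": f"icacls {SYSWOW}wshtcpip.dll /grant administrators:F"},
    {"type": "process", "pid": 1404, "ppid": 3012, "image": SYSWOW + "cmd.exe",
     "cmdline": f"cmd.exe /c takeown /f {SYSWOW}midimap.dll && icacls {SYSWOW}midimap.dll /grant administrators:F"},
    {"type": "process", "pid": 4380, "ppid": 1404, "image": SYSWOW + "takeown.exe", "cmdline": f"takeown /f {SYSWOW}midimap.dll"},
    {"type": "process", "pid": 4356, "ppid": 1404, "image": SYSWOW + "icacls.exe", "cmdline": f"icacls {SYSWOW}midimap.dll /grant administrators:F"},
    {"type": "file", "pid": 3012, "op": "create", "path": SYSWOW + "wshtcpip.dll"},
    {"type": "file", "pid": 3012, "op": "create", "path": SYSWOW + "midimap.dll"},
    {"type": "registry", "pid": 3012, "key": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\70faec2c\\ImagePath",
     "value": "\\??\\C:\\Windows\\SysWOW64\\drivers\\70faec2c.sys"},
    # benign control (constructed): a real driver registered SystemRoot-relative; must not fire
    {"type": "registry", "pid": 900, "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\tcpip\\ImagePath",
     "value": "System32\\drivers\\tcpip.sys"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:>6}] {f.rule:40} pid={f.pid:<5} {f.path}")
```

Run against the constructed events this yields four medium findings (one per takeown/icacls invocation), two high findings for the sample (PID 3012) overwriting wshtcpip.dll and midimap.dll after its grandchildren changed their ACLs, and one high finding for the 70faec2c ImagePath in SysWOW64\drivers; the tcpip.sys control produces nothing. The ACL rule keys on the tool image rather than on cmd.exe's command line so each invocation is counted once; a production rule should match both, since the tools can also be invoked via wmic, PowerShell or a scheduled task. The lineage check is what separates this from a false positive on an administrator running icacls by hand: the escalation fires only when a process in the same tree then writes the file.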
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 47b2f8f0934f851a5d2f07b455562804
  SHA1: b758f495ebd8552d3231a79df7a919f8a1efa370
  SHA256: 73cae61f226d83e46015d947e7343cd9f53157fff6ecaeeb3bd2882a8f54dbb7
  SHA512: 5f4a87a8a2aaf105523342172cd999c0bb411f568a516be16fab099cca05880f2a5b68139ac98449a067f1e84248a6c9852fa453fc87181a27e510218a966859
-
Memory dumps:
  memory/452-132-0x0000000000000000-mapping.dmp
  memory/1084-134-0x0000000000000000-mapping.dmp
  memory/1404-137-0x0000000000000000-mapping.dmp
  memory/3012-141-0x0000000000480000-0x00000000004A0000-memory.dmp (128KB)
  memory/3012-136-0x0000000000480000-0x00000000004A0000-memory.dmp (128KB)
  memory/3012-140-0x0000000001000000-0x0000000001698000-memory.dmp (6.6MB)
  memory/3012-135-0x0000000001000000-0x0000000001698000-memory.dmp (6.6MB)
  memory/3012-143-0x0000000001000000-0x0000000001698000-memory.dmp (6.6MB)
  memory/3772-133-0x0000000000000000-mapping.dmp
  memory/4356-139-0x0000000000000000-mapping.dmp
  memory/4380-138-0x0000000000000000-mapping.dmp
  memory/4448-142-0x0000000000000000-mapping.dmp
Note: the 6.6MB region at 0x01000000-0x01698000 in PID 3012, far larger than the 690KB file on disk, is dumped three times (IDs 135, 140, 143) at different points in the run; it is the first place to look for unpacked code. The "mapping.dmp" entries for the cmd.exe, takeown.exe and icacls.exe children carry no memory range and are only the process mappings.