Analysis
max time kernel: 91s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-10-2022 12:29
Static task: static1
Behavioral task: behavioral1
  Sample: 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
  Resource: win10v2004-20220901-en
General
Target: 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Size: 671KB
MD5: 409159147752686fb1474eeb48709b30
SHA1: dc4ba05e4850a223fc819634df660bb23a964d26
SHA256: 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4
SHA512: 51d60c770bc8e88cbdcbfb46e685fef4dbfb251f82455967f10ab421523b6bce51b7eab1a3d9fdbeaa43e6f2527b2e7433b4b13005888b03b2f5d2ed734e50f2
SSDEEP: 12288:uknDOg+vAcSLbYXc3uAN72T2s8cfwN8N4UbCkO2ELN0YpUovDAXc:bDU3SLbYXc3uA92feON4iBOvLGYppbAs
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\11f4a7ee.sys | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Possible privilege escalation attempt (4 IoCs)
Processes:
pid | process
5024 | takeown.exe
4792 | icacls.exe
4132 | takeown.exe
3820 | icacls.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\11f4a7ee\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\11f4a7ee.sys" | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Modifies file permissions (1 TTP, 4 IoCs)
Processes:
pid | process
3820 | icacls.exe
5024 | takeown.exe
4792 | icacls.exe
4132 | takeown.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Drops file in System32 directory (5 IoCs)
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\wshtcpip.dll | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
File opened for modification | C:\Windows\SysWOW64\wshtcpip.dll | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
File created | C:\Windows\SysWOW64\midimap.dll | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
File created | C:\Windows\SysWOW64\reYuwdDu.dll | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
File created | C:\Windows\SysWOW64\wtylHH9f.dll | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Modifies registry class (4 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe" | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "swwwbY.dll" | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
pid | process
664 | (process not named in the report)
3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeTakeOwnershipPrivilege | 5024 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4132 | takeown.exe
Token: SeDebugPrivilege | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description | pid | process | target process
PID 3340 wrote to memory of 3256 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
PID 3340 wrote to memory of 3256 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
PID 3340 wrote to memory of 3256 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
PID 3256 wrote to memory of 5024 | 3256 | cmd.exe | takeown.exe
PID 3256 wrote to memory of 5024 | 3256 | cmd.exe | takeown.exe
PID 3256 wrote to memory of 5024 | 3256 | cmd.exe | takeown.exe
PID 3256 wrote to memory of 4792 | 3256 | cmd.exe | icacls.exe
PID 3256 wrote to memory of 4792 | 3256 | cmd.exe | icacls.exe
PID 3256 wrote to memory of 4792 | 3256 | cmd.exe | icacls.exe
PID 3340 wrote to memory of 1472 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
PID 3340 wrote to memory of 1472 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
PID 3340 wrote to memory of 1472 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
PID 1472 wrote to memory of 4132 | 1472 | cmd.exe | takeown.exe
PID 1472 wrote to memory of 4132 | 1472 | cmd.exe | takeown.exe
PID 1472 wrote to memory of 4132 | 1472 | cmd.exe | takeown.exe
PID 1472 wrote to memory of 3820 | 1472 | cmd.exe | icacls.exe
PID 1472 wrote to memory of 3820 | 1472 | cmd.exe | icacls.exe
PID 1472 wrote to memory of 3820 | 1472 | cmd.exe | icacls.exe
PID 3340 wrote to memory of 4476 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
PID 3340 wrote to memory of 4476 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
PID 3340 wrote to memory of 4476 | 3340 | 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe | cmd.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe"
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
- Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
Level 3: C:\Windows\SysWOW64\icacls.exe
Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
- Possible privilege escalation attempt
- Modifies file permissions
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
- Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\takeown.exe
Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
Level 3: C:\Windows\SysWOW64\icacls.exe
Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
- Possible privilege escalation attempt
- Modifies file permissions
Level 2: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize: 181B
MD5: 41776175ccf4f6c1b622fd68543e2c7f
SHA1: 011a104b0cbe38fc0a049b1008374e03fb00713a
SHA256: 8254519ef4dc06a7ceb75505baa3b100baae313cea1d33f1d727046a711e3907
SHA512: d0ddefd292679f5d8b4d2979edcd101e8010f6eadcb009cbbcf90ba993413bac424d5a4323e4acb32f3852d3896c1c33643d5e9d7ed74cb561851ea8bbc67e68
memory/1472-137-0x0000000000000000-mapping.dmp
memory/3256-134-0x0000000000000000-mapping.dmp
memory/3340-141-0x0000000000610000-0x0000000000630000-memory.dmp (Filesize: 128KB)
memory/3340-133-0x0000000000610000-0x0000000000630000-memory.dmp (Filesize: 128KB)
memory/3340-143-0x0000000001000000-0x000000000177B000-memory.dmp (Filesize: 7.5MB)
memory/3340-132-0x0000000001000000-0x000000000177B000-memory.dmp (Filesize: 7.5MB)
memory/3340-140-0x0000000001000000-0x000000000177B000-memory.dmp (Filesize: 7.5MB)
memory/3820-139-0x0000000000000000-mapping.dmp
memory/4132-138-0x0000000000000000-mapping.dmp
memory/4476-142-0x0000000000000000-mapping.dmp
memory/4792-136-0x0000000000000000-mapping.dmp
memory/5024-135-0x0000000000000000-mapping.dmp