Analysis
max time kernel: 137s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-11-2022 04:18
Behavioral task: behavioral1
Sample: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
Resource: win7-20220812-en
General
Target: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
Size: 350KB
MD5: 31fc29eaf6a68de98f5e3f0d5ba27750
SHA1: 082a15a5c65eb5049f420e0c3c7e3dce630ed816
SHA256: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4
SHA512: 4563f48a880be6d30072e6dcde7a5a1c80574557b3c07a199115586c5c10efc81c9e6c1df35c36e6e796c27ea9867adc40fa426aeefd46ac183260883b136b0a
SSDEEP: 6144:+yXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:+3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
Drops file in Drivers directory (2 IoCs)
Process: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
- File created: C:\Windows\SysWOW64\drivers\406a5853.sys
- File created: C:\Windows\SysWOW64\drivers\3cc16dd5.sys
Possible privilege escalation attempt (2 IoCs)
Processes (pid, process):
- 3208 takeown.exe
- 1716 icacls.exe
Sets service image path in registry (2 TTPs, 2 IoCs)
Process: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\406a5853\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\406a5853.sys"
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\3cc16dd5\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\3cc16dd5.sys"
YARA rule matches (resource, yara_rule):
- behavioral2/memory/4820-132-0x0000000001000000-0x000000000112D000-memory.dmp: upx
- behavioral2/memory/4820-133-0x0000000001000000-0x000000000112D000-memory.dmp: upx
- behavioral2/memory/4820-138-0x0000000001000000-0x000000000112D000-memory.dmp: upx
Modifies file permissions (1 TTPs, 2 IoCs)
Processes (pid, process):
- 3208 takeown.exe
- 1716 icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Process: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Drops file in System32 directory (5 IoCs)
Process: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
- File opened for modification: C:\Windows\SysWOW64\goodsb.dll
- File created: C:\Windows\SysWOW64\goodsb.dll
- File created: C:\Windows\SysWOW64\ws2tcpip.dll
- File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll
- File created: C:\Windows\SysWOW64\wshtcpip.dll
Modifies registry class (4 IoCs)
Process: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "HrpwffeAs8.dll"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 4820 a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe (this same entry is reported 64 times)
Suspicious behavior: LoadsDriver (5 IoCs)
Processes (pid, process):
- 652 (no process name given in the report)
- 4820 a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
- 652 (no process name given in the report)
- 4820 a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
- 4820 a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4820 a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
- Token: SeTakeOwnershipPrivilege, 3208 takeown.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process); each event below is reported three times:
- PID 4820 wrote to memory of 3204: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe -> cmd.exe
- PID 3204 wrote to memory of 3208: cmd.exe -> takeown.exe
- PID 3204 wrote to memory of 1716: cmd.exe -> icacls.exe
- PID 4820 wrote to memory of 4348: a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe -> cmd.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a6a1d90bbdd335e3020f7a76ef377b18156ee89def899763c97a8917fb7521c4.exe"
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\icacls.exe
            Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    Filesize: 181B
    MD5: b3956b1ad5e8f84b0888d1f363a702b4
    SHA1: 540e534ade53153526ee8902fa7d750952ab7c0e
    SHA256: 78fabccce9fa6aa0b3291398345f8d648d38dd0d56ed3ae770af5fb8577d0258
    SHA512: 9fec62f5ebb56d23ac517620207b04d621ef0beeb1bfd09b3a64bd514e79b6ea1006a6e88b0758171161e0093c4465ef94bc29921b23c7b73fd8e159ec3bb307
memory/1716-136-0x0000000000000000-mapping.dmp
memory/3204-134-0x0000000000000000-mapping.dmp
memory/3208-135-0x0000000000000000-mapping.dmp
memory/4348-137-0x0000000000000000-mapping.dmp
memory/4820-132-0x0000000001000000-0x000000000112D000-memory.dmp
    Filesize: 1.2MB
memory/4820-133-0x0000000001000000-0x000000000112D000-memory.dmp
    Filesize: 1.2MB
memory/4820-138-0x0000000001000000-0x000000000112D000-memory.dmp
    Filesize: 1.2MB