Analysis
-
max time kernel
60s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
07-11-2022 11:28
Static task
static1
Behavioral task
behavioral1
Sample
9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Resource
win10v2004-20220812-en
General
-
Target
9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
-
Size
328KB
-
MD5
06d4adf44202aac77777f20847ab1080
-
SHA1
6adb5f2dc258bef543668571d1009a773ebceaba
-
SHA256
9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe
-
SHA512
d37481b2517480ff3b2317ee24fd55cbb2aa584121a15cb4a19525e9977195facabb6942cd6599807afea16e1bff36826302cb01e5e8e51f8bff532c1e08c5ec
-
SSDEEP
6144:QyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:QCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\69ddd646.sys | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
-
Possible privilege escalation attempt 4 IoCs
Processes:
pid | process
2036 | takeown.exe
1656 | icacls.exe
1144 | takeown.exe
2016 | icacls.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\69ddd646\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\69ddd646.sys" | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
-
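The ImagePath value in this signature deserves a rule of its own. A 64-bit kernel loads driver images from C:\Windows\System32\drivers; a path under SysWOW64\drivers is what a 32-bit process gets when its write to System32 is redirected by the WOW64 file-system redirector, so the path alone tells you the service was registered by a WOW64 process and points at a 32-bit location. The following Python is an added example, not part of the Triage report or of any project: it parses rows in the shape of the table above (the first sample row is the report's own; the other two are constructed here for contrast) and flags service ImagePath values that sit outside the native driver directory, under SysWOW64, or in a user-writable location. The eight-hex-digit name check is a heuristic assumption of this example, not something the report asserts.

```python
import re
from dataclasses import dataclass, field

# Constructed rows in the shape of this report's "Sets service image path in registry"
# table. The first row is the one recorded above; the other two are made up here for
# contrast (a stock disk.sys entry and a driver staged in a user temp directory).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\69ddd646\ImagePath'
    r' = "\\??\\C:\\Windows\\SysWOW64\\drivers\\69ddd646.sys"'
    r' 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\ImagePath'
    r' = "System32\\drivers\\disk.sys" services.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\hlpsvc\ImagePath'
    r' = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\hlp.sys" dropper.exe',
]

# Matches one row: key path (service name captured), quoted value, then the writing process.
ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\MACHINE\\SYSTEM\\[^\\]+\\services\\(?P<svc>[^\\]+)'
    r'\\ImagePath = "(?P<path>[^"]*)" (?P<proc>\S+)$',
    re.IGNORECASE,
)

# On a 64-bit host the kernel loads driver images from here; anything else is suspect.
NATIVE_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Finding:
    service: str
    image_path: str
    process: str
    reasons: list = field(default_factory=list)


def normalize_image_path(raw: str) -> str:
    """Turn the registry value as printed in the report into a lower-case absolute path."""
    p = raw.replace("\\\\", "\\")            # the report prints backslashes escaped
    if p.startswith("\\??\\"):              # NT object-manager prefix used by driver paths
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    if not re.match(r"^[a-z]:\\", p, re.IGNORECASE):
        p = "C:\\Windows\\" + p.lstrip("\\")  # a relative ImagePath is relative to %SystemRoot%
    return p.lower()


def check_image_path(row: str):
    """Return a Finding for an anomalous ImagePath row, or None if the row looks normal."""
    m = ROW_RE.match(row)
    if not m:
        return None
    svc, proc = m["svc"], m["proc"]
    path = normalize_image_path(m["path"])
    reasons = []
    if not path.startswith(NATIVE_DRIVER_DIR):
        reasons.append("image path outside System32\\drivers")
    if "\\syswow64\\" in path:
        # A 32-bit (WOW64) process that writes to System32 is redirected to SysWOW64 by
        # the file-system redirector; a 64-bit kernel never loads drivers from there.
        reasons.append("driver staged under SysWOW64 (WOW64 file-system redirection)")
    if re.fullmatch(r"[0-9a-f]{8}", svc, re.IGNORECASE) and path.endswith("\\" + svc.lower() + ".sys"):
        # Heuristic (assumption): eight hex digits reused as both service and file name.
        reasons.append("service and file name look machine-generated")
    if "\\users\\" in path or "\\temp\\" in path:
        reasons.append("driver image in a user-writable location")
    return Finding(svc, path, proc, reasons) if reasons else None


def scan(rows):
    return [f for f in map(check_image_path, rows) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.service}: {f.image_path} (set by {f.process})")
        for reason in f.reasons:
            print("   -", reason)
```

The normalizer is the part worth keeping: ImagePath values arrive as `\??\`-prefixed NT paths, `\SystemRoot\`-relative paths or bare `System32\drivers\x.sys`, and a rule that compares raw strings will miss two of the three forms.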
Deletes itself 1 IoCs
Processes:
pid | process
1852 | cmd.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes:
pid | process
1656 | icacls.exe
1144 | takeown.exe
2016 | icacls.exe
2036 | takeown.exe
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLLs that Internet Explorer loads as plugins. Every IoC recorded under this signature is a key deletion: the sample removes the BHO container key and three BHO registrations rather than installing one.
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
-
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
File created | C:\Windows\SysWOW64\wshtcpip.dll | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
File created | C:\Windows\SysWOW64\midimap.dll | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
File created | C:\Windows\SysWOW64\ws2tcpip.dll | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
-
Modifies registry class 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe" | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "shJfw.dll" | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1708 | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe (this row is recorded 64 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid | process
460 |
1708 | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1708 | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Token: SeTakeOwnershipPrivilege | 2036 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1144 | takeown.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description | pid | process | target process
PID 1708 wrote to memory of 1752 | 1708 | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe | cmd.exe (recorded 4 times)
PID 1752 wrote to memory of 2036 | 1752 | cmd.exe | takeown.exe (recorded 4 times)
PID 1752 wrote to memory of 1656 | 1752 | cmd.exe | icacls.exe (recorded 4 times)
PID 1708 wrote to memory of 1536 | 1708 | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe | cmd.exe (recorded 4 times)
PID 1536 wrote to memory of 1144 | 1536 | cmd.exe | takeown.exe (recorded 4 times)
PID 1536 wrote to memory of 2016 | 1536 | cmd.exe | icacls.exe (recorded 4 times)
PID 1708 wrote to memory of 1852 | 1708 | 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe | cmd.exe (recorded 4 times)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe"
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\takeown.exe
    command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[3] C:\Windows\SysWOW64\icacls.exe
    command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\takeown.exe
    command line: takeown /f C:\Windows\SysWOW64\midimap.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
[3] C:\Windows\SysWOW64\icacls.exe
    command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
- Possible privilege escalation attempt
- Modifies file permissions
-
[2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
- Deletes itself
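The two takeown/icacls chains in the tree above are the precondition for the "Drops file in System32 directory" rows: wshtcpip.dll and midimap.dll under SysWOW64 are owned by TrustedInstaller, so even an elevated process must first take ownership (takeown /f) and then grant itself full control (icacls ... /grant administrators:F) before it can overwrite them. The third cmd.exe runs a 181-byte batch file from %TEMP%, which is what the "Deletes itself" signature is keyed on. The following Python is an added example, not part of the Triage report or of any project: it correlates process-creation and file-write events shaped like this tree (PIDs, images and command lines are the ones the report records; the event tuple layout, the sample's parent PID of 0 and the trailing benign takeown are assumptions of the example) and emits one finding per protected file whose ownership and ACL were reset and then written from the same process tree, plus a lower-confidence finding for a batch file launched from the user's temp directory.

```python
import re

# Constructed events modelled on the process tree and "Drops file in System32 directory"
# rows of this report. PIDs, images and command lines are those the report records; the
# tuple layout is an assumption (a minimal Sysmon-like shape, not Triage's schema), the
# sample's own parent PID is not in the report (0 below), and the last process is a
# made-up benign takeown added for contrast.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe"
PROC_EVENTS = [  # (pid, parent pid, image, command line)
    (1708, 0, SAMPLE, f'"{SAMPLE}"'),
    (1752, 1708, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F"),
    (2036, 1752, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\Windows\SysWOW64\wshtcpip.dll"),
    (1656, 1752, r"C:\Windows\SysWOW64\icacls.exe", r"icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F"),
    (1536, 1708, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F"),
    (1144, 1536, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\Windows\SysWOW64\midimap.dll"),
    (2016, 1536, r"C:\Windows\SysWOW64\icacls.exe", r"icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F"),
    (1852, 1708, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat"),
    (3001, 3000, r"C:\Windows\System32\takeown.exe", r"takeown /f C:\Users\Admin\Documents\old.docx"),  # benign
]
FILE_EVENTS = [  # (pid, action, path)
    (1708, "File created", r"C:\Windows\SysWOW64\wshtcpip.dll"),
    (1708, "File created", r"C:\Windows\SysWOW64\midimap.dll"),
    (1708, "File created", r"C:\Windows\SysWOW64\ws2tcpip.dll"),
]

# Files under these directories are owned by TrustedInstaller; even administrators must
# take ownership and rewrite the ACL before they can overwrite them.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TAKEOWN_RE = re.compile(r'takeown(?:\.exe)?\s+/f\s+"?([^"\s]+)', re.IGNORECASE)
ICACLS_RE = re.compile(r'icacls(?:\.exe)?\s+"?([^"\s]+)"?\s+/grant\s+(\S+)', re.IGNORECASE)
TEMP_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?([^"\s]*\\appdata\\local\\temp\\[^"\s]+\.bat)', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(proc_events, file_events):
    """Correlate takeown -> icacls -> file write on protected paths, plus %TEMP% .bat launches."""
    parent = {pid: ppid for pid, ppid, _, _ in proc_events}
    image = {pid: img for pid, _, img, _ in proc_events}

    def root(pid):  # walk up to the top-most process we hold an event for
        while parent.get(pid) in parent:
            pid = parent[pid]
        return pid

    takeowns, grants, findings = {}, {}, []
    for pid, _, img, cmd in proc_events:
        name = basename(img)
        if name == "takeown.exe" and (m := TAKEOWN_RE.search(cmd)) and m[1].lower().startswith(PROTECTED_DIRS):
            takeowns[m[1].lower()] = pid
        elif name == "icacls.exe" and (m := ICACLS_RE.search(cmd)) and m[1].lower().startswith(PROTECTED_DIRS):
            grants[m[1].lower()] = (pid, m[2])
        elif name == "cmd.exe" and (m := TEMP_BAT_RE.search(cmd)):
            # Heuristic: a batch file in %TEMP% run via cmd /c is the usual self-delete /
            # cleanup shape (the report flags this process as "Deletes itself").
            findings.append({"rule": "temp_batch_via_cmd", "pid": pid,
                             "origin_pid": root(pid), "batch": m[1]})

    written = {p.lower(): pid for pid, action, p in file_events if action.startswith("File")}
    for path, tpid in takeowns.items():
        ipid, grant = grants.get(path, (None, None))
        if ipid is None or root(tpid) != root(ipid):
            continue  # ownership taken but the ACL was not rewritten by the same tree
        origin = root(tpid)
        findings.append({"rule": "protected_file_acl_reset", "path": path, "takeown_pid": tpid,
                         "icacls_pid": ipid, "grant": grant, "origin_pid": origin,
                         "origin_image": image[origin], "overwritten_by": written.get(path),
                         "severity": "high" if path in written else "medium"})
    return findings


if __name__ == "__main__":
    for finding in analyze(PROC_EVENTS, FILE_EVENTS):
        print(finding)
```

The correlation key is the process tree root rather than the immediate parent: takeown.exe and icacls.exe are children of cmd.exe, while the file write comes from the sample itself two levels up, so matching on parent PID alone would never join the three events. A takeown on a file in the user's own profile, as in the trailing benign event, produces nothing.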
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize 181B
MD5 55e5d590eb876b0dc367f8553b9f005a
SHA1 f5522c5195dcb4f98226a1464ee7c44d83a75b17
SHA256 a0e47b324ce32ff4e6933418bfd914c4238168a5037b72b6e2eb74d6fbe6740a
SHA512 763ea0073d0db84c0d76336b7c05f8f90411a5782f2b066bacd13cb2c9085147310a77e900807c7ddcdeea6cc4ab6ee5099471edb21bc1e802e8f2a64693a3e9
-
memory/1144-63-0x0000000000000000-mapping.dmp
-
memory/1536-62-0x0000000000000000-mapping.dmp
-
memory/1656-61-0x0000000000000000-mapping.dmp
-
memory/1708-57-0x0000000001000000-0x000000000116A000-memory.dmp
Filesize 1.4MB
-
memory/1708-58-0x00000000003A0000-0x00000000003C0000-memory.dmp
Filesize 128KB
-
memory/1708-54-0x0000000075451000-0x0000000075453000-memory.dmp
Filesize 8KB
-
memory/1708-56-0x00000000003A0000-0x00000000003C0000-memory.dmp
Filesize 128KB
-
memory/1708-66-0x0000000001000000-0x000000000116A000-memory.dmp
Filesize 1.4MB
-
memory/1708-55-0x0000000001000000-0x000000000116A000-memory.dmp
Filesize 1.4MB
-
memory/1752-59-0x0000000000000000-mapping.dmp
-
memory/1852-65-0x0000000000000000-mapping.dmp
-
memory/2016-64-0x0000000000000000-mapping.dmp
-
memory/2036-60-0x0000000000000000-mapping.dmp