Analysis

max time kernel: 62s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2022 12:59
Static task: static1

Behavioral task: behavioral1
  Sample: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
  Resource: win10v2004-20220901-en
General

Target: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Size: 328KB
MD5: 05bef863589d9acccb2f7c522b4c5b00
SHA1: e318054d17d150fa7e186aaf80e6721ed3e83e21
SHA256: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54
SHA512: 291a5dd278577047ae7c2755ab14129db183763ba7f646e01b0bbdb2856a00d65bd78d62404c0504169571acc6b224009b93fa898f90dabfc8d9717013b57aae
SSDEEP: 6144:eyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:eCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Description | IoC | Process
File created | C:\Windows\SysWOW64\drivers\1953c549.sys | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Possible privilege escalation attempt (4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
PID | Process
1784 | takeown.exe
1208 | icacls.exe
1988 | takeown.exe
1640 | icacls.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\1953c549\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\1953c549.sys" | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Deletes itself (1 IoC)
Processes: cmd.exe
PID | Process
1740 | cmd.exe
Modifies file permissions (1 TTP, 4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
PID | Process
1784 | takeown.exe
1208 | icacls.exe
1988 | takeown.exe
1640 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Description | IoC | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Drops file in System32 directory (4 IoCs)
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Description | IoC | Process
File created | C:\Windows\SysWOW64\ws2tcpip.dll | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File created | C:\Windows\SysWOW64\wshtcpip.dll | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File created | C:\Windows\SysWOW64\midimap.dll | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Modifies registry class (4 IoCs)
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Description | IoC | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "Vsi.dll" | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe" | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
PID | Process | Count
1592 | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe | 64 identical entries
Suspicious behavior: LoadsDriver (2 IoCs)
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
PID | Process
464 | (not named in the report)
1592 | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe, takeown.exe, takeown.exe
Description | PID | Process
Token: SeDebugPrivilege | 1592 | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Token: SeTakeOwnershipPrivilege | 1784 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1988 | takeown.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe, cmd.exe, cmd.exe
Each row below is logged 4 times in the report (7 distinct entries, 28 IoCs in total).
Description | PID | Process | Target process
PID 1592 wrote to memory of 1700 | 1592 | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe | cmd.exe
PID 1700 wrote to memory of 1784 | 1700 | cmd.exe | takeown.exe
PID 1700 wrote to memory of 1208 | 1700 | cmd.exe | icacls.exe
PID 1592 wrote to memory of 1736 | 1592 | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe | cmd.exe
PID 1736 wrote to memory of 1988 | 1736 | cmd.exe | takeown.exe
PID 1736 wrote to memory of 1640 | 1736 | cmd.exe | icacls.exe
PID 1592 wrote to memory of 1740 | 1592 | 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe | cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe"
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3)
    Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (depth 3)
    Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe (depth 3)
    Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe (depth 3)
    Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe (depth 2)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  - Deletes itself
Network
Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: a3ed440e3ac56eca32bcf9107d1bb4c6
  SHA1: 2373eb0d628a3b88ab776dd17f040e0a7203fde4
  SHA256: 6cfe830cdf4310cce0562f2faa7b834ca569c0b1da8dc30e25cb15c5cfb55972
  SHA512: 45092cbca84b098ebad5ec3811db3d0926dad4770ee952e6954e8cf0cae4a3f5e63ab083addd01f50d5585b15ccc22a8cd2887b5889dd528fb9c4a6e40ba678a

memory/1208-61-0x0000000000000000-mapping.dmp

memory/1592-66-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB

memory/1592-55-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB

memory/1592-56-0x00000000002B0000-0x00000000002D0000-memory.dmp
  Filesize: 128KB

memory/1592-57-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB

memory/1592-58-0x00000000002B0000-0x00000000002D0000-memory.dmp
  Filesize: 128KB

memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
  Filesize: 8KB

memory/1640-64-0x0000000000000000-mapping.dmp

memory/1700-59-0x0000000000000000-mapping.dmp

memory/1736-62-0x0000000000000000-mapping.dmp

memory/1740-65-0x0000000000000000-mapping.dmp

memory/1784-60-0x0000000000000000-mapping.dmp

memory/1988-63-0x0000000000000000-mapping.dmp