Analysis
-
max time kernel: 91s
max time network: 80s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2022 13:59
Static task: static1
Behavioral task: behavioral1
  Sample: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
  Resource: win10v2004-20220812-en
General
-
Target
25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
-
Size
328KB
-
MD5
0e07c9d7250a78436faaeeaa37d7c490
-
SHA1
2f5454baad432a8d3675e711e05482081343161d
-
SHA256
25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece
-
SHA512
7bd6e3b497cb900fb139d1c623d117b58b8939dca39d49a51aa79e2ccab37cd24f7f851df28e07eef8aa42adef026222a372c732506a4bd4d6357df6135f5442
-
SSDEEP
6144:hyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:hCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\534a3455.sys | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
-
Possible privilege escalation attempt 4 IoCs
takeown and icacls are run against DLLs under C:\Windows\SysWOW64 (see the process tree below). The sample already runs as the sandbox's Admin user, so no token is being escalated here: Windows-protected files are owned by TrustedInstaller and Administrators only hold read and execute on them, so ownership has to be taken and Full control granted before the files can be overwritten.
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
752 | takeown.exe
1144 | icacls.exe
324 | takeown.exe
536 | icacls.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\534a3455\ImagePath = "\??\C:\Windows\SysWOW64\drivers\534a3455.sys" | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
-
Deletes itself 1 IoCs
The cmd.exe instance flagged here is the one that runs C:\Users\Admin\AppData\Local\Temp\ahnmove.bat (the last child in the process tree below); the batch file itself is listed under Downloads.
Processes: cmd.exe
pid | process
1480 | cmd.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes: icacls.exe, takeown.exe, icacls.exe, takeown.exe
pid | process
1144 | icacls.exe
324 | takeown.exe
536 | icacls.exe
752 | takeown.exe
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer. Note that every IoC in this run is a deletion: three BHO CLSID entries and the Browser Helper Objects key itself are removed, so the sample strips existing BHOs rather than registering one.
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
-
Drops file in System32 directory 4 IoCs
midimap.dll and wshtcpip.dll are the two files whose ownership and ACLs the sample resets with takeown and icacls (process tree below), and both are names of stock Windows DLLs, so these "File created" events overwrite existing system files rather than add new ones; ws2tcpip.dll is written and then opened for modification alongside them. Compare the on-disk copies against a known-good image when triaging a host.
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
description | ioc | process
File created | C:\Windows\SysWOW64\midimap.dll | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
File created | C:\Windows\SysWOW64\ws2tcpip.dll | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
File created | C:\Windows\SysWOW64\wshtcpip.dll | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
-
Modifies registry class 4 IoCs
The two CLSID keys are not real class registrations but marker values: HOOK_ID\name records the sample's own file name and SYS_DLL\name records "GsfHGDi.dll", a DLL that does not appear among the files written during this run, so it is either embedded elsewhere or expected from a later stage.
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe" | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "GsfHGDi.dll" | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
pid | process
1852 | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe (the same row is reported 64 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
pid | process
460 | (no process name in the report)
1852 | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe, takeown.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 1852 | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe
Token: SeTakeOwnershipPrivilege | 752 | takeown.exe
Token: SeTakeOwnershipPrivilege | 324 | takeown.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe, cmd.exe, cmd.exe
description | pid | process | target process (each pairing below is reported four times, 28 rows in total)
PID 1852 wrote to memory of 1160 | 1852 | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe | cmd.exe
PID 1160 wrote to memory of 752 | 1160 | cmd.exe | takeown.exe
PID 1160 wrote to memory of 1144 | 1160 | cmd.exe | icacls.exe
PID 1852 wrote to memory of 1756 | 1852 | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe | cmd.exe
PID 1756 wrote to memory of 324 | 1756 | cmd.exe | takeown.exe
PID 1756 wrote to memory of 536 | 1756 | cmd.exe | icacls.exe
PID 1852 wrote to memory of 1480 | 1852 | 25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe | cmd.exe
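A detection pass over the registry and file indicators listed in the signatures above, as an added example that is not part of the sandbox report and not code from the sample. The event rows are constructed here to mirror the IoC tables (one benign driver-install row by svchost.exe is added as a control), the tuple layout and rule names are this example's own rather than any sandbox or EDR schema, and the GsfHGDi.dll check simply cross-references the SYS_DLL marker against the run's "File created" events.

```python
"""Match the registry and file IoCs from the Signatures section.

Added example: not part of the sandbox report and not the sample's code.
EVENTS is constructed to mirror the IoC rows (plus one benign control row);
the tuple layout and rule names are this example's own conventions.
"""
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "action path value process")

SAMPLE = "25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE

EVENTS = [  # constructed from the report's IoC tables
    Event("File created", r"C:\Windows\SysWOW64\drivers\534a3455.sys", None, SAMPLE_PATH),
    Event("Set value (str)",
          r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\534a3455\ImagePath",
          r"\??\C:\Windows\SysWOW64\drivers\534a3455.sys", SAMPLE_PATH),
    Event("File created", r"C:\Windows\SysWOW64\midimap.dll", None, SAMPLE_PATH),
    Event("File created", r"C:\Windows\SysWOW64\wshtcpip.dll", None, SAMPLE_PATH),
    Event("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL", None, SAMPLE_PATH),
    Event("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name",
          "GsfHGDi.dll", SAMPLE_PATH),
    Event("Key deleted",
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects",
          None, SAMPLE_PATH),
    # Control row (constructed): a stock driver registered from System32\drivers.
    Event("Set value (str)", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\usbstor\ImagePath",
          r"\SystemRoot\System32\drivers\USBSTOR.SYS", r"C:\Windows\System32\svchost.exe"),
]

SERVICE_IMAGE_RE = re.compile(r"\\services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# Directories a kernel driver ImagePath normally points into (lower-cased).
EXPECTED_DRIVER_DIRS = {
    r"\systemroot\system32\drivers",
    r"c:\windows\system32\drivers",
    r"system32\drivers",
}


def driver_dir(image_path):
    """Lower-case the ImagePath, strip the NT object-manager prefix, return its directory."""
    p = image_path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return ntpath.dirname(p)


def finding(rule, ev, **extra):
    return {"rule": rule, "path": ev.path, "process": ev.process, **extra}


def analyze(events):
    findings = []
    # Every file this run wrote, by base name, for the SYS_DLL cross-check.
    dropped = {ntpath.basename(e.path).lower() for e in events if e.action == "File created"}
    for ev in events:
        m = SERVICE_IMAGE_RE.search(ev.path)
        if m and ev.value and ev.value.lower().endswith(".sys") \
                and driver_dir(ev.value) not in EXPECTED_DRIVER_DIRS:
            # Driver service whose binary lives outside System32\drivers
            # (here SysWOW64\drivers, written by a 32-bit dropper).
            findings.append(finding("driver_service_outside_system32_drivers", ev,
                                    service=m.group(1), image=ev.value))
        if ev.action == "File created" and ev.path.lower().endswith(".sys") \
                and "\\drivers\\" in ev.path.lower() \
                and not ev.process.lower().startswith("c:\\windows\\"):
            # Assumption for the control row: writes by Windows-resident
            # binaries are treated as installer activity and not flagged.
            findings.append(finding("driver_dropped_by_non_windows_process", ev))
        if ev.action.startswith("Set value") and ev.path.lower().endswith("\\clsid\\sys_dll\\name") \
                and ev.value and ev.value.lower() not in dropped:
            # The marker names a DLL that no File created event in this run wrote.
            findings.append(finding("sys_dll_marker_without_matching_file", ev, dll=ev.value))
        if ev.action == "Key deleted" and ev.path.lower().endswith("\\browser helper objects"):
            findings.append(finding("bho_parent_key_deleted", ev))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["rule"], "->", f.get("image") or f.get("dll") or f["path"])
```

The control row shows why the ImagePath rule keys on the directory rather than on the .sys extension alone: a legitimate driver registration also writes an ImagePath ending in .sys, and only the SysWOW64\drivers location and the non-Windows writer set this run apart.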
Processes
-
C:\Users\Admin\AppData\Local\Temp\25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 2)
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\takeown.exe (depth 3)
          takeown /f C:\Windows\SysWOW64\wshtcpip.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\icacls.exe (depth 3)
          icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe (depth 2)
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\takeown.exe (depth 3)
          takeown /f C:\Windows\SysWOW64\midimap.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\icacls.exe (depth 3)
          icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
    C:\Windows\SysWOW64\cmd.exe (depth 2)
      cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      - Deletes itself
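The process tree above is the part of this report a detection engineer would want to turn into a rule: a binary in a user's Temp directory spawns cmd.exe to take ownership of a Windows DLL and grant administrators Full control, then runs a batch file from Temp. The following is an added example that reconstructs that chain from process-creation records; it is not part of the sandbox report and not the sample's code. PROCS is constructed from the tree: the pids are the ones the WriteProcessMemory rows list, but which of the two cmd.exe pids (1160, 1756) belongs to which command line is assumed here, the explorer.exe parent (pid 1000) and the benign control rows (pids 2000, 2001) are invented, and the rule names are this example's own.

```python
"""Reconstruct the takeown / icacls chain and the Temp batch launch from
process-creation records.

Added example: not part of the sandbox report and not the sample's code.
PROCS is constructed from the process tree; the cmd.exe pid-to-command-line
pairing, the explorer.exe parent and the control rows are assumptions.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\25538f92187a715a0b529d649baf4b2e32b50a6d43171d63c05135767f23eece.exe"
WSH = r"C:\Windows\SysWOW64\wshtcpip.dll"
MIDI = r"C:\Windows\SysWOW64\midimap.dll"

PROCS = [  # constructed
    Proc(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(1852, 1000, DROPPER, '"%s"' % DROPPER),
    Proc(1160, 1852, r"C:\Windows\SysWOW64\cmd.exe",
         "cmd.exe /c takeown /f %s && icacls %s /grant administrators:F" % (WSH, WSH)),
    Proc(752, 1160, r"C:\Windows\SysWOW64\takeown.exe", "takeown /f " + WSH),
    Proc(1144, 1160, r"C:\Windows\SysWOW64\icacls.exe", "icacls %s /grant administrators:F" % WSH),
    Proc(1756, 1852, r"C:\Windows\SysWOW64\cmd.exe",
         "cmd.exe /c takeown /f %s && icacls %s /grant administrators:F" % (MIDI, MIDI)),
    Proc(324, 1756, r"C:\Windows\SysWOW64\takeown.exe", "takeown /f " + MIDI),
    Proc(536, 1756, r"C:\Windows\SysWOW64\icacls.exe", "icacls %s /grant administrators:F" % MIDI),
    Proc(1480, 1852, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat"),
    # Control rows (constructed): an admin fixing an ACL on a file in their own profile.
    Proc(2000, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Proc(2001, 2000, r"C:\Windows\System32\icacls.exe", r"icacls C:\Users\Admin\Documents\report.docx /grant Admin:F"),
]

PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TAKEOWN_RE = re.compile(r"\btakeown(?:\.exe)?\s+/f\s+(\S+)", re.IGNORECASE)
ICACLS_RE = re.compile(r"\bicacls(?:\.exe)?\s+(\S+)\s+/grant(?::r)?\s+(\S+)", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r"\bcmd(?:\.exe)?\s+/c\s+(\S+\.bat)\b", re.IGNORECASE)
TEMP_DIR = "\\appdata\\local\\temp\\"


def is_protected(path):
    return path.lower().startswith(PROTECTED_DIRS)


def root_ancestor(by_pid, pid):
    """Walk ppid links and return the first ancestor not living under the
    Windows directory (the dropper); fall back to the top-most process found."""
    seen, cur, last = set(), by_pid.get(pid), None
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        last = cur
        if not cur.image.lower().startswith("c:\\windows\\"):
            return cur
        cur = by_pid.get(cur.ppid)
    return last


def analyze(procs):
    by_pid = {p.pid: p for p in procs}
    resets = {}  # protected file -> details of its takeown / icacls pair
    findings = []
    for p in procs:
        exe = p.image.lower().rsplit("\\", 1)[-1]
        if exe == "takeown.exe":
            m = TAKEOWN_RE.search(p.cmdline)
            if m and is_protected(m.group(1)):
                resets.setdefault(m.group(1).lower(), {})["takeown_pid"] = p.pid
        elif exe == "icacls.exe":
            m = ICACLS_RE.search(p.cmdline)
            if m and is_protected(m.group(1)):
                entry = resets.setdefault(m.group(1).lower(), {})
                entry["icacls_pid"] = p.pid
                entry["grant"] = m.group(2)
        elif exe == "cmd.exe":
            m = TEMP_BAT_RE.search(p.cmdline)
            if m and TEMP_DIR in m.group(1).lower():
                root = root_ancestor(by_pid, p.pid)
                if root is not None and TEMP_DIR in root.image.lower():
                    # The report labels this node "Deletes itself"; process records
                    # alone only show a Temp batch file run on behalf of a Temp binary.
                    findings.append({"rule": "temp_batch_from_temp_dropper", "pid": p.pid,
                                     "batch": m.group(1), "root_pid": root.pid, "root_image": root.image})
    for path, entry in resets.items():
        root = root_ancestor(by_pid, entry.get("takeown_pid") or entry.get("icacls_pid"))
        findings.append({"rule": "protected_file_ownership_reset", "file": path,
                         "root_pid": root.pid, "root_image": root.image, **entry})
    return findings


if __name__ == "__main__":
    for f in analyze(PROCS):
        print(f["rule"], f.get("file") or f.get("batch"), "root pid", f["root_pid"])
```

Matching on the takeown.exe and icacls.exe images rather than on the cmd.exe wrapper avoids double-counting the same command line, and walking the parent chain back to the first non-Windows image is what ties both ACL resets and the batch launch to pid 1852 instead of to three unrelated cmd.exe instances.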
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize: 181B
MD5: 6033a893343f9947570212d958cd9ae9
SHA1: 3c8668511e54eed8d9d9e6c7fb35ea97e0f2bd39
SHA256: 9da0da3647c60dad1ed774537fa1ba51fb1a51d2bb634e3f35e237285f573913
SHA512: 3132e77877549c3d998bdc865999a7c901ee10ec0e879f44099586645d1aae9a64c8574e2fa335a6bd021d9cec3b41118d1dd62e697b20388dc3bac1a3047644
-
memory/324-63-0x0000000000000000-mapping.dmp
-
memory/536-64-0x0000000000000000-mapping.dmp
-
memory/752-60-0x0000000000000000-mapping.dmp
-
memory/1144-61-0x0000000000000000-mapping.dmp
-
memory/1160-59-0x0000000000000000-mapping.dmp
-
memory/1480-65-0x0000000000000000-mapping.dmp
-
memory/1756-62-0x0000000000000000-mapping.dmp
-
memory/1852-58-0x00000000001B0000-0x00000000001D0000-memory.dmp
Filesize: 128KB
-
memory/1852-54-0x0000000075521000-0x0000000075523000-memory.dmp
Filesize: 8KB
-
memory/1852-57-0x0000000001000000-0x000000000116A000-memory.dmp
Filesize: 1.4MB
-
memory/1852-56-0x00000000001B0000-0x00000000001D0000-memory.dmp
Filesize: 128KB
-
memory/1852-66-0x0000000001000000-0x000000000116A000-memory.dmp
Filesize: 1.4MB
-
memory/1852-55-0x0000000001000000-0x000000000116A000-memory.dmp
Filesize: 1.4MB