Analysis
-
max time kernel
86s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
08-11-2022 21:46
Static task
static1
Behavioral task
behavioral1
Sample
c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Resource
win10v2004-20220901-en
General
-
Target
c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
-
Size
328KB
-
MD5
0375aebbe8a0bb86b8be67da3ce17a80
-
SHA1
1888e036a66eec5f01e9197a419890a1441aa6d1
-
SHA256
c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607
-
SHA512
505105ea9d2ec8f03981b606ecbb888264e32b9b51491e4581b4a715c4915bfbb2f93523d9cbb6e2ba8d204cf2fb573a6a23057b2ea185153c86cd3fb70bdc40
-
SSDEEP
6144:RyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:RCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description   ioc                                        process
  File created  C:\Windows\SysWOW64\drivers\40a5d629.sys   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
-
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid   process
  1188  takeown.exe
  760   icacls.exe
  1196  takeown.exe
  568   icacls.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description      ioc                                                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\40a5d629\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\40a5d629.sys"   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
The value points at the .sys dropped in the previous signature; the \??\ prefix is the NT object-manager form of the path, which is how a kernel driver's ImagePath is normally written. The service name and file name (40a5d629) are identical, so either one is a usable pivot for hunting.
-
Deletes itself 1 IoCs
Processes: cmd.exe
  pid   process
  1888  cmd.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid   process
  1188  takeown.exe
  760   icacls.exe
  1196  takeown.exe
  568   icacls.exe
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer. In this run all four operations are deletions: the three registered BHO CLSID subkeys are removed and then the Browser Helper Objects key itself (32-bit Wow6432Node view), so the sample strips whatever IE add-ons were present rather than installing one of its own.
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description  ioc                                                                                                                             process
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}  c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}  c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}  c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects                                          c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description           ioc                                                      process
  Key opened            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key queried           \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key value enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
-
Drops file in System32 directory 4 IoCs
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description                   ioc                                  process
  File created                  C:\Windows\SysWOW64\ws2tcpip.dll     c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  File opened for modification  C:\Windows\SysWOW64\ws2tcpip.dll     c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  File created                  C:\Windows\SysWOW64\wshtcpip.dll     c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  File created                  C:\Windows\SysWOW64\midimap.dll      c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
wshtcpip.dll and midimap.dll are the names of standard Windows DLLs, and they are exactly the two files the sample takes ownership of via takeown/icacls in the process tree below, so these "File created" events most likely record the originals being overwritten rather than new files being added. The report does not capture the contents of the written files.
-
Modifies registry class 4 IoCs
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description      ioc                                                                                                                            process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID                                                                   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe"   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL                                                                   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "IAeu.dll"                                                 c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
HOOK_ID and SYS_DLL are not CLSID-formatted names, which makes these two keys a distinctive host-based indicator. The referenced IAeu.dll does not appear among the files the sandbox saw the sample create, so its origin is not established by this report.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  pid  process
  108  c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe   (the same entry is recorded 64 times)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  pid  process
  464  (image name not recorded in the report)
  108  c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe, takeown.exe, takeown.exe
  description                      pid   process
  Token: SeDebugPrivilege          108   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Token: SeTakeOwnershipPrivilege  1188  takeown.exe
  Token: SeTakeOwnershipPrivilege  1196  takeown.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe, cmd.exe, cmd.exe
  description         pid   process                                                                  target pid  target process  count
  wrote to memory of  108   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe    1380        cmd.exe         4
  wrote to memory of  1380  cmd.exe                                                                  1188        takeown.exe     4
  wrote to memory of  1380  cmd.exe                                                                  760         icacls.exe      4
  wrote to memory of  108   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe    392         cmd.exe         4
  wrote to memory of  392   cmd.exe                                                                  1196        takeown.exe     4
  wrote to memory of  392   cmd.exe                                                                  568         icacls.exe      4
  wrote to memory of  108   c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe    1888        cmd.exe         4
Every entry targets a child that the writing process had just created (compare the process tree below). That pattern is consistent with ordinary process start-up rather than injection into an unrelated process; the report shows no write into any process outside this tree.
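The "Maps connected drives based on registry" signature above records that the sample opened and enumerated Services\Disk\Enum. That key holds one string per enumerated disk (named "0", "1", ...) plus a Count value, and each string is the disk's PnP instance ID, which carries the vendor and product strings a hypervisor exposes. The following is an added illustration of the check such a read is typically used for, written for this page and not taken from the sample or the report; the marker list and the two key dumps are constructed assumptions, since the report records only that the key was read, not its contents.

```python
"""Classify Services\\Disk\\Enum values the way a sandbox-evasion check would.

Added example, not code from the sample or the sandbox. The Disk\\Enum key on
a live host is read with winreg; here the dumps are constructed dicts so the
logic runs anywhere.
"""

# Vendor/product substrings commonly probed by evasive samples (assumed list;
# extend or tune it for the hypervisors your own sandboxes run on).
VM_MARKERS = {
    "VBOX": "VirtualBox",
    "VMWARE": "VMware",
    "QEMU": "QEMU/KVM",
    "VIRTUAL": "Hyper-V / generic virtual disk",
    "XEN": "Xen",
}


def disk_enum_entries(values: dict) -> list:
    """Return the disk instance IDs from a Disk\\Enum dump, in index order.

    Only values with purely numeric names are disks; Count and NextInstance
    are bookkeeping and are skipped.
    """
    numbered = [(int(name), val) for name, val in values.items() if name.isdigit()]
    return [val for _, val in sorted(numbered)]


def classify_disks(values: dict) -> dict:
    """Map each enumerated disk instance ID to the hypervisor it reveals, or None."""
    result = {}
    for inst in disk_enum_entries(values):
        upper = inst.upper()
        result[inst] = next((name for marker, name in VM_MARKERS.items() if marker in upper), None)
    return result


def looks_virtual(values: dict) -> bool:
    """True if any enumerated disk carries a known hypervisor marker."""
    return any(hit is not None for hit in classify_disks(values).values())


# Constructed dumps (not from the report): a VirtualBox guest and a bare-metal host.
VBOX_DUMP = {
    "Count": 1,
    "NextInstance": 1,
    "0": r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&2cd6f0b1&0&000000",
}
BARE_METAL_DUMP = {
    "Count": 1,
    "NextInstance": 1,
    "0": r"SCSI\Disk&Ven_Samsung&Prod_SSD_860_EVO\5&1a2b3c4d&0&000000",
}

if __name__ == "__main__":
    for label, dump in (("vbox", VBOX_DUMP), ("bare metal", BARE_METAL_DUMP)):
        print(label, classify_disks(dump), "virtual" if looks_virtual(dump) else "physical")
```

The defensive use of the same function is the inverse one: run it against the Disk\Enum contents of your own analysis VMs, and any disk it classifies is a string the guest should be re-labelled to hide before detonating evasive samples.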
Processes
-
1  C:\Users\Admin\AppData\Local\Temp\c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
   "C:\Users\Admin\AppData\Local\Temp\c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe"
   - Drops file in Drivers directory
   - Sets service image path in registry
   - Installs/modifies Browser Helper Object
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: LoadsDriver
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\takeown.exe
         takeown /f C:\Windows\SysWOW64\wshtcpip.dll
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Windows\SysWOW64\icacls.exe
         icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions
   2  C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\takeown.exe
         takeown /f C:\Windows\SysWOW64\midimap.dll
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Windows\SysWOW64\icacls.exe
         icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions
   2  C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      - Deletes itself
Read together with the file events: the sample (PID 108) first takes ownership of wshtcpip.dll and midimap.dll in SysWOW64 and grants Administrators full control, which is the usual preparation for overwriting a system DLL that Administrators cannot write by default, and the "Drops file in System32 directory" signature then records files created under those same two names. The last child, cmd.exe running ahnmove.bat, is the process flagged for deleting the sample; the batch file is listed under Downloads but its contents are not reproduced in the report.
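Two behaviours in this tree are worth turning into detection logic: the cmd.exe -> takeown.exe / icacls.exe chain aimed at files under SysWOW64, and the service ImagePath write that points at a .sys the same process had just dropped. The block below is an added example written for this page, not part of the sandbox report or the sample; it runs over constructed process, file and registry events that mirror the rows above. The parent PID of the sample itself is not in the report and is set to 0, and the rule that the originating process must live outside C:\Windows is a noise-reduction heuristic of this example (it deliberately ignores an administrator running takeown from an Explorer-launched shell).

```python
"""Detection logic for the takeown/icacls chain and the dropped-driver service.

Added example, not the report's or the sample's code. Events are constructed
to match the IoC rows above.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not recorded
    image: str
    cmdline: str


@dataclass
class FileEvent:
    pid: int
    op: str          # "create"
    path: str


@dataclass
class RegEvent:
    pid: int
    op: str          # "set"
    path: str
    data: str = ""


ACL_TOOLS = {"takeown.exe", "icacls.exe", "cacls.exe"}          # assumed tool list
# A path under System32 or SysWOW64 appearing on a command line.
SYSDIR_PATH = re.compile(r'[a-z]:\\windows\\sys(?:tem32|wow64)\\[^\s"&]+', re.I)
# HKLM\SYSTEM\ControlSetNNN\services\<name>\ImagePath in the sandbox's native form.
SERVICE_IMAGEPATH = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\services\\([^\\]+)\\ImagePath$", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_acl_tampering(procs):
    """takeown/icacls aimed at a System32/SysWOW64 file, launched through cmd.exe
    by a process whose image is not itself under C:\\Windows.
    Returns [(pid, tool, target_path, originating_image)]."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _basename(p.image) not in ACL_TOOLS:
            continue
        m = SYSDIR_PATH.search(p.cmdline)
        parent = by_pid.get(p.ppid)
        origin = by_pid.get(parent.ppid) if parent else None
        if (m and parent and _basename(parent.image) == "cmd.exe" and origin
                and not origin.image.lower().startswith("c:\\windows\\")):
            hits.append((p.pid, _basename(p.image), m.group(0).lower(), origin.image))
    return hits


def detect_dropped_driver_service(files, regs):
    """An ImagePath write whose target is a .sys the same pid created in this run.
    Returns [(pid, service_name, sys_path)]."""
    created = {(f.pid, f.path.lower()) for f in files if f.op == "create"}
    hits = []
    for r in regs:
        m = SERVICE_IMAGEPATH.match(r.path) if r.op == "set" else None
        if not m:
            continue
        sys_path = re.sub(r"^\\\?\?\\", "", r.data).lower()   # strip the NT prefix \??\
        if sys_path.endswith(".sys") and (r.pid, sys_path) in created:
            hits.append((r.pid, m.group(1), sys_path))
    return hits


# Constructed events mirroring the process tree and IoC rows above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe"
SYS = r"C:\Windows\SysWOW64"
PROCS = [
    ProcEvent(108, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1380, 108, SYS + r"\cmd.exe",
              r"cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F"),
    ProcEvent(1188, 1380, SYS + r"\takeown.exe", r"takeown /f C:\Windows\SysWOW64\wshtcpip.dll"),
    ProcEvent(760, 1380, SYS + r"\icacls.exe", r"icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F"),
    ProcEvent(392, 108, SYS + r"\cmd.exe",
              r"cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F"),
    ProcEvent(1196, 392, SYS + r"\takeown.exe", r"takeown /f C:\Windows\SysWOW64\midimap.dll"),
    ProcEvent(568, 392, SYS + r"\icacls.exe", r"icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F"),
    ProcEvent(1888, 108, SYS + r"\cmd.exe", r"cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat"),
]
FILES = [
    FileEvent(108, "create", SYS + r"\drivers\40a5d629.sys"),
    FileEvent(108, "create", SYS + r"\ws2tcpip.dll"),
    FileEvent(108, "create", SYS + r"\wshtcpip.dll"),
    FileEvent(108, "create", SYS + r"\midimap.dll"),
]
REGS = [
    RegEvent(108, "set", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\40a5d629\ImagePath",
             r"\??\C:\Windows\SysWOW64\drivers\40a5d629.sys"),
]

if __name__ == "__main__":
    for hit in detect_acl_tampering(PROCS):
        print("ACL tampering on system file:", hit)
    for hit in detect_dropped_driver_service(FILES, REGS):
        print("Service pointed at dropped driver:", hit)
```

Both rules key on relationships rather than on the hash or the name 40a5d629, so they survive a rebuild of the sample: the first needs only process-creation events with parent PIDs and command lines, the second needs file-create and registry-set events correlated by PID.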
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B
MD5
1239040563915e1a5f87cef10bb96ce2
SHA1
9f7d3ff12c6fde12ec67d4131f5eeb79b2e7386d
SHA256
a8f6c666cec032c1f830c9a59948f1519e1abec8a10b58ca7a84ac1d3185a332
SHA512
9d90f9acda0e1fd2c005c3b13c5d9bd98d264b151737b1bd689768b2a6e0dcf09e274f7c4a8a6c95855dc2b15668612eed118476610a4fa66f5e07afe6809b5e
-
memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp
Filesize
8KB
-
memory/108-55-0x0000000001000000-0x000000000116A000-memory.dmp
Filesize
1.4MB
-
memory/108-56-0x00000000002B0000-0x00000000002D0000-memory.dmp
Filesize
128KB
-
memory/108-64-0x0000000001000000-0x000000000116A000-memory.dmp
Filesize
1.4MB
-
memory/392-60-0x0000000000000000-mapping.dmp
-
memory/568-62-0x0000000000000000-mapping.dmp
-
memory/760-59-0x0000000000000000-mapping.dmp
-
memory/1188-58-0x0000000000000000-mapping.dmp
-
memory/1196-61-0x0000000000000000-mapping.dmp
-
memory/1380-57-0x0000000000000000-mapping.dmp
-
memory/1888-63-0x0000000000000000-mapping.dmp