Analysis

max time kernel: 73s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2022 21:46
Static task: static1

Behavioral task: behavioral1
Sample: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Resource: win10v2004-20220901-en
General

Target: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Size: 328KB
MD5: 0375aebbe8a0bb86b8be67da3ce17a80
SHA1: 1888e036a66eec5f01e9197a419890a1441aa6d1
SHA256: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607
SHA512: 505105ea9d2ec8f03981b606ecbb888264e32b9b51491e4581b4a715c4915bfbb2f93523d9cbb6e2ba8d204cf2fb573a6a23057b2ea185153c86cd3fb70bdc40
SSDEEP: 6144:RyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:RCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\42f3cbe9.sys | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Possible privilege escalation attempt (4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid | process
  3792 | takeown.exe
  680 | icacls.exe
  3148 | takeown.exe
  1952 | icacls.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\42f3cbe9\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\42f3cbe9.sys" | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Modifies file permissions (1 TTPs, 4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid | process
  3148 | takeown.exe
  1952 | icacls.exe
  3792 | takeown.exe
  680 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Drops file in System32 directory (4 IoCs)
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\ws2tcpip.dll | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  File created | C:\Windows\SysWOW64\wshtcpip.dll | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  File created | C:\Windows\SysWOW64\midimap.dll | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Modifies registry class (4 IoCs)
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe" | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "uH2hyhdri.dll" | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  pid | process
  1728 | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  (the same row is recorded 64 times; every IoC in this signature is pid 1728)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  pid | process
  664 | (no process name recorded in the report)
  1728 | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe, takeown.exe, takeown.exe
  description | pid | process
  Token: SeDebugPrivilege | 1728 | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Token: SeTakeOwnershipPrivilege | 3792 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3148 | takeown.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1728 wrote to memory of 812 | 1728 | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe | cmd.exe (recorded 3 times)
  PID 812 wrote to memory of 3792 | 812 | cmd.exe | takeown.exe (recorded 3 times)
  PID 812 wrote to memory of 680 | 812 | cmd.exe | icacls.exe (recorded 3 times)
  PID 1728 wrote to memory of 2836 | 1728 | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe | cmd.exe (recorded 3 times)
  PID 2836 wrote to memory of 3148 | 2836 | cmd.exe | takeown.exe (recorded 3 times)
  PID 2836 wrote to memory of 1952 | 2836 | cmd.exe | icacls.exe (recorded 3 times)
  PID 1728 wrote to memory of 3712 | 1728 | c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe | cmd.exe (recorded 3 times)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c16de6c175b4587da7119989dae45b14e19b08f206164bb12e5abb744d552607.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    (depth 3) C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    (depth 3) C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 1239040563915e1a5f87cef10bb96ce2
  SHA1: 9f7d3ff12c6fde12ec67d4131f5eeb79b2e7386d
  SHA256: a8f6c666cec032c1f830c9a59948f1519e1abec8a10b58ca7a84ac1d3185a332
  SHA512: 9d90f9acda0e1fd2c005c3b13c5d9bd98d264b151737b1bd689768b2a6e0dcf09e274f7c4a8a6c95855dc2b15668612eed118476610a4fa66f5e07afe6809b5e

memory/680-138-0x0000000000000000-mapping.dmp

memory/812-136-0x0000000000000000-mapping.dmp

memory/1728-135-0x00000000005A0000-0x00000000005C0000-memory.dmp
  Filesize: 128KB

memory/1728-132-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB

memory/1728-134-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB

memory/1728-143-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB

memory/1728-133-0x00000000005A0000-0x00000000005C0000-memory.dmp
  Filesize: 128KB

memory/1952-141-0x0000000000000000-mapping.dmp

memory/2836-139-0x0000000000000000-mapping.dmp

memory/3148-140-0x0000000000000000-mapping.dmp

memory/3712-142-0x0000000000000000-mapping.dmp

memory/3792-137-0x0000000000000000-mapping.dmp