Analysis
-
max time kernel: 104s
max time network: 74s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-11-2022 21:54
Static task: static1
Behavioral task: behavioral1
  Sample: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Resource: win10v2004-20220812-en
General
-
Target: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
Size: 328KB
MD5: 0f5d53a596d47d1acb15530c7127bb50
SHA1: 918d1a4fb6eabfd9eacb47e570f18dc78c67046d
SHA256: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266
SHA512: bcbca19c7fb2da393d1429b6c1cfec309cbf8a78d09ea3f13eb009ef6aa71c03fb8d9b1a940e504b0b762459b0ffbe1d9d3d9792eff049eb8771f20b884f753b
SSDEEP: 6144:NyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:NCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\5b270cd3.sys | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
-
Possible privilege escalation attempt (4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid | process
  1100 | takeown.exe
  960 | icacls.exe
  708 | takeown.exe
  1656 | icacls.exe
-
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\5b270cd3\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\5b270cd3.sys" | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
-
Deletes itself (1 IoC)
Processes: cmd.exe
  pid | process
  432 | cmd.exe
-
Modifies file permissions (1 TTP, 4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid | process
  708 | takeown.exe
  1656 | icacls.exe
  1100 | takeown.exe
  960 | icacls.exe
-
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
-
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
-
Drops file in System32 directory (4 IoCs)
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\ws2tcpip.dll | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  File created | C:\Windows\SysWOW64\wshtcpip.dll | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  File created | C:\Windows\SysWOW64\midimap.dll | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
-
Modifies registry class (4 IoCs)
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe" | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "2idfoG.dll" | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  pid | process
  968 | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe (this identical row is repeated 64 times in the report; duplicates collapsed here)
-
Suspicious behavior: LoadsDriver (2 IoCs)
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  pid | process
  464 |
  968 | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe, takeown.exe, takeown.exe
  description | pid | process
  Token: SeDebugPrivilege | 968 | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Token: SeTakeOwnershipPrivilege | 1100 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 708 | takeown.exe
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 968 wrote to memory of 964 | 968 | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe | cmd.exe (4 identical entries)
  PID 964 wrote to memory of 1100 | 964 | cmd.exe | takeown.exe (4 identical entries)
  PID 964 wrote to memory of 960 | 964 | cmd.exe | icacls.exe (4 identical entries)
  PID 968 wrote to memory of 888 | 968 | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe | cmd.exe (4 identical entries)
  PID 888 wrote to memory of 708 | 888 | cmd.exe | takeown.exe (4 identical entries)
  PID 888 wrote to memory of 1656 | 888 | cmd.exe | icacls.exe (4 identical entries)
  PID 968 wrote to memory of 432 | 968 | ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe | cmd.exe (4 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (depth 3)
      command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe (depth 3)
      command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe (depth 3)
      command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe (depth 3)
      command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 3a2f6524cb2249899d378bcb4f355c69
  SHA1: 69982e99cbb0f352bcc005fe76577bdb434a44d7
  SHA256: 04aa84e6cd92f57695e1d4223affbc4199e7544b8f2d96535aa2320c00633936
  SHA512: 97d0cf9d1611b85988e1b43774d1829c92c3741b41b20c33acd444f3b4c507fbbb88f942cc159fc7bc4024849c906785b684a4787ace51e88f63d2ccec071546
-
memory/432-64-0x0000000000000000-mapping.dmp
-
memory/708-62-0x0000000000000000-mapping.dmp
-
memory/888-61-0x0000000000000000-mapping.dmp
-
memory/960-60-0x0000000000000000-mapping.dmp
-
memory/964-58-0x0000000000000000-mapping.dmp
-
memory/968-57-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
-
memory/968-54-0x0000000075501000-0x0000000075503000-memory.dmp
  Filesize: 8KB
-
memory/968-56-0x0000000000220000-0x0000000000240000-memory.dmp
  Filesize: 128KB
-
memory/968-65-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
-
memory/968-55-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
-
memory/1100-59-0x0000000000000000-mapping.dmp
-
memory/1656-63-0x0000000000000000-mapping.dmp