Analysis
max time kernel: 162s
max time network: 185s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2022 21:54
Static task: static1
Behavioral task: behavioral1
  Sample: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Resource: win10v2004-20220812-en
The signatures, process tree and dumps below come from the win10v2004-20220812-en run (behavioral2); the Windows 7 run is not shown on this page.
General
Target: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
Size: 328KB
MD5: 0f5d53a596d47d1acb15530c7127bb50
SHA1: 918d1a4fb6eabfd9eacb47e570f18dc78c67046d
SHA256: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266
SHA512: bcbca19c7fb2da393d1429b6c1cfec309cbf8a78d09ea3f13eb009ef6aa71c03fb8d9b1a940e504b0b762459b0ffbe1d9d3d9792eff049eb8771f20b884f753b
SSDEEP: 6144:NyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:NCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\SysWOW64\drivers\62872591.sys  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
Possible privilege escalation attempt (4 IoCs)
  pid 2808  takeown.exe
  pid 4124  icacls.exe
  pid 2372  takeown.exe
  pid 3680  icacls.exe
  Note: takeown and icacls already require administrative rights. Here they take ownership of, and grant Administrators full control over, two DLLs in SysWOW64 that are normally owned by TrustedInstaller, so that the sample can overwrite them (see the process tree and the System32 file drops below). That is persistence and defence evasion rather than an escalation of privilege.
Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\62872591\ImagePath = "\??\C:\Windows\SysWOW64\drivers\62872591.sys"  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  The service name and the ImagePath match the .sys dropped under the Drivers directory above: the sample registers its own dropped file as a driver service.
Modifies file permissions (1 TTP, 4 IoCs)
  pid 2808  takeown.exe
  pid 4124  icacls.exe
  pid 2372  takeown.exe
  pid 3680  icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  Despite the signature name, all three IoCs are deletions: the sample removes two registered BHO CLSIDs and then the parent key itself, and no BHO is added.
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  Key value enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
Drops file in System32 directory (4 IoCs)
  File created: C:\Windows\SysWOW64\ws2tcpip.dll  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  File created: C:\Windows\SysWOW64\wshtcpip.dll  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  File created: C:\Windows\SysWOW64\midimap.dll  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  The SysWOW64 paths and the WOW6432Node registry views elsewhere in this report indicate a 32-bit process running under WOW64, so its System32 writes were redirected to SysWOW64. wshtcpip.dll and midimap.dll are exactly the two files that the takeown/icacls chains in the process tree make writable first, which is consistent with the sample replacing existing system DLLs rather than only adding new ones.
Modifies registry class (4 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe"  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "3GfHf2Y.dll"  (process: ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4876  ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe  (64 identical entries: the sample enumerates running processes repeatedly)
Suspicious behavior: LoadsDriver (2 IoCs)
  pid 648   (process name not recorded in the report)
  pid 4876  ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege          pid 4876  ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe
  Token: SeTakeOwnershipPrivilege  pid 2808  takeown.exe
  Token: SeTakeOwnershipPrivilege  pid 2372  takeown.exe
Suspicious use of WriteProcessMemory (21 IoCs)
  Each parent/child pair below is recorded three times in the report; the pairs are listed once with their count.
  PID 4876 ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe  wrote to memory of  PID 1512 cmd.exe      (x3)
  PID 1512 cmd.exe  wrote to memory of  PID 2808 takeown.exe  (x3)
  PID 1512 cmd.exe  wrote to memory of  PID 4124 icacls.exe   (x3)
  PID 4876 ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe  wrote to memory of  PID 320 cmd.exe       (x3)
  PID 320 cmd.exe   wrote to memory of  PID 2372 takeown.exe  (x3)
  PID 320 cmd.exe   wrote to memory of  PID 3680 icacls.exe   (x3)
  PID 4876 ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe  wrote to memory of  PID 3996 cmd.exe      (x3)
  The pairs correspond one-to-one with the parent/child edges of the process tree below; no write into an unrelated, pre-existing process is recorded.
Processes
(Indentation shows the parent/child level given in the report. PIDs are taken from the WriteProcessMemory entries above, which match the order of the tree and of the memory-dump numbering in Downloads.)

1. C:\Users\Admin\AppData\Local\Temp\ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe  (pid 4876)
   "C:\Users\Admin\AppData\Local\Temp\ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe"
   - Drops file in Drivers directory
   - Sets service image path in registry
   - Installs/modifies Browser Helper Object
   - Maps connected drives based on registry
   - Drops file in System32 directory
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: LoadsDriver
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe  (pid 1512)
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\takeown.exe  (pid 2808)
         takeown /f C:\Windows\SysWOW64\wshtcpip.dll
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\icacls.exe  (pid 4124)
         icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions

   2. C:\Windows\SysWOW64\cmd.exe  (pid 320)
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\takeown.exe  (pid 2372)
         takeown /f C:\Windows\SysWOW64\midimap.dll
         - Possible privilege escalation attempt
         - Modifies file permissions
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\icacls.exe  (pid 3680)
         icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
         - Possible privilege escalation attempt
         - Modifies file permissions

   2. C:\Windows\SysWOW64\cmd.exe  (pid 3996)
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      (The contents of ahnmove.bat are not included in this report; only its hashes are listed under Downloads.)
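The two behaviours in this tree that are worth turning into detection logic are the takeown/icacls chain that makes a system DLL writable before the sample overwrites it, and the driver dropped into the Drivers directory and then registered as a service ImagePath. The Python below is an added example and is not part of the sandbox report or of the sample. It runs over a small set of events constructed from the process tree and IoCs on this page; the record layout (type/pid/ppid/image/cmdline/path/key/value) is an assumed schema rather than any real EDR format, and the root process's parent pid (0) is assumed because the report does not record it.

```python
import re

# Constructed telemetry copied from the report's process tree and IoCs.
# Field names are an assumed schema, not a real EDR format; ppid 0 for the
# root process is an assumption (the report does not give its parent).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ba070a80f577b1838a89ea31d3bafa56c3eabcd6e867ad339bcec26e40a90266.exe"
WOW = r"C:\Windows\SysWOW64"
EVENTS = [
    {"type": "process", "pid": 4876, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 1512, "ppid": 4876, "image": WOW + r"\cmd.exe",
     "cmdline": f"cmd.exe /c takeown /f {WOW}\\wshtcpip.dll && icacls {WOW}\\wshtcpip.dll /grant administrators:F"},
    {"type": "process", "pid": 2808, "ppid": 1512, "image": WOW + r"\takeown.exe",
     "cmdline": f"takeown /f {WOW}\\wshtcpip.dll"},
    {"type": "process", "pid": 4124, "ppid": 1512, "image": WOW + r"\icacls.exe",
     "cmdline": f"icacls {WOW}\\wshtcpip.dll /grant administrators:F"},
    {"type": "process", "pid": 320, "ppid": 4876, "image": WOW + r"\cmd.exe",
     "cmdline": f"cmd.exe /c takeown /f {WOW}\\midimap.dll && icacls {WOW}\\midimap.dll /grant administrators:F"},
    {"type": "process", "pid": 2372, "ppid": 320, "image": WOW + r"\takeown.exe",
     "cmdline": f"takeown /f {WOW}\\midimap.dll"},
    {"type": "process", "pid": 3680, "ppid": 320, "image": WOW + r"\icacls.exe",
     "cmdline": f"icacls {WOW}\\midimap.dll /grant administrators:F"},
    {"type": "process", "pid": 3996, "ppid": 4876, "image": WOW + r"\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat"},
    {"type": "file_create", "pid": 4876, "path": WOW + r"\ws2tcpip.dll"},
    {"type": "file_create", "pid": 4876, "path": WOW + r"\wshtcpip.dll"},
    {"type": "file_create", "pid": 4876, "path": WOW + r"\midimap.dll"},
    {"type": "file_create", "pid": 4876, "path": WOW + r"\drivers\62872591.sys"},
    {"type": "reg_set", "pid": 4876,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\62872591\ImagePath",
     "value": "\\??\\" + WOW + r"\drivers\62872591.sys"},
]

SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)
TAKEOWN_ARG = re.compile(r'/f\s+"?([^"]+?)"?\s*$', re.I)           # takeown /f <path>
ICACLS_ARG = re.compile(r'^icacls\s+"?([^"]+?)"?\s+/grant\b', re.I)  # icacls <path> /grant ...
SERVICE_KEY = re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Services\\([^\\]+)\\ImagePath$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(pid, parent_of):
    """[pid, parent, grandparent, ...], stopping at the first pid without a record."""
    chain = []
    while pid in parent_of:
        chain.append(pid)
        pid = parent_of[pid]
    return chain


def detect_system_dll_takeover(events):
    """takeown and icacls on the same System32/SysWOW64 file, followed by a
    write to that file from the takeown process's own tree (the overwrite)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    parent_of = {pid: p["ppid"] for pid, p in procs.items()}
    takeown, icacls = {}, {}
    for p in procs.values():
        name = basename(p["image"])
        rx = TAKEOWN_ARG if name == "takeown.exe" else ICACLS_ARG if name == "icacls.exe" else None
        m = rx.search(p["cmdline"]) if rx else None
        if m:
            (takeown if name == "takeown.exe" else icacls)[m.group(1).lower()] = p["pid"]
    findings = []
    for path, pid in takeown.items():
        if not SYSTEM_DIR.match(path) or path not in icacls:
            continue
        chain = lineage(pid, parent_of)
        writers = sorted({e["pid"] for e in events if e["type"] == "file_create"
                          and e["path"].lower() == path and e["pid"] in set(chain)})
        # Attribute the chain to the first ancestor that is not the cmd.exe wrapper.
        root = next((q for q in chain[1:] if basename(procs[q]["image"]) != "cmd.exe"), chain[-1])
        findings.append({"rule": "system_dll_takeover", "path": path, "root_pid": root,
                         "root_image": procs[root]["image"], "overwritten_by": writers})
    return sorted(findings, key=lambda f: f["path"])


def detect_dropped_driver_service(events):
    """A .sys created by a process and then named as a service ImagePath."""
    dropped = {e["path"].lower(): e["pid"] for e in events
               if e["type"] == "file_create" and e["path"].lower().endswith(".sys")}
    findings = []
    for e in events:
        m = SERVICE_KEY.match(e["key"]) if e["type"] == "reg_set" else None
        if not m:
            continue
        image = e["value"].lower()
        if image.startswith("\\??\\"):      # strip the NT object-manager prefix
            image = image[4:]
        if image in dropped:
            findings.append({"rule": "dropped_driver_registered", "service": m.group(1),
                             "driver": image, "dropped_by": dropped[image], "registered_by": e["pid"]})
    return findings


if __name__ == "__main__":
    for finding in detect_system_dll_takeover(EVENTS) + detect_dropped_driver_service(EVENTS):
        print(finding)
```

On the report's events this yields two system_dll_takeover findings (midimap.dll and wshtcpip.dll, both rooted at pid 4876 and overwritten by it) and one dropped_driver_registered finding for service 62872591. The ws2tcpip.dll write produces no finding because nothing took ownership of it first; a broader rule for any System32/SysWOW64 write by a process outside the Windows directory would catch it, at the cost of more installer noise.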
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 3a2f6524cb2249899d378bcb4f355c69
  SHA1: 69982e99cbb0f352bcc005fe76577bdb434a44d7
  SHA256: 04aa84e6cd92f57695e1d4223affbc4199e7544b8f2d96535aa2320c00633936
  SHA512: 97d0cf9d1611b85988e1b43774d1829c92c3741b41b20c33acd444f3b4c507fbbb88f942cc159fc7bc4024849c906785b684a4787ace51e88f63d2ccec071546
memory/320-139-0x0000000000000000-mapping.dmp
memory/1512-136-0x0000000000000000-mapping.dmp
memory/2372-140-0x0000000000000000-mapping.dmp
memory/2808-137-0x0000000000000000-mapping.dmp
memory/3680-141-0x0000000000000000-mapping.dmp
memory/3996-142-0x0000000000000000-mapping.dmp
memory/4124-138-0x0000000000000000-mapping.dmp
memory/4876-132-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
memory/4876-135-0x0000000000690000-0x00000000006B0000-memory.dmp
  Filesize: 128KB
memory/4876-134-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
memory/4876-143-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
memory/4876-133-0x0000000000690000-0x00000000006B0000-memory.dmp
  Filesize: 128KB