Analysis
- max time kernel: 59s
- max time network: 53s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 08-11-2022 22:31
Static task: static1
Behavioral task: behavioral1
- Sample: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
- Resource: win10v2004-20220812-en
General
- Target: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
- Size: 328KB
- MD5: 0eb90069e54a8f94341e76c936e4f8b0
- SHA1: cfbe66e1e5cc6ef184d21584665c2b11dda14548
- SHA256: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a
- SHA512: e5f80c6ba7992e8cc6153d97cacf8aa6fb1ae83c8a4e176d325ac4076183e150659236d01cecedc887fbd9907ee72c728d825dcf28105919cfb4e8eb8cef4268
- SSDEEP: 6144:KyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:KCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\35c2fb04.sys | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
-
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
624 | takeown.exe
1340 | icacls.exe
1680 | takeown.exe
1360 | icacls.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\35c2fb04\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\35c2fb04.sys" | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
976 | cmd.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
624 | takeown.exe
1340 | icacls.exe
1680 | takeown.exe
1360 | icacls.exe
-
Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
-
Drops file in System32 directory 4 IoCs
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
description | ioc | process
File created | C:\Windows\SysWOW64\ws2tcpip.dll | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
File created | C:\Windows\SysWOW64\wshtcpip.dll | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
File created | C:\Windows\SysWOW64\midimap.dll | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
-
Modifies registry class 4 IoCs
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe" | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "uHAy.dll" | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
pid | process
1364 | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe (64 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
pid | process
464 |
1364 | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe, takeown.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 1364 | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
Token: SeTakeOwnershipPrivilege | 624 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1680 | takeown.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 1364 wrote to memory of 1468 | 1364 | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe | cmd.exe (4 identical entries)
PID 1468 wrote to memory of 624 | 1468 | cmd.exe | takeown.exe (4 identical entries)
PID 1468 wrote to memory of 1340 | 1468 | cmd.exe | icacls.exe (4 identical entries)
PID 1364 wrote to memory of 2044 | 1364 | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe | cmd.exe (4 identical entries)
PID 2044 wrote to memory of 1680 | 2044 | cmd.exe | takeown.exe (4 identical entries)
PID 2044 wrote to memory of 1360 | 2044 | cmd.exe | icacls.exe (4 identical entries)
PID 1364 wrote to memory of 976 | 1364 | 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe | cmd.exe (4 identical entries)
Processes
- 9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe (depth 1)
  Path: C:\Users\Admin\AppData\Local\Temp\9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c2e91901d35fe454c53c0e775b9da3d743aa498ee9efb31b850e7e027f2649a.exe"
  Signatures:
    Drops file in Drivers directory
    Sets service image path in registry
    Installs/modifies Browser Helper Object
    Maps connected drives based on registry
    Drops file in System32 directory
    Modifies registry class
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: LoadsDriver
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  - cmd.exe (depth 2)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    Signatures:
      Suspicious use of WriteProcessMemory
    - takeown.exe (depth 3)
      Path: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      Signatures:
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
    - icacls.exe (depth 3)
      Path: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      Signatures:
        Possible privilege escalation attempt
        Modifies file permissions
  - cmd.exe (depth 2)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    Signatures:
      Suspicious use of WriteProcessMemory
    - takeown.exe (depth 3)
      Path: C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      Signatures:
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
    - icacls.exe (depth 3)
      Path: C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      Signatures:
        Possible privilege escalation attempt
        Modifies file permissions
  - cmd.exe (depth 2)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    Signatures:
      Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: e64c2aa92d6989de94bfde993630be84
  SHA1: 80fc0a31e9bd9480e1bca717ce15613e48316e63
  SHA256: fbf623066ab4e2c5538627e68bb95de1ec4a7e2586119c9c76558b4c1c54d447
  SHA512: aa15c9fa0289921186b76e32e39734289d3d79898c209103cddb8d4f35444978a971d7d81dac050df3f1b2d737486b4b0110af06bf767d11098e0fd9944944d3
- memory/624-60-0x0000000000000000-mapping.dmp
- memory/976-65-0x0000000000000000-mapping.dmp
- memory/1340-61-0x0000000000000000-mapping.dmp
- memory/1360-64-0x0000000000000000-mapping.dmp
- memory/1364-57-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
- memory/1364-58-0x0000000000220000-0x0000000000240000-memory.dmp
  Filesize: 128KB
- memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp
  Filesize: 8KB
- memory/1364-56-0x0000000000220000-0x0000000000240000-memory.dmp
  Filesize: 128KB
- memory/1364-66-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
- memory/1364-55-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
- memory/1468-59-0x0000000000000000-mapping.dmp
- memory/1680-63-0x0000000000000000-mapping.dmp
- memory/2044-62-0x0000000000000000-mapping.dmp