Analysis
- max time kernel: 98s
- max time network: 76s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-11-2022 20:41
Static task: static1
Behavioral task: behavioral1
- Sample: fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe
- Resource: win10v2004-20220901-en
General
- Target: fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe
- Size: 328KB
- MD5: 0ae1adb1839be974a4c9fe18e1688290
- SHA1: d16776d64a11291d0c3b7fdd201c8cdc5252227f
- SHA256: fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586
- SHA512: 1d24a68b367c3e72071a1052d9c436571d4e8b1f768657720bef90cc40dc70c3d57b676e09fbf91e74631f014839046e7b64031109c92c074043913f87faad2d
- SSDEEP: 6144:LyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:LCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
Drops file in Drivers directory 1 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| File created | C:\Windows\SysWOW64\drivers\3be46236.sys | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |

Possible privilege escalation attempt 4 IoCs
Processes:
| pid | process |
|---|---|
| 368 | takeown.exe |
| 364 | icacls.exe |
| 852 | takeown.exe |
| 840 | icacls.exe |

Sets service image path in registry 2 TTPs 1 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\3be46236\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\3be46236.sys" | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |

Deletes itself 1 IoCs
Processes:
| pid | process |
|---|---|
| 1916 | cmd.exe |

Modifies file permissions 1 TTPs 4 IoCs
Processes:
| pid | process |
|---|---|
| 368 | takeown.exe |
| 364 | icacls.exe |
| 852 | takeown.exe |
| 840 | icacls.exe |

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
| description | ioc | process |
|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |

Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |

Drops file in System32 directory 4 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| File created | C:\Windows\SysWOW64\ws2tcpip.dll | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| File created | C:\Windows\SysWOW64\wshtcpip.dll | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| File created | C:\Windows\SysWOW64\midimap.dll | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |

Modifies registry class 4 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe" | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "fuefgHthr.dll" | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
| pid | process |
|---|---|
| 464 | |
| 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe |
| Token: SeTakeOwnershipPrivilege | 368 | takeown.exe |
| Token: SeTakeOwnershipPrivilege | 852 | takeown.exe |

Suspicious use of WriteProcessMemory 28 IoCs
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 1044 wrote to memory of 536 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 536 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 536 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 536 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 536 wrote to memory of 368 | 536 | cmd.exe | takeown.exe |
| PID 536 wrote to memory of 368 | 536 | cmd.exe | takeown.exe |
| PID 536 wrote to memory of 368 | 536 | cmd.exe | takeown.exe |
| PID 536 wrote to memory of 368 | 536 | cmd.exe | takeown.exe |
| PID 536 wrote to memory of 364 | 536 | cmd.exe | icacls.exe |
| PID 536 wrote to memory of 364 | 536 | cmd.exe | icacls.exe |
| PID 536 wrote to memory of 364 | 536 | cmd.exe | icacls.exe |
| PID 536 wrote to memory of 364 | 536 | cmd.exe | icacls.exe |
| PID 1044 wrote to memory of 808 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 808 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 808 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 808 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 808 wrote to memory of 852 | 808 | cmd.exe | takeown.exe |
| PID 808 wrote to memory of 852 | 808 | cmd.exe | takeown.exe |
| PID 808 wrote to memory of 852 | 808 | cmd.exe | takeown.exe |
| PID 808 wrote to memory of 852 | 808 | cmd.exe | takeown.exe |
| PID 808 wrote to memory of 840 | 808 | cmd.exe | icacls.exe |
| PID 808 wrote to memory of 840 | 808 | cmd.exe | icacls.exe |
| PID 808 wrote to memory of 840 | 808 | cmd.exe | icacls.exe |
| PID 808 wrote to memory of 840 | 808 | cmd.exe | icacls.exe |
| PID 1044 wrote to memory of 1916 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 1916 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 1916 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
| PID 1044 wrote to memory of 1916 | 1044 | fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe | cmd.exe |
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fea558e9db7fbf607c47a5c9d705b4b50143aa1dc08415d2049e1afbc6778586.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  - Filesize: 181B
  - MD5: 1188194ae58b29fe76b0a185828e110e
  - SHA1: 7f77af291ad9066f455a3de364eaef47359a55d9
  - SHA256: bd1f18aa2bda2624b76cf4b96477456740b3994f313c3a9282ab3da5bb3c8b61
  - SHA512: f1baeed2f03d6127f58be43ec5b3b1c75f34b69ed689759c575206ac8fb0aac03de263930f03ebf4e1885aaa7dfa9056e5f72882481d5e3bf674be04b209bc4d
- memory/364-60-0x0000000000000000-mapping.dmp
- memory/368-59-0x0000000000000000-mapping.dmp
- memory/536-58-0x0000000000000000-mapping.dmp
- memory/808-61-0x0000000000000000-mapping.dmp
- memory/840-63-0x0000000000000000-mapping.dmp
- memory/852-62-0x0000000000000000-mapping.dmp
- memory/1044-57-0x0000000001000000-0x000000000116A000-memory.dmp
  - Filesize: 1.4MB
- memory/1044-56-0x0000000000220000-0x0000000000240000-memory.dmp
  - Filesize: 128KB
- memory/1044-54-0x0000000075501000-0x0000000075503000-memory.dmp
  - Filesize: 8KB
- memory/1044-65-0x0000000001000000-0x000000000116A000-memory.dmp
  - Filesize: 1.4MB
- memory/1044-55-0x0000000001000000-0x000000000116A000-memory.dmp
  - Filesize: 1.4MB
- memory/1916-64-0x0000000000000000-mapping.dmp