Analysis
- max time kernel: 71s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-11-2022 03:55
Behavioral task: behavioral1
- Sample: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
- Resource: win7-20220812-en
General
- Target: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
- Size: 350KB
- MD5: 29308f083114d892b709d5f36ae18710
- SHA1: c7e974577e1254c537e0f53a725518a1f4d5f7f7
- SHA256: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32
- SHA512: 5254e53849eaec33ed260dc2d1a45f012a5e4e7bd683d4445b7502e8cb21210ef30ddf26a470a0da31f5e572cbd2636ec25869aac1603011fc7f3626b5a2545b
- SSDEEP: 6144:qyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:q3BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - File created: C:\Windows\SysWOW64\drivers\334c0ce4.sys (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - File created: C:\Windows\SysWOW64\drivers\4fe73962.sys (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe, icacls.exe
  - pid 2692: takeown.exe
  - pid 1308: icacls.exe
- Sets service image path in registry (2 TTPs, 2 IoCs)
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\334c0ce4\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\334c0ce4.sys" (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4fe73962\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\4fe73962.sys" (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
- Processes (yara rule matches):
  - behavioral2/memory/1656-132-0x0000000001000000-0x000000000112D000-memory.dmp: upx
  - behavioral2/memory/1656-133-0x0000000001000000-0x000000000112D000-memory.dmp: upx
  - behavioral2/memory/1656-138-0x0000000001000000-0x000000000112D000-memory.dmp: upx
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe, icacls.exe
  - pid 2692: takeown.exe
  - pid 1308: icacls.exe
- Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
- Drops file in System32 directory (5 IoCs)
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - File opened for modification: C:\Windows\SysWOW64\goodsb.dll (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - File created: C:\Windows\SysWOW64\goodsb.dll (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - File created: C:\Windows\SysWOW64\ws2tcpip.dll (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - File created: C:\Windows\SysWOW64\wshtcpip.dll (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
- Modifies registry class (4 IoCs)
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "4irIEsU8Jt.dll" (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe" (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL (process: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - pid 1656: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe (the same pid/process entry is recorded for each of the 64 IoCs)
- Suspicious behavior: LoadsDriver (5 IoCs)
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - pid 660
  - pid 1656: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - pid 660
  - pid 1656: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - pid 1656: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe, takeown.exe
  - Token: SeDebugPrivilege, pid 1656: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  - Token: SeTakeOwnershipPrivilege, pid 2692: takeown.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe, cmd.exe
  - PID 1656 (a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe) wrote to memory of 2408 (cmd.exe)
  - PID 1656 (a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe) wrote to memory of 2408 (cmd.exe)
  - PID 1656 (a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe) wrote to memory of 2408 (cmd.exe)
  - PID 2408 (cmd.exe) wrote to memory of 2692 (takeown.exe)
  - PID 2408 (cmd.exe) wrote to memory of 2692 (takeown.exe)
  - PID 2408 (cmd.exe) wrote to memory of 2692 (takeown.exe)
  - PID 2408 (cmd.exe) wrote to memory of 1308 (icacls.exe)
  - PID 2408 (cmd.exe) wrote to memory of 1308 (icacls.exe)
  - PID 2408 (cmd.exe) wrote to memory of 1308 (icacls.exe)
  - PID 1656 (a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe) wrote to memory of 4908 (cmd.exe)
  - PID 1656 (a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe) wrote to memory of 4908 (cmd.exe)
  - PID 1656 (a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe) wrote to memory of 4908 (cmd.exe)
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe"
  Signatures:
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      Signatures:
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  - Filesize: 181B
  - MD5: 367986a80ac53057c7ad4686d5f5b2be
  - SHA1: edccc25f9cc9ec722b9c664693b2d06610b3a63d
  - SHA256: f5f7531268faad3fc85aff523f04a8605041a21227030c660f3203109652b4d5
  - SHA512: a77391591e8cfcfb0f09db51daa280d2e06a980678b512b25ac3baf9bbc5bfb23ae8e32bd21098d9d19157cf218092f97056510ba22b059e0555df404cae124a
- memory/1308-136-0x0000000000000000-mapping.dmp
- memory/1656-132-0x0000000001000000-0x000000000112D000-memory.dmp
  - Filesize: 1.2MB
- memory/1656-133-0x0000000001000000-0x000000000112D000-memory.dmp
  - Filesize: 1.2MB
- memory/1656-138-0x0000000001000000-0x000000000112D000-memory.dmp
  - Filesize: 1.2MB
- memory/2408-134-0x0000000000000000-mapping.dmp
- memory/2692-135-0x0000000000000000-mapping.dmp
- memory/4908-137-0x0000000000000000-mapping.dmp