Analysis

max time kernel: 135s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2022 04:55
Behavioral task: behavioral1
Sample: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
Resource: win7-20221111-en
General

Target: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
Size: 350KB
MD5: 481372eb5aa7bdefca915f76943f9d00
SHA1: 062719427aa3baab3869212cd05f84b69cea6e6e
SHA256: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80
SHA512: 19fcd4925f6b54813282a76db12057d8be95ec656c834333a6f2dcaadbf8168c71aa68f7cfaf5e377e89e36a82899997dfde67341c4a0fccc0b8f144609a8f77
SSDEEP: 6144:9yXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:93BdQLL4BE93NGVYZX9BukJlwxSJdEm
Malware Config
Signatures

- Drops file in Drivers directory (2 IoCs)
  Process: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
    File created: C:\Windows\SysWOW64\drivers\570086b7.sys
    File created: C:\Windows\SysWOW64\drivers\2babb331.sys

- Possible privilege escalation attempt (2 IoCs)
  Processes: takeown.exe (pid 4824), icacls.exe (pid 4800)

- Sets service image path in registry (2 TTPs, 2 IoCs)
  Process: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
    Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\570086b7\ImagePath = "\??\C:\Windows\SysWOW64\drivers\570086b7.sys"
    Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\2babb331\ImagePath = "\??\C:\Windows\SysWOW64\drivers\2babb331.sys"

- YARA rule matches (3 IoCs)
  Rule "upx" matched on the following resources:
    behavioral2/memory/588-132-0x0000000001000000-0x000000000112D000-memory.dmp
    behavioral2/memory/588-133-0x0000000001000000-0x000000000112D000-memory.dmp
    behavioral2/memory/588-138-0x0000000001000000-0x000000000112D000-memory.dmp

- Modifies file permissions (1 TTP, 2 IoCs)
  Processes: takeown.exe (pid 4824), icacls.exe (pid 4800)

- Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Process: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}
    Key deleted: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}

- Drops file in System32 directory (5 IoCs)
  Process: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
    File created: C:\Windows\SysWOW64\wshtcpip.dll
    File opened for modification: C:\Windows\SysWOW64\goodsb.dll
    File created: C:\Windows\SysWOW64\goodsb.dll
    File created: C:\Windows\SysWOW64\ws2tcpip.dll
    File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll

- Modifies registry class (4 IoCs)
  Process: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "hhy8.dll"

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe (pid 588), the same entry listed 64 times

- Suspicious behavior: LoadsDriver (5 IoCs)
  pid / process:
    652
    588 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
    652
    588 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
    588 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege, pid 588, 97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe
    Token: SeTakeOwnershipPrivilege, pid 4824, takeown.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
    PID 588 (97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe) wrote to memory of 2832 (cmd.exe), 3 entries
    PID 2832 (cmd.exe) wrote to memory of 4824 (takeown.exe), 3 entries
    PID 2832 (cmd.exe) wrote to memory of 4800 (icacls.exe), 3 entries
    PID 588 (97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe) wrote to memory of 3528 (cmd.exe), 3 entries
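Three of the signatures above are worth turning into endpoint detections: the takeown/icacls pair re-ACLing a file under SysWOW64, a process running from a user's Temp directory writing DLLs and .sys files into a system directory, and a service ImagePath pointing at a driver under SysWOW64\drivers with an 8-hex-digit service name. One caveat from the report itself: the sample is a 32-bit process (it spawns C:\Windows\SysWOW64\cmd.exe and writes under WOW6432Node), so WOW64 redirection places its "System32" drops under SysWOW64; a hunt that only looks at C:\Windows\System32\drivers or the native registry view misses every artifact listed here. The script below is an added example written for this page, not the sandbox's own logic. The event records are constructed from the command lines, file drops and registry writes listed in the report, in a simplified Sysmon-like shape, plus two benign control events; they are not captured telemetry, and the thresholds (protected directories, the hex-name check) are heuristics chosen here.

```python
"""Heuristics for three behaviours the report above records: takeown/icacls re-ACLing a
file under System32/SysWOW64, a process running from a user-writable directory dropping
files there, and a driver service whose ImagePath points outside System32\\drivers.

Example code written for this page, not the sandbox's own detection logic. The event
records are constructed from the command lines, file drops and registry writes listed in
the report, in a simplified Sysmon-like shape; they are not captured telemetry.
"""
import re

PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")   # installers should not run from here
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"         # where kernel drivers normally live

ACL_TOOLS = re.compile(r"(?:^|\\|\s)(?:takeown|icacls|cacls)(?:\.exe)?\b", re.I)
WIN_PATH = re.compile(r'[a-z]:\\(?:[^\\\s"&|]+\\)*[^\\\s"&|]+', re.I)
SERVICE_IMAGEPATH = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)
HEX8 = re.compile(r"[0-9a-f]{8}", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe"

# Constructed events (see module docstring); the last two are benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F"},
    {"type": "process", "pid": 4824, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\SysWOW64\wshtcpip.dll"},
    {"type": "process", "pid": 4800, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r"icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F"},
    {"type": "file", "pid": 588, "image": SAMPLE, "path": r"C:\Windows\SysWOW64\wshtcpip.dll"},
    {"type": "file", "pid": 588, "image": SAMPLE, "path": r"C:\Windows\SysWOW64\drivers\570086b7.sys"},
    {"type": "registry", "pid": 588, "key": r"HKLM\SYSTEM\ControlSet001\Services\570086b7\ImagePath",
     "value": r"\??\C:\Windows\SysWOW64\drivers\570086b7.sys"},
    {"type": "process", "pid": 5000, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls C:\Users\Admin\Documents\report.docx /grant Admin:F"},
    {"type": "registry", "pid": 700, "key": r"HKLM\SYSTEM\ControlSet001\Services\tcpip\ImagePath",
     "value": r"System32\drivers\tcpip.sys"},
]


def acl_tamper_targets(cmdline):
    """Protected-directory paths a takeown/icacls/cacls command line operates on."""
    if not ACL_TOOLS.search(cmdline):
        return []
    hits = [p for p in WIN_PATH.findall(cmdline) if p.lower().startswith(PROTECTED_DIRS)]
    return list(dict.fromkeys(hits))  # de-duplicate, keep order


def dropped_system_file(image, path):
    """True when a process running from a user-writable location writes under System32/SysWOW64."""
    return image.lower().startswith(USER_WRITABLE) and path.lower().startswith(PROTECTED_DIRS)


def normalize_driver_path(value):
    """Map the registry spellings of a driver path (\\??\\, \\SystemRoot\\, %SystemRoot%,
    or a bare System32-relative path) to a lowercase absolute path under C:\\Windows."""
    p = value.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = "c:\\windows\\" + p[len(prefix):]
    if not re.match(r"[a-z]:\\", p):
        p = "c:\\windows\\" + p.lstrip("\\")
    return p


def driver_imagepath_findings(key, value):
    """Reasons a Services\\<name>\\ImagePath write looks like an out-of-place driver."""
    m = SERVICE_IMAGEPATH.search(key)
    if not m or not value.lower().endswith(".sys"):
        return []
    name, path = m.group(1), normalize_driver_path(value)
    reasons = []
    if not path.startswith(DRIVER_DIR):
        reasons.append(f"driver image outside System32\\drivers: {path}")
    if HEX8.fullmatch(name):  # heuristic: 8-hex-digit names like 570086b7 / 2babb331
        reasons.append(f"service name looks machine-generated: {name}")
    return reasons


def scan(events):
    """Run all three heuristics over Sysmon-like events; returns (pid, reason) pairs."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            for target in acl_tamper_targets(ev["cmdline"]):
                findings.append((ev["pid"], f"ACL change on protected file: {target}"))
        elif ev["type"] == "file" and dropped_system_file(ev["image"], ev["path"]):
            findings.append((ev["pid"], f"file dropped into system directory: {ev['path']}"))
        elif ev["type"] == "registry":
            for reason in driver_imagepath_findings(ev["key"], ev["value"]):
                findings.append((ev["pid"], reason))
    return findings


if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Run against the constructed events, the script flags pids 588, 2832, 4824 and 4800 and stays quiet on the two controls (an administrator re-ACLing a document, and the tcpip driver's normal System32\drivers ImagePath). The normalisation step matters: ImagePath values arrive as `\??\C:\...`, `\SystemRoot\...` or bare `System32\drivers\...`, and a rule that compares raw strings will miss or mis-flag one of those forms.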
Processes

C:\Users\Admin\AppData\Local\Temp\97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe (pid 588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\97e71e8473db7d2f5f0b7f9fc797b35c9443022f4c4e7414e67fe05b6d67cb80.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (pid 2832)
      Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\takeown.exe (pid 4824)
          Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\icacls.exe (pid 4800)
          Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions

    C:\Windows\SysWOW64\cmd.exe (pid 3528)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 8337b459581d3acfbf7f3d9680fdcb4c
  SHA1: e55b0c6ff185c4a4fa796525e1a03233c32d7f8c
  SHA256: c927ac80024cf78e3fed8a3533fcbda5e31c8244f8b1462154bdf44d866e1b99
  SHA512: 6b0e3f1be778ef103426f8b612eb963b7c6a0fe9e4a74319dfe81c49e0ab72ab2d43c16440c8aa3bf5490330f8ef120413409a1ee993127f3b5f7635ea414cdc

- memory/588-132-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB

- memory/588-133-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB

- memory/588-138-0x0000000001000000-0x000000000112D000-memory.dmp
  Filesize: 1.2MB

- memory/2832-134-0x0000000000000000-mapping.dmp

- memory/3528-137-0x0000000000000000-mapping.dmp

- memory/4800-136-0x0000000000000000-mapping.dmp

- memory/4824-135-0x0000000000000000-mapping.dmp