Analysis
max time kernel: 64s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2022 06:59
Static task: static1
Behavioral task: behavioral1
  Sample: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Resource: win10v2004-20220812-en
General
Target: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Size: 328KB
MD5: 14150d55a08032256b49445c6f872200
SHA1: 148f1da9ea454c02c8a22e6ed304b4e1e5542b36
SHA256: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1
SHA512: b60d0b7114caec4e0d926d42fc44fa2ef68476e3c2b5e0359113b365f8e223d613c5f98c8725d26202159c66425d28cc5cbe9664ae1637eb6f503f3eab34b24e
SSDEEP: 6144:5yWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:5Cemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
Processes (description, ioc, process):
  File created: C:\Windows\SysWOW64\drivers\3d7e536c.sys (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
Possible privilege escalation attempt (4 IoCs)
Processes (pid, process):
  1888 takeown.exe
  560 icacls.exe
  1616 takeown.exe
  1704 icacls.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes (description, ioc, process):
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\3d7e536c\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\3d7e536c.sys" (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
Deletes itself (1 IoC)
Processes (pid, process):
  1348 cmd.exe
Modifies file permissions (1 TTP, 4 IoCs)
Processes (pid, process):
  1888 takeown.exe
  560 icacls.exe
  1616 takeown.exe
  1704 icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes (description, ioc, process):
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  Key value enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
Drops file in System32 directory (4 IoCs)
Processes (description, ioc, process):
  File created: C:\Windows\SysWOW64\ws2tcpip.dll (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  File created: C:\Windows\SysWOW64\wshtcpip.dll (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  File created: C:\Windows\SysWOW64\midimap.dll (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
Modifies registry class (4 IoCs)
Processes (description, ioc, process):
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe" (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "87wJwHdJu.dll" (fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
  864 fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe (the same pid/process pair is listed for all 64 IoCs)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes (pid, process):
  460
  864 fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, 864 fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Token: SeTakeOwnershipPrivilege, 1888 takeown.exe
  Token: SeTakeOwnershipPrivilege, 1616 takeown.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (description, pid, process, target process; each row appears four times in the report):
  PID 864 wrote to memory of 1212: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe -> cmd.exe (4 entries)
  PID 1212 wrote to memory of 1888: cmd.exe -> takeown.exe (4 entries)
  PID 1212 wrote to memory of 560: cmd.exe -> icacls.exe (4 entries)
  PID 864 wrote to memory of 1072: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe -> cmd.exe (4 entries)
  PID 1072 wrote to memory of 1616: cmd.exe -> takeown.exe (4 entries)
  PID 1072 wrote to memory of 1704: cmd.exe -> icacls.exe (4 entries)
  PID 864 wrote to memory of 1348: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe -> cmd.exe (4 entries)
Processes (tree depth shown in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe"
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Installs/modifies Browser Helper Object
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        - Possible privilege escalation attempt
        - Modifies file permissions
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: f49cbdbdf24952b5791e540449ba0b48
  SHA1: 44bf35fd98c0b093e99229ff25e5560055b35bb9
  SHA256: 9b2fdfed74c7ad77671bcd3bda11715d0b81ff7701985c9998b0a3d39a87cc7a
  SHA512: 43b435082d49dafb176a8de3c0e7a8c7c41ec47b460d819d89452ab2474203cad3064a58b25696a4cc252dc5d8b25cfd4ae9d39b6793783b1a13def90ab07c8d
memory/560-59-0x0000000000000000-mapping.dmp
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp
  Filesize: 8KB
memory/864-55-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
memory/864-56-0x0000000000220000-0x0000000000240000-memory.dmp
  Filesize: 128KB
memory/864-64-0x0000000001000000-0x000000000116A000-memory.dmp
  Filesize: 1.4MB
memory/1072-60-0x0000000000000000-mapping.dmp
memory/1212-57-0x0000000000000000-mapping.dmp
memory/1348-63-0x0000000000000000-mapping.dmp
memory/1616-61-0x0000000000000000-mapping.dmp
memory/1704-62-0x0000000000000000-mapping.dmp
memory/1888-58-0x0000000000000000-mapping.dmp