Analysis
  max time kernel:  100s
  max time network: 156s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220812-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        20-11-2022 06:59
Static task: static1
Behavioral task: behavioral1
  Sample:   fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Resource: win10v2004-20220812-en
General
  Target: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Size:   328KB
  MD5:    14150d55a08032256b49445c6f872200
  SHA1:   148f1da9ea454c02c8a22e6ed304b4e1e5542b36
  SHA256: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1
  SHA512: b60d0b7114caec4e0d926d42fc44fa2ef68476e3c2b5e0359113b365f8e223d613c5f98c8725d26202159c66425d28cc5cbe9664ae1637eb6f503f3eab34b24e
  SSDEEP: 6144:5yWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:5Cemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  description  | ioc                                      | process
  File created | C:\Windows\SysWOW64\drivers\7b75601f.sys | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Possible privilege escalation attempt (4 IoCs)
Processes: icacls.exe, takeown.exe, icacls.exe, takeown.exe
  pid  | process
  4928 | icacls.exe
  1240 | takeown.exe
  1272 | icacls.exe
  636  | takeown.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  description     | ioc                                                                                                            | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\7b75601f\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\7b75601f.sys" | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Modifies file permissions (1 TTP, 4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid  | process
  1240 | takeown.exe
  1272 | icacls.exe
  636  | takeown.exe
  4928 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  description | ioc                                                                                                                                     | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects                                        | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  description          | ioc                                                     | process
  Key opened           | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Key queried          | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Drops file in System32 directory (4 IoCs)
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  description                  | ioc                               | process
  File created                 | C:\Windows\SysWOW64\ws2tcpip.dll  | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll  | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  File created                 | C:\Windows\SysWOW64\wshtcpip.dll  | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  File created                 | C:\Windows\SysWOW64\midimap.dll   | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Modifies registry class (4 IoCs)
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  description     | ioc                                                                                                                              | process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID                                                                     | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe" | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL                                                                     | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "jiAef.dll"                                                   | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  pid  | process
  5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  (the same pid/process entry is repeated once per IoC; all 64 entries are identical)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  pid  | process
  668  |
  5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe, takeown.exe, takeown.exe
  description                     | pid  | process
  Token: SeDebugPrivilege         | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
  Token: SeTakeOwnershipPrivilege | 636  | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1240 | takeown.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe, cmd.exe, cmd.exe
  description                       | pid  | process                                                              | target process
  PID 5116 wrote to memory of 5036  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
  PID 5116 wrote to memory of 5036  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
  PID 5116 wrote to memory of 5036  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
  PID 5036 wrote to memory of 636   | 5036 | cmd.exe                                                              | takeown.exe
  PID 5036 wrote to memory of 636   | 5036 | cmd.exe                                                              | takeown.exe
  PID 5036 wrote to memory of 636   | 5036 | cmd.exe                                                              | takeown.exe
  PID 5036 wrote to memory of 4928  | 5036 | cmd.exe                                                              | icacls.exe
  PID 5036 wrote to memory of 4928  | 5036 | cmd.exe                                                              | icacls.exe
  PID 5036 wrote to memory of 4928  | 5036 | cmd.exe                                                              | icacls.exe
  PID 5116 wrote to memory of 4888  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
  PID 5116 wrote to memory of 4888  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
  PID 5116 wrote to memory of 4888  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
  PID 4888 wrote to memory of 1240  | 4888 | cmd.exe                                                              | takeown.exe
  PID 4888 wrote to memory of 1240  | 4888 | cmd.exe                                                              | takeown.exe
  PID 4888 wrote to memory of 1240  | 4888 | cmd.exe                                                              | takeown.exe
  PID 4888 wrote to memory of 1272  | 4888 | cmd.exe                                                              | icacls.exe
  PID 4888 wrote to memory of 1272  | 4888 | cmd.exe                                                              | icacls.exe
  PID 4888 wrote to memory of 1272  | 4888 | cmd.exe                                                              | icacls.exe
  PID 5116 wrote to memory of 1052  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
  PID 5116 wrote to memory of 1052  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
  PID 5116 wrote to memory of 1052  | 5116 | fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe | cmd.exe
Processes (process tree; the number is the depth in the tree)
  1. C:\Users\Admin\AppData\Local\Temp\fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe"
     - Drops file in Drivers directory
     - Sets service image path in registry
     - Installs/modifies Browser Helper Object
     - Maps connected drives based on registry
     - Drops file in System32 directory
     - Modifies registry class
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious behavior: LoadsDriver
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\takeown.exe
           command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
           - Possible privilege escalation attempt
           - Modifies file permissions
           - Suspicious use of AdjustPrivilegeToken
        3. C:\Windows\SysWOW64\icacls.exe
           command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
           - Possible privilege escalation attempt
           - Modifies file permissions
     2. C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        - Suspicious use of WriteProcessMemory
        3. C:\Windows\SysWOW64\takeown.exe
           command line: takeown /f C:\Windows\SysWOW64\midimap.dll
           - Possible privilege escalation attempt
           - Modifies file permissions
           - Suspicious use of AdjustPrivilegeToken
        3. C:\Windows\SysWOW64\icacls.exe
           command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
           - Possible privilege escalation attempt
           - Modifies file permissions
     2. C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    Filesize: 181B
    MD5:      f49cbdbdf24952b5791e540449ba0b48
    SHA1:     44bf35fd98c0b093e99229ff25e5560055b35bb9
    SHA256:   9b2fdfed74c7ad77671bcd3bda11715d0b81ff7701985c9998b0a3d39a87cc7a
    SHA512:   43b435082d49dafb176a8de3c0e7a8c7c41ec47b460d819d89452ab2474203cad3064a58b25696a4cc252dc5d8b25cfd4ae9d39b6793783b1a13def90ab07c8d
  memory/636-137-0x0000000000000000-mapping.dmp
  memory/1052-142-0x0000000000000000-mapping.dmp
  memory/1240-140-0x0000000000000000-mapping.dmp
  memory/1272-141-0x0000000000000000-mapping.dmp
  memory/4888-139-0x0000000000000000-mapping.dmp
  memory/4928-138-0x0000000000000000-mapping.dmp
  memory/5036-136-0x0000000000000000-mapping.dmp
  memory/5116-133-0x0000000000BF0000-0x0000000000C10000-memory.dmp  (Filesize: 128KB)
  memory/5116-135-0x0000000000BF0000-0x0000000000C10000-memory.dmp  (Filesize: 128KB)
  memory/5116-134-0x0000000001000000-0x000000000116A000-memory.dmp  (Filesize: 1.4MB)
  memory/5116-143-0x0000000001000000-0x000000000116A000-memory.dmp  (Filesize: 1.4MB)
  memory/5116-132-0x0000000001000000-0x000000000116A000-memory.dmp  (Filesize: 1.4MB)