Analysis
max time kernel: 124s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2022 08:07
Static task: static1
Behavioral task: behavioral1
Sample: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Resource: win10v2004-20220901-en
General
Target: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Size: 328KB
MD5: 07e6b8a7d2cb05fa896ed147d705a6a0
SHA1: 20b7808356e703890a75ce6de876d6012ce99e06
SHA256: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce
SHA512: 4ca8c159e2d78c739bf22ead3664da8a1dcac41c540d4362a113a6a3ab225980402486a97d9f8d40f061f9a8ff796d93828425ddb34dbafdd983df15d3f7ae96
SSDEEP: 6144:MyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:MCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
Drops file in Drivers directory (1 IoCs)
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\04760179.sys | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe

Possible privilege escalation attempt (4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
1120 | takeown.exe
1152 | icacls.exe
4504 | takeown.exe
4860 | icacls.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\04760179\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\04760179.sys" | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe

Modifies file permissions (1 TTPs, 4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
4504 | takeown.exe
4860 | icacls.exe
1120 | takeown.exe
1152 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe

Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe

Drops file in System32 directory (4 IoCs)
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
File created | C:\Windows\SysWOW64\ws2tcpip.dll | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
File created | C:\Windows\SysWOW64\wshtcpip.dll | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
File created | C:\Windows\SysWOW64\midimap.dll | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe

Modifies registry class (4 IoCs)
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe" | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "FfsyD3eyq.dll" | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
pid | process
2348 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe (the same row is reported for every one of the 64 IoCs)

Suspicious behavior: LoadsDriver (2 IoCs)
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
pid | process
672 |
2348 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe, takeown.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 2348 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
Token: SeTakeOwnershipPrivilege | 1120 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4504 | takeown.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2348 wrote to memory of 2124 | 2348 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe | cmd.exe (3 identical rows)
PID 2124 wrote to memory of 1120 | 2124 | cmd.exe | takeown.exe (3 identical rows)
PID 2124 wrote to memory of 1152 | 2124 | cmd.exe | icacls.exe (3 identical rows)
PID 2348 wrote to memory of 3724 | 2348 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe | cmd.exe (3 identical rows)
PID 3724 wrote to memory of 4504 | 3724 | cmd.exe | takeown.exe (3 identical rows)
PID 3724 wrote to memory of 4860 | 3724 | cmd.exe | icacls.exe (3 identical rows)
PID 2348 wrote to memory of 4476 | 2348 | 91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe | cmd.exe (3 identical rows)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\91fd407437478499b61f53ab7ace4fc0a3c2ed6bd5ed2cc3cbcfb89c1b02fcce.exe"
    PID: 2348
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Installs/modifies Browser Helper Object
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        PID: 2124
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
            PID: 1120
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\icacls.exe
            Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
            PID: 1152
            - Possible privilege escalation attempt
            - Modifies file permissions

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        PID: 3724
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
            PID: 4504
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\icacls.exe
            Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
            PID: 4860
            - Possible privilege escalation attempt
            - Modifies file permissions

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
        PID: 4476
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: d05a1fdde4d7cda5b32eede1b364e1b9
  SHA1: cd298941c1a99c2ec201f64251177a13f01d3908
  SHA256: f6e56a62b5830145dfd6f758c1674b7c9842f7c1e6e56e0e5a8ddde54391e6c7
  SHA512: 958c64e8026cb1c435d48db7ba8b41082bd1271c75b48f4ccc7b55574a8025ee0dc238cbafc7119469df6d7da5a90ec93ea8e37edf40189a6c98cfed6fce7b90

memory/1120-137-0x0000000000000000-mapping.dmp
memory/1152-138-0x0000000000000000-mapping.dmp
memory/2124-136-0x0000000000000000-mapping.dmp
memory/2348-135-0x0000000000D20000-0x0000000000D40000-memory.dmp (Filesize: 128KB)
memory/2348-132-0x0000000001000000-0x000000000116A000-memory.dmp (Filesize: 1.4MB)
memory/2348-134-0x0000000001000000-0x000000000116A000-memory.dmp (Filesize: 1.4MB)
memory/2348-143-0x0000000001000000-0x000000000116A000-memory.dmp (Filesize: 1.4MB)
memory/2348-133-0x0000000000D20000-0x0000000000D40000-memory.dmp (Filesize: 128KB)
memory/3724-139-0x0000000000000000-mapping.dmp
memory/4476-142-0x0000000000000000-mapping.dmp
memory/4504-140-0x0000000000000000-mapping.dmp
memory/4860-141-0x0000000000000000-mapping.dmp