Analysis
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2022 08:36

Static task: static1

Behavioral task: behavioral1
  Sample: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Resource: win10v2004-20220812-en
General
Target: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
Size: 686KB
MD5: 3a727e40ad724fb8dd9cfbc82b0f4d90
SHA1: 802544ecc7add1e5248dbbce59e21b5f248a9fcc
SHA256: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac
SHA512: 402c421727810717d94ffa2acdb8e57171284c1e8413f0363d49bd988b4575d3b8ee5472b0673c747defcfc51323c6d8492d18ed216d3212eee71fae996167e4
SSDEEP: 12288:KwWXgoYk/6Ih6EPvj18RNwpkVo4LfQSYBus9cbxOvBY7ms7vKpnMj5pxHqZGxX:tWw1OkEPb18wYo4LfQBn9iUvm7ms4Kxr
Malware Config
Signatures

Drops file in Drivers directory (1 IoC)
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\037514b0.sys | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

Possible privilege escalation attempt (4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid | process
  3900 | takeown.exe
  3536 | icacls.exe
  4804 | takeown.exe
  4780 | icacls.exe

Sets service image path in registry (2 TTPs, 1 IoC)
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\037514b0\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\037514b0.sys" | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes: icacls.exe, takeown.exe, icacls.exe, takeown.exe
  pid | process
  3536 | icacls.exe
  4804 | takeown.exe
  4780 | icacls.exe
  3900 | takeown.exe

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

Drops file in System32 directory (5 IoCs)
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\wshtcpip.dll | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  File opened for modification | C:\Windows\SysWOW64\wshtcpip.dll | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  File created | C:\Windows\SysWOW64\midimap.dll | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  File created | C:\Windows\SysWOW64\3uHuUsYq.dll | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  File created | C:\Windows\SysWOW64\7e7iSufl.dll | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

Modifies registry class (4 IoCs)
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe" | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "1erd.dll" | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  pid | process
  1572 | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe (this same entry is recorded 64 times)

Suspicious behavior: LoadsDriver (2 IoCs)
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  pid | process
  652 |
  1572 | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: takeown.exe, takeown.exe, 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  description | pid | process
  Token: SeTakeOwnershipPrivilege | 3900 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 4804 | takeown.exe
  Token: SeDebugPrivilege | 1572 | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe

Suspicious use of WriteProcessMemory (21 IoCs; each row below is recorded 3 times)
Processes: 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1572 wrote to memory of 4964 | 1572 | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe | cmd.exe
  PID 4964 wrote to memory of 3900 | 4964 | cmd.exe | takeown.exe
  PID 4964 wrote to memory of 3536 | 4964 | cmd.exe | icacls.exe
  PID 1572 wrote to memory of 4808 | 1572 | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe | cmd.exe
  PID 4808 wrote to memory of 4804 | 4808 | cmd.exe | takeown.exe
  PID 4808 wrote to memory of 4780 | 4808 | cmd.exe | icacls.exe
  PID 1572 wrote to memory of 4112 | 1572 | 637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe | cmd.exe
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\637fc2260ea3a0d3d0b55953c2ff5bf23674c0fb881e92eb0437edb02906a7ac.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe
      command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\takeown.exe
      command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\icacls.exe
      command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 1391ac37e7f2f0818d37fadce1cec329
  SHA1: 0fb505a17893daa666381f72bb2233ae36655378
  SHA256: 5a1275a4b28cf2716531c05483c5b5f87c3e9185ff16ae00953039732cd899f6
  SHA512: b1265afe6179d77616a51fddba71451c34a70748cceb7da9ef97ca82d69b6d0af064fdb6daf64367535859c59b1d9d1cfb597c97d0f28b403d7e94111988ee27

memory/1572-140-0x0000000001000000-0x0000000001698000-memory.dmp
  Filesize: 6.6MB

memory/1572-144-0x0000000001000000-0x0000000001698000-memory.dmp
  Filesize: 6.6MB

memory/1572-132-0x0000000001000000-0x0000000001698000-memory.dmp
  Filesize: 6.6MB

memory/1572-136-0x0000000000D20000-0x0000000000D40000-memory.dmp
  Filesize: 128KB

memory/1572-141-0x0000000000D20000-0x0000000000D40000-memory.dmp
  Filesize: 128KB

memory/3536-135-0x0000000000000000-mapping.dmp
memory/3900-134-0x0000000000000000-mapping.dmp
memory/4112-142-0x0000000000000000-mapping.dmp
memory/4780-139-0x0000000000000000-mapping.dmp
memory/4804-138-0x0000000000000000-mapping.dmp
memory/4808-137-0x0000000000000000-mapping.dmp
memory/4964-133-0x0000000000000000-mapping.dmp