Analysis
- max time kernel: 62s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20-11-2022 08:45
Static task: static1
Behavioral task: behavioral1
- Sample: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- Resource: win10v2004-20221111-en
General
- Target: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- Size: 328KB
- MD5: 1418bc22e59199f408628e641f1c9780
- SHA1: 78b1d9a4f475ee201a939173940c564c50e782b6
- SHA256: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d
- SHA512: b0b2c75cedaecd48b1d24cf8f555db9c01cc55e8236a708cb132a98407816514c1940b9502db3c1de716065561536fe8e1a42b667e20a817d8d87858314ae01d
- SSDEEP: 6144:pyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:pCemx0vN3HKGi6sYjJLUGGtedud5tr7
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
Processes: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- File created: C:\Windows\SysWOW64\drivers\3acdd81a.sys
Possible privilege escalation attempt (4 IoCs)
Processes:
- PID 912 icacls.exe
- PID 552 takeown.exe
- PID 524 icacls.exe
- PID 1164 takeown.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\3acdd81a\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\3acdd81a.sys"
Deletes itself (1 IoC)
Processes:
- PID 2036 cmd.exe
Modifies file permissions (1 TTP, 4 IoCs)
Processes:
- PID 1164 takeown.exe
- PID 912 icacls.exe
- PID 552 takeown.exe
- PID 524 icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
- Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
- Key value enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
Drops file in System32 directory (4 IoCs)
Processes: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- File created: C:\Windows\SysWOW64\ws2tcpip.dll
- File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll
- File created: C:\Windows\SysWOW64\wshtcpip.dll
- File created: C:\Windows\SysWOW64\midimap.dll
Modifies registry class (4 IoCs)
Processes: 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "qsyD5yo.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe"
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 1636 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe (all 64 IoCs come from this one process)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes:
- PID 460
- PID 1636 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1636 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
- Token: SeTakeOwnershipPrivilege, PID 552 takeown.exe
- Token: SeTakeOwnershipPrivilege, PID 1164 takeown.exe
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (source PID and process, target PID and process, number of recorded writes):
- PID 1636 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe wrote to memory of PID 2044 cmd.exe (4 times)
- PID 2044 cmd.exe wrote to memory of PID 552 takeown.exe (4 times)
- PID 2044 cmd.exe wrote to memory of PID 524 icacls.exe (4 times)
- PID 1636 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe wrote to memory of PID 1508 cmd.exe (4 times)
- PID 1508 cmd.exe wrote to memory of PID 1164 takeown.exe (4 times)
- PID 1508 cmd.exe wrote to memory of PID 912 icacls.exe (4 times)
- PID 1636 564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe wrote to memory of PID 2036 cmd.exe (4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\564d4d591fbee72741120aad1d61e91afc4a7fed095b7f6acadfe254face5e3d.exe"
  PID: 1636
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    PID: 2044
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      PID: 552
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      PID: 524
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    PID: 1508
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      PID: 1164
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      PID: 912
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    PID: 2036
    - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: b3a43b7d59456adcd5c5a485b86b1859
  SHA1: f93a902c2d82acb763d9b9e2e789fe4c4b7b7123
  SHA256: 9f87f425f1801fb9d0cd988d7d4467f2ff512cc885ee08a65a33575050fc0e85
  SHA512: 4a92cbafa5f7622d6c5ad6515f003a00af0be6a2973d81ef43847059a8e7d176c9cb2bd17a9db560b6db25f882b53e7cb7ff62d5c92fd455469c4a9d3d83545c
- memory/524-61-0x0000000000000000-mapping.dmp
- memory/552-60-0x0000000000000000-mapping.dmp
- memory/912-64-0x0000000000000000-mapping.dmp
- memory/1164-63-0x0000000000000000-mapping.dmp
- memory/1508-62-0x0000000000000000-mapping.dmp
- memory/1636-58-0x00000000003C0000-0x00000000003E0000-memory.dmp (Filesize: 128KB)
- memory/1636-57-0x0000000001000000-0x000000000116A000-memory.dmp (Filesize: 1.4MB)
- memory/1636-54-0x0000000075E51000-0x0000000075E53000-memory.dmp (Filesize: 8KB)
- memory/1636-56-0x00000000003C0000-0x00000000003E0000-memory.dmp (Filesize: 128KB)
- memory/1636-66-0x0000000001000000-0x000000000116A000-memory.dmp (Filesize: 1.4MB)
- memory/1636-55-0x0000000001000000-0x000000000116A000-memory.dmp (Filesize: 1.4MB)
- memory/2036-65-0x0000000000000000-mapping.dmp
- memory/2044-59-0x0000000000000000-mapping.dmp