Analysis
- max time kernel: 64s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 23-11-2022 15:38
Static task: static1
Behavioral task: behavioral1
- Sample: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
- Resource: win10v2004-20221111-en
General
- Target: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
- Size: 711KB
- MD5: b508754cdaee0838f52c468e4550ddb3
- SHA1: e25fc3fda3e54c39969a490223e5c01a213716bb
- SHA256: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f
- SHA512: 1997cdb06b2b8177841d5e35ea7a4b9608de424351a2d422eaf7c46cd3cc56aa04768a1d0fc974c5b5528c02ff7ce00f8f80b8895ee9cb9986fdaca71f943f3d
- SSDEEP: 12288:1Upp2CSj/7pLL9yZmsubv4XSQDvuva8DVvy8wHkYpvQlJ8Q2lKzNc91XWFeQIZ3W:1uI7pFy49bQiQKva8Rg3yNBO5WF6ZtNm
Malware Config
Signatures
- Drops file in Drivers directory (1 IoC)
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  File created: C:\Windows\SysWOW64\drivers\015467eb.sys
- Possible privilege escalation attempt (4 IoCs)
  Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid 1592 takeown.exe; pid 992 icacls.exe; pid 596 takeown.exe; pid 1468 icacls.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\015467eb\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\015467eb.sys"
- Deletes itself (1 IoC)
  Processes: cmd.exe
  pid 304 cmd.exe
- Modifies file permissions (1 TTP, 4 IoCs)
  Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
  pid 1592 takeown.exe; pid 992 icacls.exe; pid 596 takeown.exe; pid 1468 icacls.exe
- Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
  Key deleted: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
- Maps connected drives based on registry (3 TTPs, 3 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  Key value enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
- Drops file in System32 directory (4 IoCs)
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  File created: C:\Windows\SysWOW64\ws2tcpip.dll
  File opened for modification: C:\Windows\SysWOW64\ws2tcpip.dll
  File created: C:\Windows\SysWOW64\wshtcpip.dll
  File created: C:\Windows\SysWOW64\midimap.dll
- Modifies registry class (4 IoCs)
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "7FDe.dll"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe (pid 2024)
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  pid 468 (process not listed); pid 2024 e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe, takeown.exe, takeown.exe
  Token: SeDebugPrivilege, pid 2024 e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  Token: SeTakeOwnershipPrivilege, pid 1592 takeown.exe
  Token: SeTakeOwnershipPrivilege, pid 596 takeown.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe, cmd.exe, cmd.exe
  PID 2024 wrote to memory of 1800 (e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe -> cmd.exe), 4 entries
  PID 1800 wrote to memory of 1592 (cmd.exe -> takeown.exe), 4 entries
  PID 1800 wrote to memory of 992 (cmd.exe -> icacls.exe), 4 entries
  PID 2024 wrote to memory of 1620 (e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe -> cmd.exe), 4 entries
  PID 1620 wrote to memory of 596 (cmd.exe -> takeown.exe), 4 entries
  PID 1620 wrote to memory of 1468 (cmd.exe -> icacls.exe), 4 entries
  PID 2024 wrote to memory of 304 (e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe -> cmd.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 803f8a79ee8624dc5b48a054a09fa586
  SHA1: 2ebcc69803284d5b251a0ed3c805b96725ed8990
  SHA256: 5a40c952f7ccf32235715e0d8c0db48e0312596375a3249c135e735bbe9ec17b
  SHA512: 98a908eec15058fb6fa19325f86aeebbcfed3b59aecffe38f46715482771e928f936d3cec14338216465b7d60a259ed6b33d7ae8b952d5f7d753cc9b3457f5c5
- memory/304-65-0x0000000000000000-mapping.dmp
- memory/596-63-0x0000000000000000-mapping.dmp
- memory/992-61-0x0000000000000000-mapping.dmp
- memory/1468-64-0x0000000000000000-mapping.dmp
- memory/1592-60-0x0000000000000000-mapping.dmp
- memory/1620-62-0x0000000000000000-mapping.dmp
- memory/1800-59-0x0000000000000000-mapping.dmp
- memory/2024-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB
- memory/2024-58-0x0000000000220000-0x0000000000240000-memory.dmp
  Filesize: 128KB
- memory/2024-57-0x0000000001000000-0x0000000001BC4000-memory.dmp
  Filesize: 11.8MB
- memory/2024-56-0x0000000000220000-0x0000000000240000-memory.dmp
  Filesize: 128KB
- memory/2024-55-0x0000000001000000-0x0000000001BC4000-memory.dmp
  Filesize: 11.8MB
- memory/2024-67-0x0000000001000000-0x0000000001BC4000-memory.dmp
  Filesize: 11.8MB