Analysis
max time kernel: 159s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 15:38
Static task: static1
Behavioral task: behavioral1
  Sample: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
  Resource: win10v2004-20221111-en
General
Target: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Size: 711KB
MD5: b508754cdaee0838f52c468e4550ddb3
SHA1: e25fc3fda3e54c39969a490223e5c01a213716bb
SHA256: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f
SHA512: 1997cdb06b2b8177841d5e35ea7a4b9608de424351a2d422eaf7c46cd3cc56aa04768a1d0fc974c5b5528c02ff7ce00f8f80b8895ee9cb9986fdaca71f943f3d
SSDEEP: 12288:1Upp2CSj/7pLL9yZmsubv4XSQDvuva8DVvy8wHkYpvQlJ8Q2lKzNc91XWFeQIZ3W:1uI7pFy49bQiQKva8Rg3yNBO5WF6ZtNm
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\5c19acf7.sys | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Possible privilege escalation attempt (4 IoCs)
Processes: icacls.exe, takeown.exe, icacls.exe, takeown.exe
pid | process
4808 | icacls.exe
1712 | takeown.exe
2724 | icacls.exe
2496 | takeown.exe
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\5c19acf7\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\5c19acf7.sys" | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Modifies file permissions (1 TTP, 4 IoCs)
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
2496 | takeown.exe
4808 | icacls.exe
1712 | takeown.exe
2724 | icacls.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Drops file in System32 directory (4 IoCs)
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
description | ioc | process
File created | C:\Windows\SysWOW64\ws2tcpip.dll | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
File created | C:\Windows\SysWOW64\wshtcpip.dll | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
File created | C:\Windows\SysWOW64\midimap.dll | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Modifies registry class (4 IoCs)
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "Hwjht.dll" | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe" | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
pid | process
1672 | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe (64 identical entries, all from PID 1672)
Suspicious behavior: LoadsDriver (2 IoCs)
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
pid | process
644 | (process name not listed in the report)
1672 | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe, takeown.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 1672 | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
Token: SeTakeOwnershipPrivilege | 2496 | takeown.exe
Token: SeTakeOwnershipPrivilege | 1712 | takeown.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Processes: e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe, cmd.exe, cmd.exe
Each row below appears three times in the report (7 distinct events, 21 entries).
description | pid | process | target process
PID 1672 wrote to memory of 3656 | 1672 | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe | cmd.exe
PID 3656 wrote to memory of 2496 | 3656 | cmd.exe | takeown.exe
PID 3656 wrote to memory of 4808 | 3656 | cmd.exe | icacls.exe
PID 1672 wrote to memory of 1848 | 1672 | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe | cmd.exe
PID 1848 wrote to memory of 1712 | 1848 | cmd.exe | takeown.exe
PID 1848 wrote to memory of 2724 | 1848 | cmd.exe | icacls.exe
PID 1672 wrote to memory of 4076 | 1672 | e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe | cmd.exe
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e58825dddfed8ec5259cf20cac37dcd7444de51e2da2411e21d1b82291a91e4f.exe"
    Signatures:
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Installs/modifies Browser Helper Object
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        Signatures:
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
            Signatures:
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\icacls.exe
            Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
            Signatures:
            - Possible privilege escalation attempt
            - Modifies file permissions
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        Signatures:
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
            Signatures:
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\icacls.exe
            Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
            Signatures:
            - Possible privilege escalation attempt
            - Modifies file permissions
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 803f8a79ee8624dc5b48a054a09fa586
  SHA1: 2ebcc69803284d5b251a0ed3c805b96725ed8990
  SHA256: 5a40c952f7ccf32235715e0d8c0db48e0312596375a3249c135e735bbe9ec17b
  SHA512: 98a908eec15058fb6fa19325f86aeebbcfed3b59aecffe38f46715482771e928f936d3cec14338216465b7d60a259ed6b33d7ae8b952d5f7d753cc9b3457f5c5
memory/1672-132-0x0000000001000000-0x0000000001BC4000-memory.dmp
  Filesize: 11.8MB
memory/1672-133-0x0000000000580000-0x00000000005A0000-memory.dmp
  Filesize: 128KB
memory/1672-134-0x0000000000580000-0x00000000005A0000-memory.dmp
  Filesize: 128KB
memory/1672-143-0x0000000001000000-0x0000000001BC4000-memory.dmp
  Filesize: 11.8MB
memory/1712-139-0x0000000000000000-mapping.dmp
memory/1848-138-0x0000000000000000-mapping.dmp
memory/2496-136-0x0000000000000000-mapping.dmp
memory/2724-140-0x0000000000000000-mapping.dmp
memory/3656-135-0x0000000000000000-mapping.dmp
memory/4076-141-0x0000000000000000-mapping.dmp
memory/4808-137-0x0000000000000000-mapping.dmp