Analysis
-
max time kernel: 149s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 15:44
Static task: static1
Behavioral task: behavioral1
Sample: dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
Resource: win7-20221111-en
General
-
Target: dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
Size: 1.6MB
MD5: f693274485f1ef10524eaee98f7d6a4b
SHA1: bd6a49605d9e71c97bacff6e3efadc1ef03f9320
SHA256: dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1
SHA512: d810dfebebb55f3632f8ccb47c843c5ffa869a994ceb34d69673835da921f3a45161fde38d978180c8c12300bc25e27b4469427aebaee22b4a6e31978a650bc2
SSDEEP: 49152:O89RVp7kcF1FgcY9XTxIplFX4xddcjkX3zRvioUikp9Q:O89RX7rFva9XTAFyMQRvtr
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
Processes: e57bf29.exe
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\4150c668.sys | e57bf29.exe
-
Executes dropped EXE 3 IoCs
Processes: e57be10.tmp, dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe, e57bf29.exe
pid | process
3904 | e57be10.tmp
3756 | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
3852 | e57bf29.exe
-
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
3516 | takeown.exe
748 | icacls.exe
3056 | takeown.exe
2912 | icacls.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: e57bf29.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4150c668\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\4150c668.sys" | e57bf29.exe
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe | upx
behavioral2/memory/3756-140-0x0000000000400000-0x0000000000806000-memory.dmp | upx
behavioral2/memory/3756-148-0x0000000000400000-0x0000000000806000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
3516 | takeown.exe
748 | icacls.exe
3056 | takeown.exe
2912 | icacls.exe
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: e57bf29.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | e57bf29.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | e57bf29.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | e57bf29.exe
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: e57bf29.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e57bf29.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | e57bf29.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | e57bf29.exe
-
Drops file in System32 directory 4 IoCs
Processes: e57bf29.exe
description | ioc | process
File created | C:\Windows\SysWOW64\ws2tcpip.dll | e57bf29.exe
File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | e57bf29.exe
File created | C:\Windows\SysWOW64\wshtcpip.dll | e57bf29.exe
File created | C:\Windows\SysWOW64\midimap.dll | e57bf29.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 4 IoCs
Processes: e57bf29.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID | e57bf29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "e57bf29.exe" | e57bf29.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL | e57bf29.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "R2uH.dll" | e57bf29.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: e57bf29.exe
pid | process
3852 | e57bf29.exe (64 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes: e57bf29.exe
pid | process
644 |
3852 | e57bf29.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: e57bf29.exe, takeown.exe, takeown.exe
description | pid | process
Token: SeDebugPrivilege | 3852 | e57bf29.exe
Token: SeTakeOwnershipPrivilege | 3516 | takeown.exe
Token: SeTakeOwnershipPrivilege | 3056 | takeown.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
pid | process
3756 | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
3756 | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
3756 | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes: dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe, e57be10.tmp, dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe, e57bf29.exe, cmd.exe, cmd.exe
description | pid | process | target process (each row appears 3 times in the report)
PID 4068 wrote to memory of 3904 | 4068 | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe | e57be10.tmp
PID 3904 wrote to memory of 3756 | 3904 | e57be10.tmp | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
PID 3904 wrote to memory of 3852 | 3904 | e57be10.tmp | e57bf29.exe
PID 3756 wrote to memory of 1268 | 3756 | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe | schtasks.exe
PID 3756 wrote to memory of 1136 | 3756 | dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe | schtasks.exe
PID 3852 wrote to memory of 2056 | 3852 | e57bf29.exe | cmd.exe
PID 2056 wrote to memory of 3516 | 2056 | cmd.exe | takeown.exe
PID 2056 wrote to memory of 748 | 2056 | cmd.exe | icacls.exe
PID 3852 wrote to memory of 2236 | 3852 | e57bf29.exe | cmd.exe
PID 2236 wrote to memory of 3056 | 2236 | cmd.exe | takeown.exe
PID 2236 wrote to memory of 2912 | 2236 | cmd.exe | icacls.exe
PID 3852 wrote to memory of 4972 | 3852 | e57bf29.exe | cmd.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe"
    - Suspicious use of WriteProcessMemory
-
  [2] C:\Users\Admin\AppData\Local\Temp\e57be10.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Checks processor information in registry
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /query /tn PCYac
-
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /tn PCYac /tr "\"C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe"" /f /sc onlogon /rl highest
          - Creates scheduled task(s)
-
    [3] C:\Users\Admin\AppData\Local\Temp\e57bf29.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\\e57bf29.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Sets service image path in registry
        - Installs/modifies Browser Helper Object
        - Maps connected drives based on registry
        - Drops file in System32 directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
          - Suspicious use of WriteProcessMemory
-
        [5] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
-
        [5] C:\Windows\SysWOW64\icacls.exe
            Command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions
-
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
          - Suspicious use of WriteProcessMemory
-
        [5] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\Windows\SysWOW64\midimap.dll
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken
-
        [5] C:\Windows\SysWOW64\icacls.exe
            Command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
            - Possible privilege escalation attempt
            - Modifies file permissions
-
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize: 179B
MD5: 07b1b42e6384a59d9f2f3a7c893545fe
SHA1: 9eef0a185b7178f4533ee7c715bbb0c11b7cccf7
SHA256: 8637b71f262ebbe657e7644bbd00595e5bdfd5235775fd50b1fd9ae45ead31d8
SHA512: 2a5ace1ea06ff303f0850a1ac0383f0baf653425de8827cdae6f22e0e6db1978a98729bf4d3eb1a3d4f81b65a9eacfa4b888e817845fd1e8c2b3f5cb4685f814
-
C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
Filesize: 884KB
MD5: 61b8a7d26292c0a5f7f882b5cedb8816
SHA1: 14665cd44b2804172f46a0d1375c88959f72d797
SHA256: 4a881ab330b90c611601b2b92173c201aeb036546d042421df77d9e713c1a767
SHA512: bda52e47b18376f7c577cd8a874da84809bdb504739fdd56ee40b92eae738c8dc54cc73243982a1104e324792d9abe1349123e2f5ffa6250a6388f81f131d62e
-
C:\Users\Admin\AppData\Local\Temp\e57be10.tmp
Filesize: 1.6MB
MD5: f693274485f1ef10524eaee98f7d6a4b
SHA1: bd6a49605d9e71c97bacff6e3efadc1ef03f9320
SHA256: dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1
SHA512: d810dfebebb55f3632f8ccb47c843c5ffa869a994ceb34d69673835da921f3a45161fde38d978180c8c12300bc25e27b4469427aebaee22b4a6e31978a650bc2
-
C:\Users\Admin\AppData\Local\Temp\e57bf29.exe
Filesize: 716KB
MD5: 7c565c9eebdd01bc69cb63dcca072fd0
SHA1: 68e846eae6c1c2d618898b9f6e90e068dd881aa1
SHA256: 0eef7da0777dd1f80375f64a2a422c91633242905567cc4bbf4869aa7507be2a
SHA512: 7b113df19012d979cfac521ddae8125687bb1a9548614fb3a77db6ab3e6a453ff3dfd6bbee88e8befd51d4dc2f893233e42221bb2238bd3da2b54c7d25a5cdfb
-
memory/748-152-0x0000000000000000-mapping.dmp
-
memory/1136-147-0x0000000000000000-mapping.dmp
-
memory/1268-146-0x0000000000000000-mapping.dmp
-
memory/2056-150-0x0000000000000000-mapping.dmp
-
memory/2236-153-0x0000000000000000-mapping.dmp
-
memory/2912-155-0x0000000000000000-mapping.dmp
-
memory/3056-154-0x0000000000000000-mapping.dmp
-
memory/3516-151-0x0000000000000000-mapping.dmp
-
memory/3756-140-0x0000000000400000-0x0000000000806000-memory.dmp
Filesize: 4.0MB
-
memory/3756-137-0x0000000000000000-mapping.dmp
-
memory/3756-148-0x0000000000400000-0x0000000000806000-memory.dmp
Filesize: 4.0MB
-
memory/3852-139-0x0000000000000000-mapping.dmp
-
memory/3852-149-0x0000000001000000-0x0000000001BC7000-memory.dmp
Filesize: 11.8MB
-
memory/3852-144-0x0000000000430000-0x0000000000450000-memory.dmp
Filesize: 128KB
-
memory/3852-145-0x0000000001000000-0x0000000001BC7000-memory.dmp
Filesize: 11.8MB
-
memory/3852-157-0x0000000001000000-0x0000000001BC7000-memory.dmp
Filesize: 11.8MB
-
memory/3904-143-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB
-
memory/3904-133-0x0000000000000000-mapping.dmp
-
memory/4068-132-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB
-
memory/4068-136-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB
-
memory/4972-156-0x0000000000000000-mapping.dmp