Analysis
max time kernel: 73s
max time network: 57s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 17:29
Static task: static1
Behavioral task: behavioral1
  Sample: 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Resource: win10v2004-20221111-en
General
Target: 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
Size: 810KB
MD5: 81832cf9fd9df3401e4675b5559a87af
SHA1: e06c795398f46b5b6bca7e236de9a1019e0afce1
SHA256: 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c
SHA512: c052ec30ac6cf2ff5208f64fd41bc7d908ecc6f720d7d074b2ab08aac7e6e207dad5f142ddf0a6e5dcd1549167d7a7a0e96ea36d6f2248f103da71cc56ffed61
SSDEEP: 12288:uhi+coBfeept/5gxDHd71fIRbSisRNdHxYYtsSPXOsavTUst01AatM:W7t6xDHl1fIfaYR8XOs4TUodae
Malware Config
Signatures
Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File created | C:\Windows\SysWOW64\drivers\78464ee4.sys | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
Possible privilege escalation attempt (4 IoCs)
  pid | process
  1812 | takeown.exe
  1788 | icacls.exe
  916 | takeown.exe
  1832 | icacls.exe
Sets service image path in registry (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\78464ee4\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\78464ee4.sys" | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
Deletes itself (1 IoC)
  pid | process
  1080 | cmd.exe
Modifies file permissions (1 TTP, 4 IoCs)
  pid | process
  1788 | icacls.exe
  916 | takeown.exe
  1832 | icacls.exe
  1812 | takeown.exe
Installs/modifies Browser Helper Object (2 TTPs, 4 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
Maps connected drives based on registry (3 TTPs, 3 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
Drops file in System32 directory (4 IoCs)
  description | ioc | process
  File created | C:\Windows\SysWOW64\ws2tcpip.dll | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  File opened for modification | C:\Windows\SysWOW64\ws2tcpip.dll | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  File created | C:\Windows\SysWOW64\wshtcpip.dll | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  File created | C:\Windows\SysWOW64\midimap.dll | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
Modifies registry class (4 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe" | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "GuJ7kaGH.dll" | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1424 | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe (64 identical entries)
Suspicious behavior: LoadsDriver (2 IoCs)
  pid | process
  460 |
  1424 | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1424 | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  Token: SeTakeOwnershipPrivilege | 1812 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 916 | takeown.exe
Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | process | target process
  PID 1424 wrote to memory of 1776 | 1424 | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe | cmd.exe (4 entries)
  PID 1776 wrote to memory of 1812 | 1776 | cmd.exe | takeown.exe (4 entries)
  PID 1776 wrote to memory of 1788 | 1776 | cmd.exe | icacls.exe (4 entries)
  PID 1424 wrote to memory of 568 | 1424 | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe | cmd.exe (4 entries)
  PID 568 wrote to memory of 916 | 568 | cmd.exe | takeown.exe (4 entries)
  PID 568 wrote to memory of 1832 | 568 | cmd.exe | icacls.exe (4 entries)
  PID 1424 wrote to memory of 1080 | 1424 | 38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe | cmd.exe (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\38f33f765cac401b12ed8b67616bf725273a576952b0dd849ef1142dfff7416c.exe"
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Installs/modifies Browser Helper Object
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1424
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
      PID: 1776
        C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f C:\Windows\SysWOW64\wshtcpip.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID: 1812
        C:\Windows\SysWOW64\icacls.exe
          command line: icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID: 1788
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      - Suspicious use of WriteProcessMemory
      PID: 568
        C:\Windows\SysWOW64\takeown.exe
          command line: takeown /f C:\Windows\SysWOW64\midimap.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
          PID: 916
        C:\Windows\SysWOW64\icacls.exe
          command line: icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
          - Possible privilege escalation attempt
          - Modifies file permissions
          PID: 1832
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      - Deletes itself
      PID: 1080
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  Filesize: 181B
  MD5: 934af5dc36cb14002859f3d779a91c3a
  SHA1: 8228ba4a3b745eb617fe8ceaca83261c48b11358
  SHA256: 06e7a326b863a2ab02f0758430d4cd45a074221b1f21e21f558d43f81158c14b
  SHA512: 48543c1e6437245ea8105ed17539e4126f963d86e51478c88cdd6938b6d0fbed9d9f9d5a1195310fbf30c4d6a226c98f71f5affae32c4cf4b7f6f425be0391e9
memory/568-62-0x0000000000000000-mapping.dmp
memory/916-63-0x0000000000000000-mapping.dmp
memory/1080-65-0x0000000000000000-mapping.dmp
memory/1424-57-0x0000000001000000-0x0000000001BDF000-memory.dmp
  Filesize: 11.9MB
memory/1424-58-0x0000000000220000-0x0000000000240000-memory.dmp
  Filesize: 128KB
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp
  Filesize: 8KB
memory/1424-56-0x0000000000220000-0x0000000000240000-memory.dmp
  Filesize: 128KB
memory/1424-55-0x0000000001000000-0x0000000001BDF000-memory.dmp
  Filesize: 11.9MB
memory/1424-67-0x0000000001000000-0x0000000001BDF000-memory.dmp
  Filesize: 11.9MB
memory/1776-59-0x0000000000000000-mapping.dmp
memory/1788-61-0x0000000000000000-mapping.dmp
memory/1812-60-0x0000000000000000-mapping.dmp
memory/1832-64-0x0000000000000000-mapping.dmp