220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318

General

Target

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Size

663KB
MD5

63ac37f23344ad69ab9afbf47b2aa5c0
SHA1

ae22db3f182f5a83e10a51d53818c793eac5321f
SHA256

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318
SHA512

07a52a91b7a64445135bafe3233ad19134f9682acd0394b7ce0397e3bd8cd035b04e8e4a759604282aca04f73996627d0cce854fab222e48183ee2a50911cb64
SSDEEP

12288:3dceDjsrqQW9kh9Kq1mfuN/eMldtAd1D9A3uqse4wLESEoZBI:3dce+9KqYfm/eqd6D9MuqmIEXo4

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\0139b6aa.sys 220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exe

pid process

4912 icacls.exe
4888 takeown.exe
4088 takeown.exe
1212 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\0139b6aa.sys	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid	process
4912	icacls.exe
4888	takeown.exe
4088	takeown.exe
1212	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\0139b6aa\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\0139b6aa.sys"	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exetakeown.exe

pid process

4088 takeown.exe
1212 icacls.exe
4912 icacls.exe
4888 takeown.exe

pid	process
4088	takeown.exe
1212	icacls.exe
4912	icacls.exe
4888	takeown.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Drops file in System32 directory 5 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wshtcpip.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
File opened for modification	C:\Windows\SysWOW64\wshtcpip.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
File created	C:\Windows\SysWOW64\midimap.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
File created	C:\Windows\SysWOW64\GhisduwH.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
File created	C:\Windows\SysWOW64\ufeUUeUr.dll	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Modifies registry class 4 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "1Fsuj7efss.dll"	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe"	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid	process
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid process

668
1896 220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

pid	process
668
1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

takeown.exetakeown.exe220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4088	takeown.exe
Token: SeTakeOwnershipPrivilege	4888	takeown.exe
Token: SeDebugPrivilege	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.execmd.execmd.exe

description	pid	process	target process
PID 1896 wrote to memory of 8	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1896 wrote to memory of 8	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1896 wrote to memory of 8	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 8 wrote to memory of 4088	8	cmd.exe	takeown.exe
PID 8 wrote to memory of 4088	8	cmd.exe	takeown.exe
PID 8 wrote to memory of 4088	8	cmd.exe	takeown.exe
PID 8 wrote to memory of 1212	8	cmd.exe	icacls.exe
PID 8 wrote to memory of 1212	8	cmd.exe	icacls.exe
PID 8 wrote to memory of 1212	8	cmd.exe	icacls.exe
PID 1896 wrote to memory of 860	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1896 wrote to memory of 860	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1896 wrote to memory of 860	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 860 wrote to memory of 4888	860	cmd.exe	takeown.exe
PID 860 wrote to memory of 4888	860	cmd.exe	takeown.exe
PID 860 wrote to memory of 4888	860	cmd.exe	takeown.exe
PID 860 wrote to memory of 4912	860	cmd.exe	icacls.exe
PID 860 wrote to memory of 4912	860	cmd.exe	icacls.exe
PID 860 wrote to memory of 4912	860	cmd.exe	icacls.exe
PID 1896 wrote to memory of 1740	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1896 wrote to memory of 1740	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe
PID 1896 wrote to memory of 1740	1896	220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe
"C:\Users\Admin\AppData\Local\Temp\220238dd91f184fede5b90f492ea457e02b3de6b98bf45e9b9cf34aee3005318.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4912

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
bc980698d2b295eda9ea0e99e05f4603

SHA1
f95514ec59d7fa1c1319f208c98d8c59ad834acd

SHA256
e6f3a5bf2ed9139d959f6f522c1abce56011b2fc6117b1a52cc498316e412821

SHA512
8ab18ba612fb655c388186cace3d6468d74b12cf4693154f4966512d823bc8a478a74bae8eaf26b00ba9c3ceb511cb59292bb279e305794abac26ba4e76b0e70

Download Submit
memory/8-134-0x0000000000000000-mapping.dmp

Download
memory/860-137-0x0000000000000000-mapping.dmp

Download
memory/1212-136-0x0000000000000000-mapping.dmp

Download
memory/1740-142-0x0000000000000000-mapping.dmp

Download
memory/1896-133-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/1896-132-0x0000000001000000-0x0000000001779000-memory.dmp

Filesize
7.5MB

Download
memory/1896-144-0x0000000001000000-0x0000000001779000-memory.dmp

Filesize
7.5MB

Download
memory/1896-140-0x0000000001000000-0x0000000001779000-memory.dmp

Filesize
7.5MB

Download
memory/1896-141-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/4088-135-0x0000000000000000-mapping.dmp

Download
memory/4888-138-0x0000000000000000-mapping.dmp

Download
memory/4912-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads