e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968

General

Target

e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Size

1.3MB
MD5

ef47687cddafd1fb06d3705b3409a52e
SHA1

5c3c7ed3705205c38cf2a12a1ccc9a4e394da1ee
SHA256

e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968
SHA512

b178465e17738f9489fc75bd5d5866de361bd88182bf214066884fa3e9d7a83ec40b7d4b9ba063d6668c0ae86e22d4385ad51994116c414651434a4225eb5100
SSDEEP

24576:u7Djpcup0fXIXSxJxqW6ZvNrryeq7Xr8N9bb3DFsH:uzmupI9xJEWstyewkb7ZsH

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

e56ccf9.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\35bf84a2.sys e56ccf9.exe
Executes dropped EXE 3 IoCs

Processes:

e56cb44.tmpe7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exee56ccf9.exe

pid process

5012 e56cb44.tmp
4260 e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
4548 e56ccf9.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1732 takeown.exe
5056 icacls.exe
1156 takeown.exe
4676 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\35bf84a2.sys	e56ccf9.exe

pid	process
5012	e56cb44.tmp
4260	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
4548	e56ccf9.exe

pid	process
1732	takeown.exe
5056	icacls.exe
1156	takeown.exe
4676	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e56ccf9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\35bf84a2\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\35bf84a2.sys"	e56ccf9.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

5056 icacls.exe
1156 takeown.exe
4676 icacls.exe
1732 takeown.exe

pid	process
5056	icacls.exe
1156	takeown.exe
4676	icacls.exe
1732	takeown.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

e56ccf9.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	e56ccf9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	e56ccf9.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	e56ccf9.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e56ccf9.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e56ccf9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e56ccf9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e56ccf9.exe

Drops file in System32 directory 4 IoCs

Processes:

e56ccf9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wshtcpip.dll	e56ccf9.exe
File created	C:\Windows\SysWOW64\midimap.dll	e56ccf9.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	e56ccf9.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	e56ccf9.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe

Modifies registry class 4 IoCs

Processes:

e56ccf9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	e56ccf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "e56ccf9.exe"	e56ccf9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	e56ccf9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "7ywi.dll"	e56ccf9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e56ccf9.exe

pid	process
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe
4548	e56ccf9.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

e56ccf9.exe

pid process

644
4548 e56ccf9.exe

pid	process
644
4548	e56ccf9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e56ccf9.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4548	e56ccf9.exe
Token: SeTakeOwnershipPrivilege	1732	takeown.exe
Token: SeTakeOwnershipPrivilege	1156	takeown.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exee56cb44.tmpe56ccf9.execmd.execmd.exe

description	pid	process	target process
PID 4940 wrote to memory of 5012	4940	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe	e56cb44.tmp
PID 4940 wrote to memory of 5012	4940	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe	e56cb44.tmp
PID 4940 wrote to memory of 5012	4940	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe	e56cb44.tmp
PID 5012 wrote to memory of 4260	5012	e56cb44.tmp	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
PID 5012 wrote to memory of 4260	5012	e56cb44.tmp	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
PID 5012 wrote to memory of 4260	5012	e56cb44.tmp	e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
PID 5012 wrote to memory of 4548	5012	e56cb44.tmp	e56ccf9.exe
PID 5012 wrote to memory of 4548	5012	e56cb44.tmp	e56ccf9.exe
PID 5012 wrote to memory of 4548	5012	e56cb44.tmp	e56ccf9.exe
PID 4548 wrote to memory of 1380	4548	e56ccf9.exe	cmd.exe
PID 4548 wrote to memory of 1380	4548	e56ccf9.exe	cmd.exe
PID 4548 wrote to memory of 1380	4548	e56ccf9.exe	cmd.exe
PID 1380 wrote to memory of 1732	1380	cmd.exe	takeown.exe
PID 1380 wrote to memory of 1732	1380	cmd.exe	takeown.exe
PID 1380 wrote to memory of 1732	1380	cmd.exe	takeown.exe
PID 1380 wrote to memory of 5056	1380	cmd.exe	icacls.exe
PID 1380 wrote to memory of 5056	1380	cmd.exe	icacls.exe
PID 1380 wrote to memory of 5056	1380	cmd.exe	icacls.exe
PID 4548 wrote to memory of 2988	4548	e56ccf9.exe	cmd.exe
PID 4548 wrote to memory of 2988	4548	e56ccf9.exe	cmd.exe
PID 4548 wrote to memory of 2988	4548	e56ccf9.exe	cmd.exe
PID 2988 wrote to memory of 1156	2988	cmd.exe	takeown.exe
PID 2988 wrote to memory of 1156	2988	cmd.exe	takeown.exe
PID 2988 wrote to memory of 1156	2988	cmd.exe	takeown.exe
PID 2988 wrote to memory of 4676	2988	cmd.exe	icacls.exe
PID 2988 wrote to memory of 4676	2988	cmd.exe	icacls.exe
PID 2988 wrote to memory of 4676	2988	cmd.exe	icacls.exe
PID 4548 wrote to memory of 4012	4548	e56ccf9.exe	cmd.exe
PID 4548 wrote to memory of 4012	4548	e56ccf9.exe	cmd.exe
PID 4548 wrote to memory of 4012	4548	e56ccf9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
"C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\e56cb44.tmp
>C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
"C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4260

C:\Users\Admin\AppData\Local\Temp\e56ccf9.exe
"C:\Users\Admin\AppData\Local\Temp\\e56ccf9.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
4⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5056

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
4⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
4⤵
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
179B

MD5
cb27cc7bd6797efb4de0f561ab99f687

SHA1
924c22ab12c513329f37593a2856b27d06b60424

SHA256
ffa13d2c61994ecd8271fa71fc92165cdf3a89a6873558628599fcd342fe63b5

SHA512
6b349e9d0b7b264fc56a1608e98e6ee02536d56e0bbcb70e09cc18b0d1cdf6e9d0a2b73c59f0d209e054eaa87f02be70c67c425c7f35688b6fa5fea67f525c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56cb44.tmp
Filesize
1.3MB

MD5
ef47687cddafd1fb06d3705b3409a52e

SHA1
5c3c7ed3705205c38cf2a12a1ccc9a4e394da1ee

SHA256
e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968

SHA512
b178465e17738f9489fc75bd5d5866de361bd88182bf214066884fa3e9d7a83ec40b7d4b9ba063d6668c0ae86e22d4385ad51994116c414651434a4225eb5100

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56cb44.tmp
Filesize
1.3MB

MD5
ef47687cddafd1fb06d3705b3409a52e

SHA1
5c3c7ed3705205c38cf2a12a1ccc9a4e394da1ee

SHA256
e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968

SHA512
b178465e17738f9489fc75bd5d5866de361bd88182bf214066884fa3e9d7a83ec40b7d4b9ba063d6668c0ae86e22d4385ad51994116c414651434a4225eb5100

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56ccf9.exe
Filesize
846KB

MD5
ba68d4c5343746d9bcf3cbadad3ba564

SHA1
3c23f9c71854c070203f45b9775b6b74d9a8658f

SHA256
63077e0732540d09c8c64c68239a213b910b2182de1d9893c51f8ef0bde5c32c

SHA512
7ee9b012c2ed8abe9be931ea9b1d927f6b9f948fe98cc3856a4a34be1fd1699bd4c47ad09694e5cdbb5c57da8f6160fcc6c6196a79c920eabc356ade4b6e90e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56ccf9.exe
Filesize
846KB

MD5
ba68d4c5343746d9bcf3cbadad3ba564

SHA1
3c23f9c71854c070203f45b9775b6b74d9a8658f

SHA256
63077e0732540d09c8c64c68239a213b910b2182de1d9893c51f8ef0bde5c32c

SHA512
7ee9b012c2ed8abe9be931ea9b1d927f6b9f948fe98cc3856a4a34be1fd1699bd4c47ad09694e5cdbb5c57da8f6160fcc6c6196a79c920eabc356ade4b6e90e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7f0a3a3553dc4eb25e9337f664d93c8fd951a328952883f10f09621a2255968.exe
Filesize
473KB

MD5
5283b78d841e568f2dcff0ccf357222e

SHA1
c47b70ed9e3838c2a18cb49f099b0b72f13c268c

SHA256
4eacb02bbf469948b82c124a1bd7b22308705c121db3016ac7b7e2abe5cef6c9

SHA512
3518f00e0f89c231249b4d99da10203dc7fb579f40267697caa1715a64dce1b814dfccdadc5f0898d6f5eb048daeef8f5435922b8e7836ac1bdaa021aaf2c912

Download Submit
memory/1156-152-0x0000000000000000-mapping.dmp

Download
memory/1380-148-0x0000000000000000-mapping.dmp

Download
memory/1732-149-0x0000000000000000-mapping.dmp

Download
memory/2988-151-0x0000000000000000-mapping.dmp

Download
memory/4012-154-0x0000000000000000-mapping.dmp

Download
memory/4260-136-0x0000000000000000-mapping.dmp

Download
memory/4260-142-0x0000000000400000-0x00000000007A1000-memory.dmp

Filesize
3.6MB

Download
memory/4260-145-0x0000000000400000-0x00000000007A1000-memory.dmp

Filesize
3.6MB

Download
memory/4548-144-0x0000000000620000-0x0000000000640000-memory.dmp

Filesize
128KB

Download
memory/4548-147-0x0000000000620000-0x0000000000640000-memory.dmp

Filesize
128KB

Download
memory/4548-146-0x0000000001000000-0x0000000001C57000-memory.dmp

Filesize
12.3MB

Download
memory/4548-143-0x0000000001000000-0x0000000001C57000-memory.dmp

Filesize
12.3MB

Download
memory/4548-138-0x0000000000000000-mapping.dmp

Download
memory/4548-156-0x0000000001000000-0x0000000001C57000-memory.dmp

Filesize
12.3MB

Download
memory/4676-153-0x0000000000000000-mapping.dmp

Download
memory/4940-134-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5012-132-0x0000000000000000-mapping.dmp

Download
memory/5012-141-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5056-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads