9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4

General

Target

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Size

671KB
MD5

409159147752686fb1474eeb48709b30
SHA1

dc4ba05e4850a223fc819634df660bb23a964d26
SHA256

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4
SHA512

51d60c770bc8e88cbdcbfb46e685fef4dbfb251f82455967f10ab421523b6bce51b7eab1a3d9fdbeaa43e6f2527b2e7433b4b13005888b03b2f5d2ed734e50f2
SSDEEP

12288:uknDOg+vAcSLbYXc3uAN72T2s8cfwN8N4UbCkO2ELN0YpUovDAXc:bDU3SLbYXc3uA92feON4iBOvLGYppbAs

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\11f4a7ee.sys 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

5024 takeown.exe
4792 icacls.exe
4132 takeown.exe
3820 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\11f4a7ee.sys	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

pid	process
5024	takeown.exe
4792	icacls.exe
4132	takeown.exe
3820	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\11f4a7ee\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\11f4a7ee.sys"	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

3820 icacls.exe
5024 takeown.exe
4792 icacls.exe
4132 takeown.exe

pid	process
3820	icacls.exe
5024	takeown.exe
4792	icacls.exe
4132	takeown.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

Drops file in System32 directory 5 IoCs

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wshtcpip.dll	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
File opened for modification	C:\Windows\SysWOW64\wshtcpip.dll	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
File created	C:\Windows\SysWOW64\midimap.dll	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
File created	C:\Windows\SysWOW64\reYuwdDu.dll	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
File created	C:\Windows\SysWOW64\wtylHH9f.dll	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

Modifies registry class 4 IoCs

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe"	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "swwwbY.dll"	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

pid	process
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

pid process

664
3340 9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

pid	process
664
3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

takeown.exetakeown.exe9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5024	takeown.exe
Token: SeTakeOwnershipPrivilege	4132	takeown.exe
Token: SeDebugPrivilege	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.execmd.execmd.exe

description	pid	process	target process
PID 3340 wrote to memory of 3256	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe
PID 3340 wrote to memory of 3256	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe
PID 3340 wrote to memory of 3256	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe
PID 3256 wrote to memory of 5024	3256	cmd.exe	takeown.exe
PID 3256 wrote to memory of 5024	3256	cmd.exe	takeown.exe
PID 3256 wrote to memory of 5024	3256	cmd.exe	takeown.exe
PID 3256 wrote to memory of 4792	3256	cmd.exe	icacls.exe
PID 3256 wrote to memory of 4792	3256	cmd.exe	icacls.exe
PID 3256 wrote to memory of 4792	3256	cmd.exe	icacls.exe
PID 3340 wrote to memory of 1472	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe
PID 3340 wrote to memory of 1472	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe
PID 3340 wrote to memory of 1472	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe
PID 1472 wrote to memory of 4132	1472	cmd.exe	takeown.exe
PID 1472 wrote to memory of 4132	1472	cmd.exe	takeown.exe
PID 1472 wrote to memory of 4132	1472	cmd.exe	takeown.exe
PID 1472 wrote to memory of 3820	1472	cmd.exe	icacls.exe
PID 1472 wrote to memory of 3820	1472	cmd.exe	icacls.exe
PID 1472 wrote to memory of 3820	1472	cmd.exe	icacls.exe
PID 3340 wrote to memory of 4476	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe
PID 3340 wrote to memory of 4476	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe
PID 3340 wrote to memory of 4476	3340	9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe
"C:\Users\Admin\AppData\Local\Temp\9775c0b2b49b23f408258035aa1860df5cebacd92d3a11480f53ec92afb371f4.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:3256

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4132

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:4476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
41776175ccf4f6c1b622fd68543e2c7f

SHA1
011a104b0cbe38fc0a049b1008374e03fb00713a

SHA256
8254519ef4dc06a7ceb75505baa3b100baae313cea1d33f1d727046a711e3907

SHA512
d0ddefd292679f5d8b4d2979edcd101e8010f6eadcb009cbbcf90ba993413bac424d5a4323e4acb32f3852d3896c1c33643d5e9d7ed74cb561851ea8bbc67e68

Download Submit
memory/1472-137-0x0000000000000000-mapping.dmp

Download
memory/3256-134-0x0000000000000000-mapping.dmp

Download
memory/3340-141-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/3340-133-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/3340-143-0x0000000001000000-0x000000000177B000-memory.dmp

Filesize
7.5MB

Download
memory/3340-132-0x0000000001000000-0x000000000177B000-memory.dmp

Filesize
7.5MB

Download
memory/3340-140-0x0000000001000000-0x000000000177B000-memory.dmp

Filesize
7.5MB

Download
memory/3820-139-0x0000000000000000-mapping.dmp

Download
memory/4132-138-0x0000000000000000-mapping.dmp

Download
memory/4476-142-0x0000000000000000-mapping.dmp

Download
memory/4792-136-0x0000000000000000-mapping.dmp

Download
memory/5024-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads