d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42

General

Target

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Size

329KB
MD5

0eb27d82d64fd4bb872dcfac524e9a40
SHA1

5994c7b5d7720ea1c832823a3513add7b496ca96
SHA256

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42
SHA512

2f8bac2a920167457c526b95085615558f272637b6a63471fb62267121b5ef35dcb77a62dd290c09168e1e52f97fcf0af081eeee5da8d5fc2f6e32c1d05a3a4f
SSDEEP

6144:oqpxvlACym6wGGWFGDwZyoJ3fzBeM6SpktqHQI6mVk8cL3/CzYjsHh:oqjvlA06wLBHAf9eMvHwmVkhL36zYwHh

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\0591a06f.sys d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4292 takeown.exe
3692 icacls.exe
232 takeown.exe
3408 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\0591a06f.sys	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

pid	process
4292	takeown.exe
3692	icacls.exe
232	takeown.exe
3408	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\0591a06f\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\0591a06f.sys"	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

232 takeown.exe
3408 icacls.exe
4292 takeown.exe
3692 icacls.exe

pid	process
232	takeown.exe
3408	icacls.exe
4292	takeown.exe
3692	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

Drops file in System32 directory 4 IoCs

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
File created	C:\Windows\SysWOW64\midimap.dll	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

Modifies registry class 4 IoCs

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe"	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "Ygq.dll"	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

pid	process
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

pid process

656
4344 d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

pid	process
656
4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
Token: SeTakeOwnershipPrivilege	4292	takeown.exe
Token: SeTakeOwnershipPrivilege	232	takeown.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.execmd.execmd.exe

description	pid	process	target process
PID 4344 wrote to memory of 2648	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe
PID 4344 wrote to memory of 2648	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe
PID 4344 wrote to memory of 2648	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe
PID 2648 wrote to memory of 4292	2648	cmd.exe	takeown.exe
PID 2648 wrote to memory of 4292	2648	cmd.exe	takeown.exe
PID 2648 wrote to memory of 4292	2648	cmd.exe	takeown.exe
PID 2648 wrote to memory of 3692	2648	cmd.exe	icacls.exe
PID 2648 wrote to memory of 3692	2648	cmd.exe	icacls.exe
PID 2648 wrote to memory of 3692	2648	cmd.exe	icacls.exe
PID 4344 wrote to memory of 3376	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe
PID 4344 wrote to memory of 3376	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe
PID 4344 wrote to memory of 3376	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe
PID 3376 wrote to memory of 232	3376	cmd.exe	takeown.exe
PID 3376 wrote to memory of 232	3376	cmd.exe	takeown.exe
PID 3376 wrote to memory of 232	3376	cmd.exe	takeown.exe
PID 3376 wrote to memory of 3408	3376	cmd.exe	icacls.exe
PID 3376 wrote to memory of 3408	3376	cmd.exe	icacls.exe
PID 3376 wrote to memory of 3408	3376	cmd.exe	icacls.exe
PID 4344 wrote to memory of 2760	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe
PID 4344 wrote to memory of 2760	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe
PID 4344 wrote to memory of 2760	4344	d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe
"C:\Users\Admin\AppData\Local\Temp\d1e0edb19f1403bc6517dd472edfbb384e4546a798e8d6a8fe4a065c4b741c42.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\wshtcpip.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\midimap.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3408
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  2⤵
  PID:2760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat

Filesize
181B

MD5
98d5bdb3d697126c69023a5cac9e3f74

SHA1
a1ceae4e3458ffff88322a839e65b707a65cddd4

SHA256
58da5d73c5439162a738f9435fccd61fda4551d1f1d7b159ff971d50e2a23173

SHA512
1f3751d3ffcdfeb8f910488ce569aa3ce03a6cb71a0dcc9d01fba525a4892cbb6efa3da9813e465a199581b511669fe4de5e153320253b80d97b11701d124259

Download Submit
memory/232-139-0x0000000000000000-mapping.dmp

Download
memory/2648-135-0x0000000000000000-mapping.dmp

Download
memory/2760-141-0x0000000000000000-mapping.dmp

Download
memory/3376-138-0x0000000000000000-mapping.dmp

Download
memory/3408-140-0x0000000000000000-mapping.dmp

Download
memory/3692-137-0x0000000000000000-mapping.dmp

Download
memory/4292-136-0x0000000000000000-mapping.dmp

Download
memory/4344-132-0x0000000001000000-0x0000000001168000-memory.dmp

Filesize
1.4MB

Download
memory/4344-133-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/4344-134-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/4344-142-0x0000000001000000-0x0000000001168000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads