9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe

General

Target

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Size

328KB
MD5

06d4adf44202aac77777f20847ab1080
SHA1

6adb5f2dc258bef543668571d1009a773ebceaba
SHA256

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe
SHA512

d37481b2517480ff3b2317ee24fd55cbb2aa584121a15cb4a19525e9977195facabb6942cd6599807afea16e1bff36826302cb01e5e8e51f8bff532c1e08c5ec
SSDEEP

6144:QyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:QCemx0vN3HKGi6sYjJLUGGtedud5tr7

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\75ab7f4a.sys 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2256 takeown.exe
4880 icacls.exe
3064 takeown.exe
4440 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\75ab7f4a.sys	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

pid	process
2256	takeown.exe
4880	icacls.exe
3064	takeown.exe
4440	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\75ab7f4a\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\75ab7f4a.sys"	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4880 icacls.exe
3064 takeown.exe
4440 icacls.exe
2256 takeown.exe

pid	process
4880	icacls.exe
3064	takeown.exe
4440	icacls.exe
2256	takeown.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

Drops file in System32 directory 4 IoCs

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
File created	C:\Windows\SysWOW64\midimap.dll	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

Modifies registry class 4 IoCs

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "iBH.dll"	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe"	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

pid	process
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

pid process

656
3356 9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

pid	process
656
3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
Token: SeTakeOwnershipPrivilege	2256	takeown.exe
Token: SeTakeOwnershipPrivilege	3064	takeown.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.execmd.execmd.exe

description	pid	process	target process
PID 3356 wrote to memory of 3340	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe
PID 3356 wrote to memory of 3340	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe
PID 3356 wrote to memory of 3340	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe
PID 3340 wrote to memory of 2256	3340	cmd.exe	takeown.exe
PID 3340 wrote to memory of 2256	3340	cmd.exe	takeown.exe
PID 3340 wrote to memory of 2256	3340	cmd.exe	takeown.exe
PID 3340 wrote to memory of 4880	3340	cmd.exe	icacls.exe
PID 3340 wrote to memory of 4880	3340	cmd.exe	icacls.exe
PID 3340 wrote to memory of 4880	3340	cmd.exe	icacls.exe
PID 3356 wrote to memory of 3476	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe
PID 3356 wrote to memory of 3476	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe
PID 3356 wrote to memory of 3476	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe
PID 3476 wrote to memory of 3064	3476	cmd.exe	takeown.exe
PID 3476 wrote to memory of 3064	3476	cmd.exe	takeown.exe
PID 3476 wrote to memory of 3064	3476	cmd.exe	takeown.exe
PID 3476 wrote to memory of 4440	3476	cmd.exe	icacls.exe
PID 3476 wrote to memory of 4440	3476	cmd.exe	icacls.exe
PID 3476 wrote to memory of 4440	3476	cmd.exe	icacls.exe
PID 3356 wrote to memory of 1924	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe
PID 3356 wrote to memory of 1924	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe
PID 3356 wrote to memory of 1924	3356	9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe
"C:\Users\Admin\AppData\Local\Temp\9c3ca058b0118a94ac81255f59d10a263e036976f3c9ae187011b41c03b2b9fe.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4880

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:1924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
55e5d590eb876b0dc367f8553b9f005a

SHA1
f5522c5195dcb4f98226a1464ee7c44d83a75b17

SHA256
a0e47b324ce32ff4e6933418bfd914c4238168a5037b72b6e2eb74d6fbe6740a

SHA512
763ea0073d0db84c0d76336b7c05f8f90411a5782f2b066bacd13cb2c9085147310a77e900807c7ddcdeea6cc4ab6ee5099471edb21bc1e802e8f2a64693a3e9

Download Submit
memory/1924-142-0x0000000000000000-mapping.dmp

Download
memory/2256-137-0x0000000000000000-mapping.dmp

Download
memory/3064-140-0x0000000000000000-mapping.dmp

Download
memory/3340-136-0x0000000000000000-mapping.dmp

Download
memory/3356-143-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/3356-133-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/3356-134-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/3356-135-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/3356-132-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/3476-139-0x0000000000000000-mapping.dmp

Download
memory/4440-141-0x0000000000000000-mapping.dmp

Download
memory/4880-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads