57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54

General

Target

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Size

328KB
MD5

05bef863589d9acccb2f7c522b4c5b00
SHA1

e318054d17d150fa7e186aaf80e6721ed3e83e21
SHA256

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54
SHA512

291a5dd278577047ae7c2755ab14129db183763ba7f646e01b0bbdb2856a00d65bd78d62404c0504169571acc6b224009b93fa898f90dabfc8d9717013b57aae
SSDEEP

6144:eyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:eCemx0vN3HKGi6sYjJLUGGtedud5tr7

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\1953c549.sys 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1784 takeown.exe
1208 icacls.exe
1988 takeown.exe
1640 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\1953c549.sys	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

pid	process
1784	takeown.exe
1208	icacls.exe
1988	takeown.exe
1640	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\1953c549\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\1953c549.sys"	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1740 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1784 takeown.exe
1208 icacls.exe
1988 takeown.exe
1640 icacls.exe

pid	process
1740	cmd.exe

pid	process
1784	takeown.exe
1208	icacls.exe
1988	takeown.exe
1640	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Drops file in System32 directory 4 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File created	C:\Windows\SysWOW64\midimap.dll	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Modifies registry class 4 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "Vsi.dll"	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe"	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

pid	process
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

pid process

464
1592 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

pid	process
464
1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Token: SeTakeOwnershipPrivilege	1784	takeown.exe
Token: SeTakeOwnershipPrivilege	1988	takeown.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.execmd.execmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 1700	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1700	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1700	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1700	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1700 wrote to memory of 1784	1700	cmd.exe	takeown.exe
PID 1700 wrote to memory of 1784	1700	cmd.exe	takeown.exe
PID 1700 wrote to memory of 1784	1700	cmd.exe	takeown.exe
PID 1700 wrote to memory of 1784	1700	cmd.exe	takeown.exe
PID 1700 wrote to memory of 1208	1700	cmd.exe	icacls.exe
PID 1700 wrote to memory of 1208	1700	cmd.exe	icacls.exe
PID 1700 wrote to memory of 1208	1700	cmd.exe	icacls.exe
PID 1700 wrote to memory of 1208	1700	cmd.exe	icacls.exe
PID 1592 wrote to memory of 1736	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1736	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1736	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1736	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1736 wrote to memory of 1988	1736	cmd.exe	takeown.exe
PID 1736 wrote to memory of 1988	1736	cmd.exe	takeown.exe
PID 1736 wrote to memory of 1988	1736	cmd.exe	takeown.exe
PID 1736 wrote to memory of 1988	1736	cmd.exe	takeown.exe
PID 1736 wrote to memory of 1640	1736	cmd.exe	icacls.exe
PID 1736 wrote to memory of 1640	1736	cmd.exe	icacls.exe
PID 1736 wrote to memory of 1640	1736	cmd.exe	icacls.exe
PID 1736 wrote to memory of 1640	1736	cmd.exe	icacls.exe
PID 1592 wrote to memory of 1740	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1740	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1740	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 1592 wrote to memory of 1740	1592	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
"C:\Users\Admin\AppData\Local\Temp\57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1640

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
- Deletes itself
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
a3ed440e3ac56eca32bcf9107d1bb4c6

SHA1
2373eb0d628a3b88ab776dd17f040e0a7203fde4

SHA256
6cfe830cdf4310cce0562f2faa7b834ca569c0b1da8dc30e25cb15c5cfb55972

SHA512
45092cbca84b098ebad5ec3811db3d0926dad4770ee952e6954e8cf0cae4a3f5e63ab083addd01f50d5585b15ccc22a8cd2887b5889dd528fb9c4a6e40ba678a

Download Submit
memory/1208-61-0x0000000000000000-mapping.dmp

Download
memory/1592-66-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/1592-55-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/1592-56-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/1592-57-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/1592-58-0x00000000002B0000-0x00000000002D0000-memory.dmp

Filesize
128KB

Download
memory/1592-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1640-64-0x0000000000000000-mapping.dmp

Download
memory/1700-59-0x0000000000000000-mapping.dmp

Download
memory/1736-62-0x0000000000000000-mapping.dmp

Download
memory/1740-65-0x0000000000000000-mapping.dmp

Download
memory/1784-60-0x0000000000000000-mapping.dmp

Download
memory/1988-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads