57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54

General

Target

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Size

328KB
MD5

05bef863589d9acccb2f7c522b4c5b00
SHA1

e318054d17d150fa7e186aaf80e6721ed3e83e21
SHA256

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54
SHA512

291a5dd278577047ae7c2755ab14129db183763ba7f646e01b0bbdb2856a00d65bd78d62404c0504169571acc6b224009b93fa898f90dabfc8d9717013b57aae
SSDEEP

6144:eyWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:eCemx0vN3HKGi6sYjJLUGGtedud5tr7

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\1be4553f.sys 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

820 takeown.exe
3348 icacls.exe
336 takeown.exe
1920 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\1be4553f.sys	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

pid	process
820	takeown.exe
3348	icacls.exe
336	takeown.exe
1920	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\1be4553f\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\1be4553f.sys"	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

3348 icacls.exe
336 takeown.exe
1920 icacls.exe
820 takeown.exe

pid	process
3348	icacls.exe
336	takeown.exe
1920	icacls.exe
820	takeown.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Drops file in System32 directory 4 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
File created	C:\Windows\SysWOW64\midimap.dll	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Modifies registry class 4 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe"	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "HHR9Isr7eb.dll"	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

pid	process
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

pid process

644
4944 57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

pid	process
644
4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
Token: SeTakeOwnershipPrivilege	336	takeown.exe
Token: SeTakeOwnershipPrivilege	820	takeown.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.execmd.execmd.exe

description	pid	process	target process
PID 4944 wrote to memory of 4532	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 4944 wrote to memory of 4532	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 4944 wrote to memory of 4532	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 4532 wrote to memory of 336	4532	cmd.exe	takeown.exe
PID 4532 wrote to memory of 336	4532	cmd.exe	takeown.exe
PID 4532 wrote to memory of 336	4532	cmd.exe	takeown.exe
PID 4532 wrote to memory of 1920	4532	cmd.exe	icacls.exe
PID 4532 wrote to memory of 1920	4532	cmd.exe	icacls.exe
PID 4532 wrote to memory of 1920	4532	cmd.exe	icacls.exe
PID 4944 wrote to memory of 544	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 4944 wrote to memory of 544	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 4944 wrote to memory of 544	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 544 wrote to memory of 820	544	cmd.exe	takeown.exe
PID 544 wrote to memory of 820	544	cmd.exe	takeown.exe
PID 544 wrote to memory of 820	544	cmd.exe	takeown.exe
PID 544 wrote to memory of 3348	544	cmd.exe	icacls.exe
PID 544 wrote to memory of 3348	544	cmd.exe	icacls.exe
PID 544 wrote to memory of 3348	544	cmd.exe	icacls.exe
PID 4944 wrote to memory of 3848	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 4944 wrote to memory of 3848	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe
PID 4944 wrote to memory of 3848	4944	57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe
"C:\Users\Admin\AppData\Local\Temp\57221a2e2f10d70b624d82a1c1b4aeeee188f885e694c972a1e361b932306c54.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:3848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
a3ed440e3ac56eca32bcf9107d1bb4c6

SHA1
2373eb0d628a3b88ab776dd17f040e0a7203fde4

SHA256
6cfe830cdf4310cce0562f2faa7b834ca569c0b1da8dc30e25cb15c5cfb55972

SHA512
45092cbca84b098ebad5ec3811db3d0926dad4770ee952e6954e8cf0cae4a3f5e63ab083addd01f50d5585b15ccc22a8cd2887b5889dd528fb9c4a6e40ba678a

Download Submit
memory/336-137-0x0000000000000000-mapping.dmp

Download
memory/544-139-0x0000000000000000-mapping.dmp

Download
memory/820-140-0x0000000000000000-mapping.dmp

Download
memory/1920-138-0x0000000000000000-mapping.dmp

Download
memory/3348-141-0x0000000000000000-mapping.dmp

Download
memory/3848-142-0x0000000000000000-mapping.dmp

Download
memory/4532-136-0x0000000000000000-mapping.dmp

Download
memory/4944-135-0x00000000004C0000-0x00000000004E0000-memory.dmp

Filesize
128KB

Download
memory/4944-134-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/4944-132-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/4944-143-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/4944-133-0x00000000004C0000-0x00000000004E0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads