fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1

General

Target

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Size

328KB
MD5

14150d55a08032256b49445c6f872200
SHA1

148f1da9ea454c02c8a22e6ed304b4e1e5542b36
SHA256

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1
SHA512

b60d0b7114caec4e0d926d42fc44fa2ef68476e3c2b5e0359113b365f8e223d613c5f98c8725d26202159c66425d28cc5cbe9664ae1637eb6f503f3eab34b24e
SSDEEP

6144:5yWOeLm+tkxoGQvT+W4+HMc+MEGRQ6saHSMf3z0AzbLUG50Tpm+MmvbWdlL0d5aU:5Cemx0vN3HKGi6sYjJLUGGtedud5tr7

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\3d7e536c.sys fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1888 takeown.exe
560 icacls.exe
1616 takeown.exe
1704 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\3d7e536c.sys	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

pid	process
1888	takeown.exe
560	icacls.exe
1616	takeown.exe
1704	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\3d7e536c\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\3d7e536c.sys"	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1348 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1888 takeown.exe
560 icacls.exe
1616 takeown.exe
1704 icacls.exe

pid	process
1348	cmd.exe

pid	process
1888	takeown.exe
560	icacls.exe
1616	takeown.exe
1704	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

Drops file in System32 directory 4 IoCs

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
File created	C:\Windows\SysWOW64\midimap.dll	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

Modifies registry class 4 IoCs

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe"	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "87wJwHdJu.dll"	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

pid	process
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

pid process

460
864 fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

pid	process
460
864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
Token: SeTakeOwnershipPrivilege	1888	takeown.exe
Token: SeTakeOwnershipPrivilege	1616	takeown.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.execmd.execmd.exe

description	pid	process	target process
PID 864 wrote to memory of 1212	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1212	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1212	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1212	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 1212 wrote to memory of 1888	1212	cmd.exe	takeown.exe
PID 1212 wrote to memory of 1888	1212	cmd.exe	takeown.exe
PID 1212 wrote to memory of 1888	1212	cmd.exe	takeown.exe
PID 1212 wrote to memory of 1888	1212	cmd.exe	takeown.exe
PID 1212 wrote to memory of 560	1212	cmd.exe	icacls.exe
PID 1212 wrote to memory of 560	1212	cmd.exe	icacls.exe
PID 1212 wrote to memory of 560	1212	cmd.exe	icacls.exe
PID 1212 wrote to memory of 560	1212	cmd.exe	icacls.exe
PID 864 wrote to memory of 1072	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1072	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1072	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1072	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 1072 wrote to memory of 1616	1072	cmd.exe	takeown.exe
PID 1072 wrote to memory of 1616	1072	cmd.exe	takeown.exe
PID 1072 wrote to memory of 1616	1072	cmd.exe	takeown.exe
PID 1072 wrote to memory of 1616	1072	cmd.exe	takeown.exe
PID 1072 wrote to memory of 1704	1072	cmd.exe	icacls.exe
PID 1072 wrote to memory of 1704	1072	cmd.exe	icacls.exe
PID 1072 wrote to memory of 1704	1072	cmd.exe	icacls.exe
PID 1072 wrote to memory of 1704	1072	cmd.exe	icacls.exe
PID 864 wrote to memory of 1348	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1348	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1348	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe
PID 864 wrote to memory of 1348	864	fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe
"C:\Users\Admin\AppData\Local\Temp\fc28ac74597c6c4843a38e7acec05f6fce35d62bb8b90375a1de943965c964f1.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1704

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
- Deletes itself
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
f49cbdbdf24952b5791e540449ba0b48

SHA1
44bf35fd98c0b093e99229ff25e5560055b35bb9

SHA256
9b2fdfed74c7ad77671bcd3bda11715d0b81ff7701985c9998b0a3d39a87cc7a

SHA512
43b435082d49dafb176a8de3c0e7a8c7c41ec47b460d819d89452ab2474203cad3064a58b25696a4cc252dc5d8b25cfd4ae9d39b6793783b1a13def90ab07c8d

Download Submit
memory/560-59-0x0000000000000000-mapping.dmp

Download
memory/864-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/864-55-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/864-56-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/864-64-0x0000000001000000-0x000000000116A000-memory.dmp

Filesize
1.4MB

Download
memory/1072-60-0x0000000000000000-mapping.dmp

Download
memory/1212-57-0x0000000000000000-mapping.dmp

Download
memory/1348-63-0x0000000000000000-mapping.dmp

Download
memory/1616-61-0x0000000000000000-mapping.dmp

Download
memory/1704-62-0x0000000000000000-mapping.dmp

Download
memory/1888-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads