9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010

Analysis

max time kernel
181s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Size

7.3MB
MD5

143c15a2ba9c22ae8921c9f1fb8ce6e9
SHA1

4fe8ef861ed7db94a31055925c360c4df867b67b
SHA256

9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010
SHA512

9db1c7bbf30d187e7d392136e4f5042dedcace03a6cf9c8831d35c4bcf5eb390bb6620393d1d6f7440b589c8d8e9b3308ec80c749f11c46736ed6869a0efda7a
SSDEEP

196608:jpH+uOPAWzLCZ6pxqWKZUNe0HaOUTIl1sYzZ:dkAAYMxqiNfuAsS

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

e57aa69.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\272a847b.sys e57aa69.exe
File created C:\Windows\SysWOW64\drivers\5b81b1fd.sys e57aa69.exe
Executes dropped EXE 4 IoCs

Processes:

e57a613.tmp9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exee57aa69.exeLottoSearch.exe

pid process

308 e57a613.tmp
3892 9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
4196 e57aa69.exe
2440 LottoSearch.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

3572 takeown.exe
916 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\272a847b.sys	e57aa69.exe
File created	C:\Windows\SysWOW64\drivers\5b81b1fd.sys	e57aa69.exe

pid	process
308	e57a613.tmp
3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
4196	e57aa69.exe
2440	LottoSearch.exe

pid	process
3572	takeown.exe
916	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e57aa69.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\272a847b\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\272a847b.sys"	e57aa69.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\5b81b1fd\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\5b81b1fd.sys"	e57aa69.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\e57aa69.exe	upx
C:\Users\Admin\AppData\Local\Temp\e57aa69.exe	upx
behavioral2/memory/4196-143-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/4196-151-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/4196-162-0x0000000001000000-0x000000000112D000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe

pid	process
3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

3572 takeown.exe
916 icacls.exe

pid	process
3572	takeown.exe
916	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

e57aa69.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	e57aa69.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	e57aa69.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	e57aa69.exe

Drops file in System32 directory 7 IoCs

Processes:

e57aa69.exe9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe

description	ioc	process
File created	C:\Windows\SysWOW64\goodsb.dll	e57aa69.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	e57aa69.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	e57aa69.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	e57aa69.exe
File created	C:\Windows\SysWOW64\ieframe.dll	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Windows\SysWOW64\FPSPR70.ocx	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File opened for modification	C:\Windows\SysWOW64\goodsb.dll	e57aa69.exe

Drops file in Program Files directory 9 IoCs

Processes:

9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\JJANGLotto\JJANGLotto.url	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Program Files (x86)\JJANGLotto\Lotto.exe	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Program Files (x86)\JJANGLotto\Lotto.INI	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Program Files (x86)\JJANGLotto\LottoAD.INI	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Program Files (x86)\JJANGLotto\img\NoticeBg.png	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Program Files (x86)\JJANGLotto\LottoSearch.exe	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Program Files (x86)\JJANGLotto\img\Bottom.png	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Program Files (x86)\JJANGLotto\img\Check.png	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
File created	C:\Program Files (x86)\JJANGLotto\img\Uncheck.png	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	nsis_installer_2

Modifies registry class 64 IoCs

Processes:

9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exee57aa69.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69310C25-4993-11D1-8905-0020AF131A57}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FPSpreadADO.fpSpread.5\CLSID	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7114683A-020D-4D16-80FD-6ACE384B66DF}\MiscStatus\ = "0"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69310C27-4993-11D1-8905-0020AF131A57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71146842-020D-4D16-80FD-6ACE384B66DF}\ = "_DSpreadPreviewEvents"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7114683A-020D-4D16-80FD-6ACE384B66DF}\ProgID\ = "FPSpreadADO.fpSpread.5"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146842-020D-4D16-80FD-6ACE384B66DF}\TypeLib\ = "{F856EC8B-F03C-4515-BDC6-64CBD617566A}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\Version	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69310C25-4993-11D1-8905-0020AF131A57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69310C27-4993-11D1-8905-0020AF131A57}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146832-020D-4D16-80FD-6ACE384B66DF}\TypeLib\Version = "7.0"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7114683E-020D-4D16-80FD-6ACE384B66DF}\TypeLib\ = "{F856EC8B-F03C-4515-BDC6-64CBD617566A}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7114683A-020D-4D16-80FD-6ACE384B66DF}\InprocServer32\ = "C:\\Windows\\SysWow64\\FPSPR70.ocx"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7114683A-020D-4D16-80FD-6ACE384B66DF}\MiscStatus\1\ = "131473"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\Implemented Categories	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F856EC8B-F03C-4515-BDC6-64CBD617566A}\7.0\0\win32\ = "C:\\Windows\\SysWow64\\FPSPR70.ocx"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146832-020D-4D16-80FD-6ACE384B66DF}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146836-020D-4D16-80FD-6ACE384B66DF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7114683E-020D-4D16-80FD-6ACE384B66DF}\TypeLib\Version = "7.0"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\Version\ = "7.0"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69310C25-4993-11D1-8905-0020AF131A57}\ = "IfpDataObjectFiles"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69310C25-4993-11D1-8905-0020AF131A57}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7114683E-020D-4D16-80FD-6ACE384B66DF}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146842-020D-4D16-80FD-6ACE384B66DF}\TypeLib\Version = "7.0"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\MiscStatus\ = "0"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69310C27-4993-11D1-8905-0020AF131A57}	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69310C27-4993-11D1-8905-0020AF131A57}\ProxyStubClsid32	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71146836-020D-4D16-80FD-6ACE384B66DF}\TypeLib\Version = "7.0"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7114683A-020D-4D16-80FD-6ACE384B66DF}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\FPSPR70.ocx, 1"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146836-020D-4D16-80FD-6ACE384B66DF}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146842-020D-4D16-80FD-6ACE384B66DF}	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7114683A-020D-4D16-80FD-6ACE384B66DF}\ToolboxBitmap32	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PVADO.PvCtrl.4\CLSID\ = "{71146846-020D-4D16-80FD-6ACE384B66DF}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "iY2.dll"	e57aa69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71146832-020D-4D16-80FD-6ACE384B66DF}\ = "_DSpreadSheet"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71146832-020D-4D16-80FD-6ACE384B66DF}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71146842-020D-4D16-80FD-6ACE384B66DF}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PVADO.PvCtrl.4\CLSID	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146842-020D-4D16-80FD-6ACE384B66DF}\ProxyStubClsid32	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69310C25-4993-11D1-8905-0020AF131A57}\ = "IfpDataObjectFiles"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69310C25-4993-11D1-8905-0020AF131A57}\ProxyStubClsid32	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146832-020D-4D16-80FD-6ACE384B66DF}	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7114683E-020D-4D16-80FD-6ACE384B66DF}\ProxyStubClsid32	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71146836-020D-4D16-80FD-6ACE384B66DF}\ = "_DSpreadEvents"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7114683E-020D-4D16-80FD-6ACE384B66DF}\ProxyStubClsid32	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FPSpreadADO.fpSpread.5	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\ = "FarPoint Spread Preview 7.0 (OLEDB)"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146842-020D-4D16-80FD-6ACE384B66DF}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\InprocServer32	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\MiscStatus\1	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71146836-020D-4D16-80FD-6ACE384B66DF}\TypeLib\ = "{F856EC8B-F03C-4515-BDC6-64CBD617566A}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71146846-020D-4D16-80FD-6ACE384B66DF}\InprocServer32\ThreadingModel = "Apartment"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69310C25-4993-11D1-8905-0020AF131A57}\TypeLib\Version = "7.0"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{69310C27-4993-11D1-8905-0020AF131A57}\ProxyStubClsid32	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71146836-020D-4D16-80FD-6ACE384B66DF}	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PVADO.PvCtrl.4\ = "FarPoint Spread Preview 7.0 (OLEDB)"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69310C25-4993-11D1-8905-0020AF131A57}	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FPSpreadADO.fpSpread.5\CLSID\ = "{7114683A-020D-4D16-80FD-6ACE384B66DF}"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7114683A-020D-4D16-80FD-6ACE384B66DF}\InprocServer32\ThreadingModel = "Apartment"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F856EC8B-F03C-4515-BDC6-64CBD617566A}\7.0\FLAGS\ = "2"	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{69310C27-4993-11D1-8905-0020AF131A57}\TypeLib	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e57aa69.exe

pid	process
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe
4196	e57aa69.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

e57aa69.exe

pid process

660
4196 e57aa69.exe
660
4196 e57aa69.exe
4196 e57aa69.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e57aa69.exetakeown.exe

description pid process

Token: SeDebugPrivilege 4196 e57aa69.exe
Token: SeTakeOwnershipPrivilege 3572 takeown.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LottoSearch.exe

pid process

2440 LottoSearch.exe

pid	process
660
4196	e57aa69.exe
660
4196	e57aa69.exe
4196	e57aa69.exe

description	pid	process
Token: SeDebugPrivilege	4196	e57aa69.exe
Token: SeTakeOwnershipPrivilege	3572	takeown.exe

pid	process
2440	LottoSearch.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exee57a613.tmp9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exee57aa69.execmd.exe

description	pid	process	target process
PID 3084 wrote to memory of 308	3084	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	e57a613.tmp
PID 3084 wrote to memory of 308	3084	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	e57a613.tmp
PID 3084 wrote to memory of 308	3084	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	e57a613.tmp
PID 308 wrote to memory of 3892	308	e57a613.tmp	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
PID 308 wrote to memory of 3892	308	e57a613.tmp	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
PID 308 wrote to memory of 3892	308	e57a613.tmp	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
PID 308 wrote to memory of 4196	308	e57a613.tmp	e57aa69.exe
PID 308 wrote to memory of 4196	308	e57a613.tmp	e57aa69.exe
PID 308 wrote to memory of 4196	308	e57a613.tmp	e57aa69.exe
PID 3892 wrote to memory of 2440	3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	LottoSearch.exe
PID 3892 wrote to memory of 2440	3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	LottoSearch.exe
PID 3892 wrote to memory of 2440	3892	9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe	LottoSearch.exe
PID 4196 wrote to memory of 1528	4196	e57aa69.exe	cmd.exe
PID 4196 wrote to memory of 1528	4196	e57aa69.exe	cmd.exe
PID 4196 wrote to memory of 1528	4196	e57aa69.exe	cmd.exe
PID 1528 wrote to memory of 3572	1528	cmd.exe	takeown.exe
PID 1528 wrote to memory of 3572	1528	cmd.exe	takeown.exe
PID 1528 wrote to memory of 3572	1528	cmd.exe	takeown.exe
PID 1528 wrote to memory of 916	1528	cmd.exe	icacls.exe
PID 1528 wrote to memory of 916	1528	cmd.exe	icacls.exe
PID 1528 wrote to memory of 916	1528	cmd.exe	icacls.exe
PID 4196 wrote to memory of 988	4196	e57aa69.exe	cmd.exe
PID 4196 wrote to memory of 988	4196	e57aa69.exe	cmd.exe
PID 4196 wrote to memory of 988	4196	e57aa69.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
"C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\e57a613.tmp
>C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
"C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3892

C:\Program Files (x86)\JJANGLotto\LottoSearch.exe
"C:\Program Files (x86)\JJANGLotto\LottoSearch.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Users\Admin\AppData\Local\Temp\e57aa69.exe
"C:\Users\Admin\AppData\Local\Temp\\e57aa69.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
4⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
4⤵
PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\JJANGLotto\LottoSearch.exe
Filesize
3.2MB

MD5
cf9f1e7e5df3cc8fdbe2add41c26736c

SHA1
f8c0336dc5ab24804f4de20bcde13392d906d5c2

SHA256
debd55c457db511df5df5eff35f90a3863e885ba738296c943c4cc73e9b32fd3

SHA512
ec471dcaf3bda711a5ea4f00491f428801caf3669826813d4451221d7a3bec244463b483dfac2b6377160f760eebb7cf3e6cd2f4786ca292f1ad51f892b2b56f

Download Submit
C:\Program Files (x86)\JJANGLotto\LottoSearch.exe
Filesize
3.2MB

MD5
cf9f1e7e5df3cc8fdbe2add41c26736c

SHA1
f8c0336dc5ab24804f4de20bcde13392d906d5c2

SHA256
debd55c457db511df5df5eff35f90a3863e885ba738296c943c4cc73e9b32fd3

SHA512
ec471dcaf3bda711a5ea4f00491f428801caf3669826813d4451221d7a3bec244463b483dfac2b6377160f760eebb7cf3e6cd2f4786ca292f1ad51f892b2b56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Filesize
7.0MB

MD5
bcf2116dae5024d8690493993b70a99f

SHA1
0b7cdafc7e3bea0f4732ee931fe447d528c9a2d5

SHA256
1eb896a6678c6c56817514c71b31d709fb96cb9a391ac1aa5fcfd0ae93ec0b0f

SHA512
8bcf914eec641c27348058dff71030238e04207bf9063311df36c59329a2cb89ad9360dfab9aed36e2a861ad0d0ce6e7bb52ef4f52531d29a2340c29d3dc35d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010.exe
Filesize
7.0MB

MD5
bcf2116dae5024d8690493993b70a99f

SHA1
0b7cdafc7e3bea0f4732ee931fe447d528c9a2d5

SHA256
1eb896a6678c6c56817514c71b31d709fb96cb9a391ac1aa5fcfd0ae93ec0b0f

SHA512
8bcf914eec641c27348058dff71030238e04207bf9063311df36c59329a2cb89ad9360dfab9aed36e2a861ad0d0ce6e7bb52ef4f52531d29a2340c29d3dc35d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
179B

MD5
a95f5209da3a60bc1601606adab8915b

SHA1
b224f6c1215d9611c8d3e69bac2539bcfe0aeb17

SHA256
e3265a9334828025dcf9a00ad773c4955d15ff29bf09e81b8352a6743233630c

SHA512
f26375f2b8947480ae377e1a28d3487105812af496736e5b8b52345e5af1423a1b635792f64c97f981e7b7d287cda3341fc72c15f94bd0f69913c27017f1305e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57a613.tmp
Filesize
7.3MB

MD5
143c15a2ba9c22ae8921c9f1fb8ce6e9

SHA1
4fe8ef861ed7db94a31055925c360c4df867b67b

SHA256
9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010

SHA512
9db1c7bbf30d187e7d392136e4f5042dedcace03a6cf9c8831d35c4bcf5eb390bb6620393d1d6f7440b589c8d8e9b3308ec80c749f11c46736ed6869a0efda7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57a613.tmp
Filesize
7.3MB

MD5
143c15a2ba9c22ae8921c9f1fb8ce6e9

SHA1
4fe8ef861ed7db94a31055925c360c4df867b67b

SHA256
9ac3f7e41a12dd37a397dc3579d049d57cb107c4d9620790d1dd9423db887010

SHA512
9db1c7bbf30d187e7d392136e4f5042dedcace03a6cf9c8831d35c4bcf5eb390bb6620393d1d6f7440b589c8d8e9b3308ec80c749f11c46736ed6869a0efda7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57aa69.exe
Filesize
350KB

MD5
f9f57cc505e389cb3fc332178c366aec

SHA1
a38ce6dcfc62938ba4af6e3e15f73e88e16e351a

SHA256
66e76cf64179c6eb51815ddc68ec13bd66502fe150dbbe08e9d44564d647195e

SHA512
67e50e9a8c78d80d18154e2e41151c868e8c4f5c2ab2143287ec3847c7b8677a7d5e7ed50e2052e339bc40ef405c97ac646559769e2a4bd956df8bf86912172d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e57aa69.exe
Filesize
350KB

MD5
f9f57cc505e389cb3fc332178c366aec

SHA1
a38ce6dcfc62938ba4af6e3e15f73e88e16e351a

SHA256
66e76cf64179c6eb51815ddc68ec13bd66502fe150dbbe08e9d44564d647195e

SHA512
67e50e9a8c78d80d18154e2e41151c868e8c4f5c2ab2143287ec3847c7b8677a7d5e7ed50e2052e339bc40ef405c97ac646559769e2a4bd956df8bf86912172d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB91F.tmp\KillProcDLL.dll
Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB91F.tmp\KillProcDLL.dll
Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB91F.tmp\KillProcDLL.dll
Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuB91F.tmp\KillProcDLL.dll
Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Windows\SysWOW64\FPSPR70.ocx
Filesize
1.3MB

MD5
26c857ff23c3ce707b0ee408add08c96

SHA1
4fc3eaf37ae77802576c980fb5bd24b26db2edeb

SHA256
d9d1a8343a984668a7f858a72e560d7ebcc3eba868eac4e4ad80e9ac6e4e75b3

SHA512
a51f6cf0a911e6a0df5189c0c6f52a5d4fa2c4b52ea3dafed15c2013c969358258ef386d860cb8352f29dfd874ed5c8618daaacf7397c01a27b31e87e18d872a

Download Submit
memory/308-133-0x0000000000000000-mapping.dmp

Download
memory/308-142-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/916-160-0x0000000000000000-mapping.dmp

Download
memory/988-161-0x0000000000000000-mapping.dmp

Download
memory/1528-158-0x0000000000000000-mapping.dmp

Download
memory/2440-153-0x0000000000000000-mapping.dmp

Download
memory/3084-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3084-132-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3572-159-0x0000000000000000-mapping.dmp

Download
memory/3892-147-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/3892-137-0x0000000000000000-mapping.dmp

Download
memory/3892-148-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/4196-151-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4196-143-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4196-162-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4196-139-0x0000000000000000-mapping.dmp

Download