f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d

General

Target

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Size

834KB
MD5

e900078e22e49c49fa3feff2902cebfb
SHA1

47b9dc323ab7c917df14a1877b4a7b4ac260d9b0
SHA256

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d
SHA512

8dca4c52c3b60f41c660467fbe5189fc1de1c4e2dd6c72322a6b4ccda199261d5dcb3c2279944116e53ca33b5a9bdcdd49807cff660cabc8c831f199c36830dc
SSDEEP

24576:w3LZE7QjJrNQwhnBS9sMrbpf3IS5zUXpCyE8:wby7QFrfqCM5P87

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\1ca6cf05.sys f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

764 takeown.exe
1200 icacls.exe
1624 takeown.exe
2000 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\1ca6cf05.sys	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

pid	process
764	takeown.exe
1200	icacls.exe
1624	takeown.exe
2000	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\1ca6cf05\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\1ca6cf05.sys"	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

984 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1624 takeown.exe
2000 icacls.exe
764 takeown.exe
1200 icacls.exe

pid	process
984	cmd.exe

pid	process
1624	takeown.exe
2000	icacls.exe
764	takeown.exe
1200	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

Drops file in System32 directory 4 IoCs

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
File created	C:\Windows\SysWOW64\midimap.dll	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

Modifies registry class 4 IoCs

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe"	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "syDa.dll"	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

pid	process
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

pid process

464
1352 f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

pid	process
464
1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
Token: SeTakeOwnershipPrivilege	764	takeown.exe
Token: SeTakeOwnershipPrivilege	1624	takeown.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.execmd.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 108	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 108	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 108	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 108	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 108 wrote to memory of 764	108	cmd.exe	takeown.exe
PID 108 wrote to memory of 764	108	cmd.exe	takeown.exe
PID 108 wrote to memory of 764	108	cmd.exe	takeown.exe
PID 108 wrote to memory of 764	108	cmd.exe	takeown.exe
PID 108 wrote to memory of 1200	108	cmd.exe	icacls.exe
PID 108 wrote to memory of 1200	108	cmd.exe	icacls.exe
PID 108 wrote to memory of 1200	108	cmd.exe	icacls.exe
PID 108 wrote to memory of 1200	108	cmd.exe	icacls.exe
PID 1352 wrote to memory of 824	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 824	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 824	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 824	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 824 wrote to memory of 1624	824	cmd.exe	takeown.exe
PID 824 wrote to memory of 1624	824	cmd.exe	takeown.exe
PID 824 wrote to memory of 1624	824	cmd.exe	takeown.exe
PID 824 wrote to memory of 1624	824	cmd.exe	takeown.exe
PID 824 wrote to memory of 2000	824	cmd.exe	icacls.exe
PID 824 wrote to memory of 2000	824	cmd.exe	icacls.exe
PID 824 wrote to memory of 2000	824	cmd.exe	icacls.exe
PID 824 wrote to memory of 2000	824	cmd.exe	icacls.exe
PID 1352 wrote to memory of 984	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 984	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 984	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe
PID 1352 wrote to memory of 984	1352	f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe
"C:\Users\Admin\AppData\Local\Temp\f970c4c1736ba1245d59eaee85cf46f1b17850ed325899bc37c7e289e53b440d.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2000

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
- Deletes itself
PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat

Filesize
181B

MD5
c17945cb36fdd1682863c91cc6d6aa04

SHA1
d0ca8de2500ca63f2580f168f5d78879931da6e8

SHA256
bd7269cedf6d448d4a7042c07f599e42f3ddc7cf4f0b63793694cfa8cc2df23a

SHA512
59e10b0bbdc55da704cfb0fe9d7685184a2f6e8e0dc0291f98eaa55a9b3305dd6629776574fa2ce70c0a1026d717b7e18a2f04063801b42110ddcc8adbb4a4bf

Download Submit
memory/108-59-0x0000000000000000-mapping.dmp

Download
memory/764-60-0x0000000000000000-mapping.dmp

Download
memory/824-62-0x0000000000000000-mapping.dmp

Download
memory/984-65-0x0000000000000000-mapping.dmp

Download
memory/1200-61-0x0000000000000000-mapping.dmp

Download
memory/1352-57-0x0000000001000000-0x0000000001C36000-memory.dmp

Filesize
12.2MB

Download
memory/1352-58-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/1352-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1352-56-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/1352-55-0x0000000001000000-0x0000000001C36000-memory.dmp

Filesize
12.2MB

Download
memory/1352-67-0x0000000001000000-0x0000000001C36000-memory.dmp

Filesize
12.2MB

Download
memory/1624-63-0x0000000000000000-mapping.dmp

Download
memory/2000-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads