23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a

General

Target

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Size

350KB
MD5

6ad13c8ceae3c41e26ef06a6e8ad6b10
SHA1

c560c593fe899a35257ada608ef1973fdeb03d63
SHA256

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a
SHA512

384f3634c341c33470c060e93913c89132cfb2ff41c70a53e5b3cdf7a384458fecd5ae2624b187e0dd2c9635155c9cd963aa8168f76ab4d5545f71f98df86a4e
SSDEEP

6144:TyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:T3BdQLL4BE93NGVYZX9BukJlwxSJdEm

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\2579fe82.sys	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
File created	C:\Windows\SysWOW64\drivers\59d2cb04.sys	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4884 takeown.exe
4164 icacls.exe

pid	process
4884	takeown.exe
4164	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\2579fe82\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\2579fe82.sys"	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\59d2cb04\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\59d2cb04.sys"	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5060-132-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/5060-133-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/5060-138-0x0000000001000000-0x000000000112D000-memory.dmp	upx

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

4164 icacls.exe
4884 takeown.exe

pid	process
4164	icacls.exe
4884	takeown.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

Drops file in System32 directory 5 IoCs

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\goodsb.dll	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
File opened for modification	C:\Windows\SysWOW64\goodsb.dll	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

Modifies registry class 4 IoCs

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe"	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "uu7weABue.dll"	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

pid	process
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

pid	process
660
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
660
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
Token: SeTakeOwnershipPrivilege	4884	takeown.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.execmd.exe

description	pid	process	target process
PID 5060 wrote to memory of 4144	5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe	cmd.exe
PID 5060 wrote to memory of 4144	5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe	cmd.exe
PID 5060 wrote to memory of 4144	5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe	cmd.exe
PID 4144 wrote to memory of 4884	4144	cmd.exe	takeown.exe
PID 4144 wrote to memory of 4884	4144	cmd.exe	takeown.exe
PID 4144 wrote to memory of 4884	4144	cmd.exe	takeown.exe
PID 4144 wrote to memory of 4164	4144	cmd.exe	icacls.exe
PID 4144 wrote to memory of 4164	4144	cmd.exe	icacls.exe
PID 4144 wrote to memory of 4164	4144	cmd.exe	icacls.exe
PID 5060 wrote to memory of 1688	5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe	cmd.exe
PID 5060 wrote to memory of 1688	5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe	cmd.exe
PID 5060 wrote to memory of 1688	5060	23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe
"C:\Users\Admin\AppData\Local\Temp\23037ce9d0d0c993c9dc66adeff4d53b5aa8038f1eae1c1a596ccb87e870e28a.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
d60c6bc7ea955253d79136a5b44e9591

SHA1
a818609f9f0f7881abfb52b0be529c6c6a50ebb9

SHA256
24f820e4f0e9e050de0845a76c5c299953c55391b183ea7e801b500ff7c2a9c1

SHA512
0162866a56033b07075a2126168e9b0f0935c1f2d9552209daa4352f73ac89c92a8e690e79a37a2e430dd53c4bbcdcb169cca89fb03597611854972785bbc3d7

Download Submit
memory/1688-137-0x0000000000000000-mapping.dmp

Download
memory/4144-134-0x0000000000000000-mapping.dmp

Download
memory/4164-136-0x0000000000000000-mapping.dmp

Download
memory/4884-135-0x0000000000000000-mapping.dmp

Download
memory/5060-132-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/5060-133-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/5060-138-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads