aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f

General

Target

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Size

350KB
MD5

4768d8eb4aefce2d20702b267b90a2e0
SHA1

5c38fd6af5c6daf07c97691744d6651094bbccbd
SHA256

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f
SHA512

14175b4a7fd7fba1da669e924e9499b82c2c84c98f01f4d8095a73ce584d47f292aad3e64e6ccd2d230e9fb3b9b68604f46eda700c17fad7923c3c7276d26fcc
SSDEEP

6144:YyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:Y3BdQLL4BE93NGVYZX9BukJlwxSJdEm

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\0362103f.sys	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
File created	C:\Windows\SysWOW64\drivers\7fc925b9.sys	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1484 takeown.exe
1992 icacls.exe

pid	process
1484	takeown.exe
1992	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\0362103f\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\0362103f.sys"	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\7fc925b9\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\7fc925b9.sys"	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5008-132-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/5008-133-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/5008-138-0x0000000001000000-0x000000000112D000-memory.dmp	upx

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1484 takeown.exe
1992 icacls.exe

pid	process
1484	takeown.exe
1992	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

Drops file in System32 directory 5 IoCs

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\goodsb.dll	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
File created	C:\Windows\SysWOW64\goodsb.dll	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

Modifies registry class 4 IoCs

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe"	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "qsadwaq.dll"	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

pid	process
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

pid	process
656
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
656
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
Token: SeTakeOwnershipPrivilege	1484	takeown.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.execmd.exe

description	pid	process	target process
PID 5008 wrote to memory of 764	5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe	cmd.exe
PID 5008 wrote to memory of 764	5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe	cmd.exe
PID 5008 wrote to memory of 764	5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe	cmd.exe
PID 764 wrote to memory of 1484	764	cmd.exe	takeown.exe
PID 764 wrote to memory of 1484	764	cmd.exe	takeown.exe
PID 764 wrote to memory of 1484	764	cmd.exe	takeown.exe
PID 764 wrote to memory of 1992	764	cmd.exe	icacls.exe
PID 764 wrote to memory of 1992	764	cmd.exe	icacls.exe
PID 764 wrote to memory of 1992	764	cmd.exe	icacls.exe
PID 5008 wrote to memory of 2696	5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe	cmd.exe
PID 5008 wrote to memory of 2696	5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe	cmd.exe
PID 5008 wrote to memory of 2696	5008	aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe
"C:\Users\Admin\AppData\Local\Temp\aa38656b625da5f0b4a0244cd1a778752d363eb05a251cbcb7c116631483805f.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:2696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
8047b8c153bd5cbf722d165423c140fb

SHA1
b730b1bf09af0ea6916f6733500d44429e627efe

SHA256
253a85ca707288d2db23cc377a1ae43f299c288a3b51e04e3df23e519251a5e9

SHA512
1e2babdcc9ebd1231801a084ab262b19bfb699896d1f8fc5e819dc1452e7e88bcc2db7a6f1d1f57bc212a0d79acca6171dd0020fd1bf855d5037524ed8428b9b

Download Submit
memory/764-134-0x0000000000000000-mapping.dmp

Download
memory/1484-135-0x0000000000000000-mapping.dmp

Download
memory/1992-136-0x0000000000000000-mapping.dmp

Download
memory/2696-137-0x0000000000000000-mapping.dmp

Download
memory/5008-132-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/5008-133-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/5008-138-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads