c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe

General

Target

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
Size

350KB
MD5

5dc0752eed15944b6f04a6d938185290
SHA1

876bed93f6ffc09a528b3a285397d1bd93069766
SHA256

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe
SHA512

a58a9a454d6fa80cc872c088d6e9cbfbd06b9b71c4a90732f2be68cc766571279e59e7fa7ddc1a8cb7099f68e763f3fa188839bcc8e3308b74ad8212f418dcdf
SSDEEP

6144:9yXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:93BdQLL4BE93NGVYZX9BukJlwxSJdEm

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\5f390387.sys	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
File created	C:\Windows\SysWOW64\drivers\23923601.sys	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4992 takeown.exe
4268 icacls.exe

pid	process
4992	takeown.exe
4268	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\5f390387\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\5f390387.sys"	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\23923601\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\23923601.sys"	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4936-132-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/4936-133-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/4936-138-0x0000000001000000-0x000000000112D000-memory.dmp	upx

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4992 takeown.exe
4268 icacls.exe

pid	process
4992	takeown.exe
4268	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

Drops file in System32 directory 5 IoCs

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\goodsb.dll	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
File created	C:\Windows\SysWOW64\goodsb.dll	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

Modifies registry class 4 IoCs

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe"	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "fUrJJafd.dll"	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

pid	process
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

pid	process
648
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
648
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
Token: SeTakeOwnershipPrivilege	4992	takeown.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.execmd.exe

description	pid	process	target process
PID 4936 wrote to memory of 1292	4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe	cmd.exe
PID 4936 wrote to memory of 1292	4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe	cmd.exe
PID 4936 wrote to memory of 1292	4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe	cmd.exe
PID 1292 wrote to memory of 4992	1292	cmd.exe	takeown.exe
PID 1292 wrote to memory of 4992	1292	cmd.exe	takeown.exe
PID 1292 wrote to memory of 4992	1292	cmd.exe	takeown.exe
PID 1292 wrote to memory of 4268	1292	cmd.exe	icacls.exe
PID 1292 wrote to memory of 4268	1292	cmd.exe	icacls.exe
PID 1292 wrote to memory of 4268	1292	cmd.exe	icacls.exe
PID 4936 wrote to memory of 4644	4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe	cmd.exe
PID 4936 wrote to memory of 4644	4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe	cmd.exe
PID 4936 wrote to memory of 4644	4936	c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe
"C:\Users\Admin\AppData\Local\Temp\c8dae713cd544c598e60c602290ee65b0eb92c9d02c01e8d2c78f9197cb75fbe.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
b7e131ce6db5d08d69fb167a67d741a7

SHA1
2103b8d38cd3c6e4d5158cb653b4cedbd2223238

SHA256
0eb9c8c2c39ad4d7699c22cdb67e81724bf7ec8edcbfd5260454af187bb1545a

SHA512
963a8d2d935ffc0d6a497c9ed44f5dc158ddc0edcefc4d9e97548c0e103b787bed0fa3b1cfa3165363b7e18254f9e00d1b00ddebb25b76254f3825d76293452b

Download Submit
memory/1292-134-0x0000000000000000-mapping.dmp

Download
memory/4268-136-0x0000000000000000-mapping.dmp

Download
memory/4644-137-0x0000000000000000-mapping.dmp

Download
memory/4936-132-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4936-133-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4936-138-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4992-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads