2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076

General

Target

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
Size

350KB
MD5

30898d305c059d8c1e74b4b3bfc46db0
SHA1

b68399ee1dc5777839879400674ac94f694aca96
SHA256

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076
SHA512

8e429d6701e835257be056ae1f94ba6506d0aea1f7dcb55f6d7935dd64d37a12dca682903791a7d5612af723c15763216851306ebd76ca64d40a44ab931b3c55
SSDEEP

6144:GyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:G3BdQLL4BE93NGVYZX9BukJlwxSJdEm

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\63581fe9.sys	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
File created	C:\Windows\SysWOW64\drivers\1ff32a6f.sys	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

336 takeown.exe
1920 icacls.exe

pid	process
336	takeown.exe
1920	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\63581fe9\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\63581fe9.sys"	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\1ff32a6f\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\1ff32a6f.sys"	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4712-132-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/4712-133-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/4712-138-0x0000000001000000-0x000000000112D000-memory.dmp	upx

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

336 takeown.exe
1920 icacls.exe

pid	process
336	takeown.exe
1920	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

Drops file in System32 directory 5 IoCs

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\goodsb.dll	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
File created	C:\Windows\SysWOW64\goodsb.dll	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

Modifies registry class 4 IoCs

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe"	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "i78Fjs.dll"	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

pid	process
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

pid	process
644
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
644
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
Token: SeTakeOwnershipPrivilege	336	takeown.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.execmd.exe

description	pid	process	target process
PID 4712 wrote to memory of 4576	4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe	cmd.exe
PID 4712 wrote to memory of 4576	4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe	cmd.exe
PID 4712 wrote to memory of 4576	4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe	cmd.exe
PID 4576 wrote to memory of 336	4576	cmd.exe	takeown.exe
PID 4576 wrote to memory of 336	4576	cmd.exe	takeown.exe
PID 4576 wrote to memory of 336	4576	cmd.exe	takeown.exe
PID 4576 wrote to memory of 1920	4576	cmd.exe	icacls.exe
PID 4576 wrote to memory of 1920	4576	cmd.exe	icacls.exe
PID 4576 wrote to memory of 1920	4576	cmd.exe	icacls.exe
PID 4712 wrote to memory of 2268	4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe	cmd.exe
PID 4712 wrote to memory of 2268	4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe	cmd.exe
PID 4712 wrote to memory of 2268	4712	2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe
"C:\Users\Admin\AppData\Local\Temp\2d0df633c30841432c5830f57420d1acec851711509a275525ff66bf688b8076.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
2bac0e64b3227e0f4ce787f64ffcc2c5

SHA1
9831b476eba29b2735e80e83b4de67547304c511

SHA256
5797595e407af438d22fd34f981c8862ed24fcef8f281e594ee0e6017d46341e

SHA512
489304b399f8bda7272b1790639bf98eaa99eedc5ff54043adc905609fead5d30e1d64697da1edd74547bfb17679748932112fae05eb3a342f6ff65013715c29

Download Submit
memory/336-135-0x0000000000000000-mapping.dmp

Download
memory/1920-136-0x0000000000000000-mapping.dmp

Download
memory/2268-137-0x0000000000000000-mapping.dmp

Download
memory/4576-134-0x0000000000000000-mapping.dmp

Download
memory/4712-132-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4712-133-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4712-138-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads