2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296

Analysis

max time kernel
76s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Size

350KB
MD5

13797d259eae7789cb3c0284f0260b10
SHA1

bfca5302ac52dbec668392e3572f06ca66b5e9ab
SHA256

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296
SHA512

0bc3d206fb02eb7da603457ceff2f5855aa2d88bfddb93ccd4320095b0b07644cb75dd561a82554722266f0b4a3b9c4971eaa459957ba0302237ebef5d0e5a54
SSDEEP

6144:9yXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:93BdQLL4BE93NGVYZX9BukJlwxSJdEm

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\0a3c40da.sys	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File created	C:\Windows\SysWOW64\drivers\7697755c.sys	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
584	takeown.exe
1344	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\7697755c\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\7697755c.sys"	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\0a3c40da\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\0a3c40da.sys"	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1836-55-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral1/memory/1836-60-0x0000000001000000-0x000000000112D000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1064	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
584	takeown.exe
1344	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File opened for modification	C:\Windows\SysWOW64\goodsb.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File created	C:\Windows\SysWOW64\goodsb.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe"	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "HHeIufK.dll"	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Suspicious behavior: LoadsDriver 5 IoCs

pid	Process
464	Process not Found
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
464	Process not Found
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Token: SeTakeOwnershipPrivilege	584	takeown.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 896	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	29
PID 1836 wrote to memory of 896	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	29
PID 1836 wrote to memory of 896	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	29
PID 1836 wrote to memory of 896	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	29
PID 896 wrote to memory of 584	896	cmd.exe	31
PID 896 wrote to memory of 584	896	cmd.exe	31
PID 896 wrote to memory of 584	896	cmd.exe	31
PID 896 wrote to memory of 584	896	cmd.exe	31
PID 896 wrote to memory of 1344	896	cmd.exe	32
PID 896 wrote to memory of 1344	896	cmd.exe	32
PID 896 wrote to memory of 1344	896	cmd.exe	32
PID 896 wrote to memory of 1344	896	cmd.exe	32
PID 1836 wrote to memory of 1064	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	33
PID 1836 wrote to memory of 1064	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	33
PID 1836 wrote to memory of 1064	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	33
PID 1836 wrote to memory of 1064	1836	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	33

C:\Users\Admin\AppData\Local\Temp\2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
"C:\Users\Admin\AppData\Local\Temp\2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\SysWOW64\wshtcpip.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:584
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
  2⤵
  - Deletes itself
  PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat

Filesize
181B

MD5
4f572731e15ef20040a90a372222819e

SHA1
e2277d1cdefff780239b3a7a64817af898bb152c

SHA256
79bcbcb9dfd53cab6d5dc1e7b5cd8d01d1789c691b64c64db529c92b4922f084

SHA512
35d94399701c10c3fa4d5112caa3ad1c2cb86ae3361686b7823774aed3b27b84357054df8b1f1dd70a0adf619deb1ce600249ee4678433dbabdaddefc7b0cadc

Download Submit
memory/1836-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1836-55-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/1836-60-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download