2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296

General

Target

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Size

350KB
MD5

13797d259eae7789cb3c0284f0260b10
SHA1

bfca5302ac52dbec668392e3572f06ca66b5e9ab
SHA256

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296
SHA512

0bc3d206fb02eb7da603457ceff2f5855aa2d88bfddb93ccd4320095b0b07644cb75dd561a82554722266f0b4a3b9c4971eaa459957ba0302237ebef5d0e5a54
SSDEEP

6144:9yXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:93BdQLL4BE93NGVYZX9BukJlwxSJdEm

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\680ceef1.sys	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File created	C:\Windows\SysWOW64\drivers\14a7db77.sys	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4668 takeown.exe
1332 icacls.exe

pid	process
4668	takeown.exe
1332	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\680ceef1\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\680ceef1.sys"	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\14a7db77\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\14a7db77.sys"	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3796-132-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/3796-133-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral2/memory/3796-138-0x0000000001000000-0x000000000112D000-memory.dmp	upx

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4668 takeown.exe
1332 icacls.exe

pid	process
4668	takeown.exe
1332	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Drops file in System32 directory 5 IoCs

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\goodsb.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File created	C:\Windows\SysWOW64\goodsb.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Modifies registry class 4 IoCs

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe"	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "sFgH88F6.dll"	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

pid	process
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

pid	process
656
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
656
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
Token: SeTakeOwnershipPrivilege	4668	takeown.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.execmd.exe

description	pid	process	target process
PID 3796 wrote to memory of 2064	3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	cmd.exe
PID 3796 wrote to memory of 2064	3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	cmd.exe
PID 3796 wrote to memory of 2064	3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	cmd.exe
PID 2064 wrote to memory of 4668	2064	cmd.exe	takeown.exe
PID 2064 wrote to memory of 4668	2064	cmd.exe	takeown.exe
PID 2064 wrote to memory of 4668	2064	cmd.exe	takeown.exe
PID 2064 wrote to memory of 1332	2064	cmd.exe	icacls.exe
PID 2064 wrote to memory of 1332	2064	cmd.exe	icacls.exe
PID 2064 wrote to memory of 1332	2064	cmd.exe	icacls.exe
PID 3796 wrote to memory of 5076	3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	cmd.exe
PID 3796 wrote to memory of 5076	3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	cmd.exe
PID 3796 wrote to memory of 5076	3796	2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe
"C:\Users\Admin\AppData\Local\Temp\2ae83fb95c7008c74d2501abef466d1d43d87df9c86a1f7f9a332d8ce4747296.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
4f572731e15ef20040a90a372222819e

SHA1
e2277d1cdefff780239b3a7a64817af898bb152c

SHA256
79bcbcb9dfd53cab6d5dc1e7b5cd8d01d1789c691b64c64db529c92b4922f084

SHA512
35d94399701c10c3fa4d5112caa3ad1c2cb86ae3361686b7823774aed3b27b84357054df8b1f1dd70a0adf619deb1ce600249ee4678433dbabdaddefc7b0cadc

Download Submit
memory/1332-136-0x0000000000000000-mapping.dmp

Download
memory/2064-134-0x0000000000000000-mapping.dmp

Download
memory/3796-132-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/3796-133-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/3796-138-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/4668-135-0x0000000000000000-mapping.dmp

Download
memory/5076-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads