a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32

General

Target

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Size

350KB
MD5

29308f083114d892b709d5f36ae18710
SHA1

c7e974577e1254c537e0f53a725518a1f4d5f7f7
SHA256

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32
SHA512

5254e53849eaec33ed260dc2d1a45f012a5e4e7bd683d4445b7502e8cb21210ef30ddf26a470a0da31f5e572cbd2636ec25869aac1603011fc7f3626b5a2545b
SSDEEP

6144:qyXu7IEBSsQ9ElMwm60lmqs7MTRGA3h3GVqdppJXEGhBukJF/KAwxFUOWdEmh:q3BdQLL4BE93NGVYZX9BukJlwxSJdEm

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\2bde287d.sys	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
File created	C:\Windows\SysWOW64\drivers\57751dfb.sys	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1220 takeown.exe
308 icacls.exe

pid	process
1220	takeown.exe
308	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\2bde287d\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\2bde287d.sys"	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\57751dfb\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\57751dfb.sys"	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1488-55-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral1/memory/1488-56-0x0000000001000000-0x000000000112D000-memory.dmp	upx
behavioral1/memory/1488-61-0x0000000001000000-0x000000000112D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1736 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1220 takeown.exe
308 icacls.exe

pid	process
1736	cmd.exe

pid	process
1220	takeown.exe
308	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

Drops file in System32 directory 5 IoCs

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\wshtcpip.dll	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
File opened for modification	C:\Windows\SysWOW64\goodsb.dll	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
File created	C:\Windows\SysWOW64\goodsb.dll	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
File created	C:\Windows\SysWOW64\ws2tcpip.dll	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

Modifies registry class 4 IoCs

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID\name = "a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe"	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\SYS_DLL\name = "tuuYA.dll"	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\HOOK_ID	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

pid	process
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

Suspicious behavior: LoadsDriver 5 IoCs

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

pid	process
460
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
460
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
Token: SeTakeOwnershipPrivilege	1220	takeown.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.execmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 1716	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe	cmd.exe
PID 1488 wrote to memory of 1716	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe	cmd.exe
PID 1488 wrote to memory of 1716	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe	cmd.exe
PID 1488 wrote to memory of 1716	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe	cmd.exe
PID 1716 wrote to memory of 1220	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 1220	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 1220	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 1220	1716	cmd.exe	takeown.exe
PID 1716 wrote to memory of 308	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 308	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 308	1716	cmd.exe	icacls.exe
PID 1716 wrote to memory of 308	1716	cmd.exe	icacls.exe
PID 1488 wrote to memory of 1736	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe	cmd.exe
PID 1488 wrote to memory of 1736	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe	cmd.exe
PID 1488 wrote to memory of 1736	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe	cmd.exe
PID 1488 wrote to memory of 1736	1488	a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe
"C:\Users\Admin\AppData\Local\Temp\a82fd3f4a404d7f26ba7eef69cb8d56f529bc46491f495a83715ed62bd8c6e32.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:308

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
2⤵
- Deletes itself
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
Filesize
181B

MD5
367986a80ac53057c7ad4686d5f5b2be

SHA1
edccc25f9cc9ec722b9c664693b2d06610b3a63d

SHA256
f5f7531268faad3fc85aff523f04a8605041a21227030c660f3203109652b4d5

SHA512
a77391591e8cfcfb0f09db51daa280d2e06a980678b512b25ac3baf9bbc5bfb23ae8e32bd21098d9d19157cf218092f97056510ba22b059e0555df404cae124a

Download Submit
memory/308-59-0x0000000000000000-mapping.dmp

Download
memory/1220-58-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/1488-56-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/1488-61-0x0000000001000000-0x000000000112D000-memory.dmp

Filesize
1.2MB

Download
memory/1716-57-0x0000000000000000-mapping.dmp

Download
memory/1736-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads