6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12

General

Target

6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
Size

6.7MB
MD5

cab48ed9de529a22ca0a1c2d79de3e63
SHA1

ffd86c5b07573c79b8975aac35c40b4c27c7292c
SHA256

6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12
SHA512

c42889b98affa8e6a18457177fd65f70beff3d796c6ea403607d19125bb2b0af7d8fbbad9353dddb03316b8c1651337d3ae4ec7120f7a051daa9269cc63b997b
SSDEEP

196608:i7BWIdKv52/Tg289Pzeh0M+9IUrMSY0TOPrBMJQTzT:S/s2wPzemMF0TUrBLTH

Score

8^/10

adware discovery exploit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

e56b952.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\6c260766.sys e56b952.exe
Executes dropped EXE 3 IoCs

Processes:

e56b56a.tmp6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exee56b952.exe

pid process

2800 e56b56a.tmp
1132 6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
4296 e56b952.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3604 takeown.exe
3392 icacls.exe
4220 takeown.exe
1056 icacls.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\6c260766.sys	e56b952.exe

pid	process
2800	e56b56a.tmp
1132	6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
4296	e56b952.exe

pid	process
3604	takeown.exe
3392	icacls.exe
4220	takeown.exe
1056	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e56b952.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\6c260766\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\6c260766.sys"	e56b952.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3604 takeown.exe
3392 icacls.exe
4220 takeown.exe
1056 icacls.exe

pid	process
3604	takeown.exe
3392	icacls.exe
4220	takeown.exe
1056	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

e56b952.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	e56b952.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	e56b952.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	e56b952.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e56b952.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e56b952.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e56b952.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e56b952.exe

Drops file in System32 directory 4 IoCs

Processes:

e56b952.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	e56b952.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	e56b952.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	e56b952.exe
File created	C:\Windows\SysWOW64\midimap.dll	e56b952.exe

Modifies registry class 4 IoCs

Processes:

e56b952.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "eHawg.dll"	e56b952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	e56b952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "e56b952.exe"	e56b952.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	e56b952.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e56b952.exe

pid	process
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe
4296	e56b952.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

e56b952.exe

pid process

648
4296 e56b952.exe

pid	process
648
4296	e56b952.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e56b952.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4296	e56b952.exe
Token: SeTakeOwnershipPrivilege	3604	takeown.exe
Token: SeTakeOwnershipPrivilege	4220	takeown.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exee56b56a.tmpe56b952.execmd.execmd.exe

description	pid	process	target process
PID 4060 wrote to memory of 2800	4060	6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe	e56b56a.tmp
PID 4060 wrote to memory of 2800	4060	6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe	e56b56a.tmp
PID 4060 wrote to memory of 2800	4060	6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe	e56b56a.tmp
PID 2800 wrote to memory of 1132	2800	e56b56a.tmp	6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
PID 2800 wrote to memory of 1132	2800	e56b56a.tmp	6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
PID 2800 wrote to memory of 1132	2800	e56b56a.tmp	6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
PID 2800 wrote to memory of 4296	2800	e56b56a.tmp	e56b952.exe
PID 2800 wrote to memory of 4296	2800	e56b56a.tmp	e56b952.exe
PID 2800 wrote to memory of 4296	2800	e56b56a.tmp	e56b952.exe
PID 4296 wrote to memory of 4236	4296	e56b952.exe	cmd.exe
PID 4296 wrote to memory of 4236	4296	e56b952.exe	cmd.exe
PID 4296 wrote to memory of 4236	4296	e56b952.exe	cmd.exe
PID 4236 wrote to memory of 3604	4236	cmd.exe	takeown.exe
PID 4236 wrote to memory of 3604	4236	cmd.exe	takeown.exe
PID 4236 wrote to memory of 3604	4236	cmd.exe	takeown.exe
PID 4236 wrote to memory of 3392	4236	cmd.exe	icacls.exe
PID 4236 wrote to memory of 3392	4236	cmd.exe	icacls.exe
PID 4236 wrote to memory of 3392	4236	cmd.exe	icacls.exe
PID 4296 wrote to memory of 1388	4296	e56b952.exe	cmd.exe
PID 4296 wrote to memory of 1388	4296	e56b952.exe	cmd.exe
PID 4296 wrote to memory of 1388	4296	e56b952.exe	cmd.exe
PID 1388 wrote to memory of 4220	1388	cmd.exe	takeown.exe
PID 1388 wrote to memory of 4220	1388	cmd.exe	takeown.exe
PID 1388 wrote to memory of 4220	1388	cmd.exe	takeown.exe
PID 1388 wrote to memory of 1056	1388	cmd.exe	icacls.exe
PID 1388 wrote to memory of 1056	1388	cmd.exe	icacls.exe
PID 1388 wrote to memory of 1056	1388	cmd.exe	icacls.exe
PID 4296 wrote to memory of 4328	4296	e56b952.exe	cmd.exe
PID 4296 wrote to memory of 4328	4296	e56b952.exe	cmd.exe
PID 4296 wrote to memory of 4328	4296	e56b952.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
"C:\Users\Admin\AppData\Local\Temp\6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Users\Admin\AppData\Local\Temp\e56b56a.tmp
  >C:\Users\Admin\AppData\Local\Temp\6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe
    "C:\Users\Admin\AppData\Local\Temp\6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe"
    3⤵
    - Executes dropped EXE
    PID:1132
- - C:\Users\Admin\AppData\Local\Temp\e56b952.exe
    "C:\Users\Admin\AppData\Local\Temp\\e56b952.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets service image path in registry
    - Installs/modifies Browser Helper Object
    - Maps connected drives based on registry
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\wshtcpip.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f C:\Windows\SysWOW64\midimap.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
      4⤵
      PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe

Filesize
6.0MB

MD5
e27d3bb89f3054a6d2cf809ea21c48fd

SHA1
07660bf16addd32806ad5cdb094ef4f49b3fb2cc

SHA256
483b44f6755e7653e7ed7ff84ff2319e6be36a0649fce7229b95acf8a464c36d

SHA512
89fbab17a536742db96ca01d1c8ab10bddbf2b68c425f2a9b48c28a3a8c2f9742d338b24c58466b47d307bf73c651e1bdaad7e5434b98175489c5e45f1480b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12.exe

Filesize
6.0MB

MD5
e27d3bb89f3054a6d2cf809ea21c48fd

SHA1
07660bf16addd32806ad5cdb094ef4f49b3fb2cc

SHA256
483b44f6755e7653e7ed7ff84ff2319e6be36a0649fce7229b95acf8a464c36d

SHA512
89fbab17a536742db96ca01d1c8ab10bddbf2b68c425f2a9b48c28a3a8c2f9742d338b24c58466b47d307bf73c651e1bdaad7e5434b98175489c5e45f1480b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat

Filesize
179B

MD5
27ec560f17829711da34edb19d356b1e

SHA1
855089c31b4276fd51505d5df8367f95f0580454

SHA256
891bee659edc69edc5a8cf68c6aff23a93b610d1adb0d590af49685d19042dc9

SHA512
141407ce330305c4403572f392a519a5b404cb95c5d32db3d09ae40b36a0ca0d990b1be39172d929b269efda37de0d7577a3e0b0e943a7d7a1f2cc3ca1ade392

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56b56a.tmp

Filesize
6.7MB

MD5
cab48ed9de529a22ca0a1c2d79de3e63

SHA1
ffd86c5b07573c79b8975aac35c40b4c27c7292c

SHA256
6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12

SHA512
c42889b98affa8e6a18457177fd65f70beff3d796c6ea403607d19125bb2b0af7d8fbbad9353dddb03316b8c1651337d3ae4ec7120f7a051daa9269cc63b997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56b56a.tmp

Filesize
6.7MB

MD5
cab48ed9de529a22ca0a1c2d79de3e63

SHA1
ffd86c5b07573c79b8975aac35c40b4c27c7292c

SHA256
6828317766d1331bd782acc4cb6f00d9611763b32680a70cde5087ec1ea2ef12

SHA512
c42889b98affa8e6a18457177fd65f70beff3d796c6ea403607d19125bb2b0af7d8fbbad9353dddb03316b8c1651337d3ae4ec7120f7a051daa9269cc63b997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56b952.exe

Filesize
714KB

MD5
343df0ebec1cd6e5731b5758d1741db0

SHA1
29f48ff645f53279c4cf7be585cfc7c5c82373c8

SHA256
f5140b3d67edfbd1a8d5ce8519ddfb32e1efa7362285ed59aabb905b7fada762

SHA512
fae17f537c4d991005cc90b29e01aa1a250436a9dc3e509ec760c594a9c97ef0e372e90332072998d527f9247fc91e4a1027e967200d67bf40df0a5aff4d79f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56b952.exe

Filesize
714KB

MD5
343df0ebec1cd6e5731b5758d1741db0

SHA1
29f48ff645f53279c4cf7be585cfc7c5c82373c8

SHA256
f5140b3d67edfbd1a8d5ce8519ddfb32e1efa7362285ed59aabb905b7fada762

SHA512
fae17f537c4d991005cc90b29e01aa1a250436a9dc3e509ec760c594a9c97ef0e372e90332072998d527f9247fc91e4a1027e967200d67bf40df0a5aff4d79f3

Download Submit
memory/1056-153-0x0000000000000000-mapping.dmp

Download
memory/1132-137-0x0000000000000000-mapping.dmp

Download
memory/1388-151-0x0000000000000000-mapping.dmp

Download
memory/2800-133-0x0000000000000000-mapping.dmp

Download
memory/2800-141-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3392-150-0x0000000000000000-mapping.dmp

Download
memory/3604-149-0x0000000000000000-mapping.dmp

Download
memory/4060-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4060-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4220-152-0x0000000000000000-mapping.dmp

Download
memory/4236-148-0x0000000000000000-mapping.dmp

Download
memory/4296-145-0x0000000001000000-0x0000000001BC7000-memory.dmp

Filesize
11.8MB

Download
memory/4296-146-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/4296-147-0x0000000001000000-0x0000000001BC7000-memory.dmp

Filesize
11.8MB

Download
memory/4296-144-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/4296-139-0x0000000000000000-mapping.dmp

Download
memory/4296-156-0x0000000001000000-0x0000000001BC7000-memory.dmp

Filesize
11.8MB

Download
memory/4328-154-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads