4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b

General

Target

4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
Size

1.0MB
MD5

3bc343997607a36dd36f9ec2937422dc
SHA1

7336da33e47005bc66b94b67c7cdbc3f10a4f037
SHA256

4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b
SHA512

98df7358181114c02e92f31fd989a7ac4c5885bfbfbd2a4a13a4c4be2c9d25ea31482fad9aed1db3cc48953fe01589b4640239ba370d16399631c2ad285a04e6
SSDEEP

24576:UUOQIjxJxqW6ZvNrryeq7Xr8N9bb3DFsH:5WjxJEWstyewkb7ZsH

Score

8^/10

adware discovery exploit persistence stealer upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

e56b52c.exe

description ioc process

File created C:\Windows\SysWOW64\drivers\07f989e4.sys e56b52c.exe
Executes dropped EXE 3 IoCs

Processes:

e56b3f3.tmp4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exee56b52c.exe

pid process

1116 e56b3f3.tmp
4932 4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4816 e56b52c.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1960 icacls.exe
1104 takeown.exe
4980 icacls.exe
2244 takeown.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\07f989e4.sys	e56b52c.exe

pid	process
1116	e56b3f3.tmp
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4816	e56b52c.exe

pid	process
1960	icacls.exe
1104	takeown.exe
4980	icacls.exe
2244	takeown.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e56b52c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\07f989e4\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\drivers\\07f989e4.sys"	e56b52c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe	upx
behavioral2/memory/4932-142-0x0000000000400000-0x000000000048C000-memory.dmp	upx
behavioral2/memory/4932-145-0x0000000000400000-0x000000000048C000-memory.dmp	upx

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2244 takeown.exe
1960 icacls.exe
1104 takeown.exe
4980 icacls.exe

pid	process
2244	takeown.exe
1960	icacls.exe
1104	takeown.exe
4980	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

e56b52c.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	e56b52c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	e56b52c.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	e56b52c.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e56b52c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e56b52c.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e56b52c.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e56b52c.exe

Drops file in System32 directory 4 IoCs

Processes:

e56b52c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	e56b52c.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	e56b52c.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	e56b52c.exe
File created	C:\Windows\SysWOW64\midimap.dll	e56b52c.exe

Modifies registry class 4 IoCs

Processes:

e56b52c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	e56b52c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "e56b52c.exe"	e56b52c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	e56b52c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "qsFJoui2u8.dll"	e56b52c.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e56b52c.exe

pid	process
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe
4816	e56b52c.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

e56b52c.exe

pid process

660
4816 e56b52c.exe

pid	process
660
4816	e56b52c.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e56b52c.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4816	e56b52c.exe
Token: SeTakeOwnershipPrivilege	2244	takeown.exe
Token: SeTakeOwnershipPrivilege	1104	takeown.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe

pid	process
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe

pid	process
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
4932	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exee56b3f3.tmpe56b52c.execmd.execmd.exe

description	pid	process	target process
PID 5064 wrote to memory of 1116	5064	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe	e56b3f3.tmp
PID 5064 wrote to memory of 1116	5064	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe	e56b3f3.tmp
PID 5064 wrote to memory of 1116	5064	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe	e56b3f3.tmp
PID 1116 wrote to memory of 4932	1116	e56b3f3.tmp	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
PID 1116 wrote to memory of 4932	1116	e56b3f3.tmp	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
PID 1116 wrote to memory of 4932	1116	e56b3f3.tmp	4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
PID 1116 wrote to memory of 4816	1116	e56b3f3.tmp	e56b52c.exe
PID 1116 wrote to memory of 4816	1116	e56b3f3.tmp	e56b52c.exe
PID 1116 wrote to memory of 4816	1116	e56b3f3.tmp	e56b52c.exe
PID 4816 wrote to memory of 4488	4816	e56b52c.exe	cmd.exe
PID 4816 wrote to memory of 4488	4816	e56b52c.exe	cmd.exe
PID 4816 wrote to memory of 4488	4816	e56b52c.exe	cmd.exe
PID 4488 wrote to memory of 2244	4488	cmd.exe	takeown.exe
PID 4488 wrote to memory of 2244	4488	cmd.exe	takeown.exe
PID 4488 wrote to memory of 2244	4488	cmd.exe	takeown.exe
PID 4488 wrote to memory of 1960	4488	cmd.exe	icacls.exe
PID 4488 wrote to memory of 1960	4488	cmd.exe	icacls.exe
PID 4488 wrote to memory of 1960	4488	cmd.exe	icacls.exe
PID 4816 wrote to memory of 4112	4816	e56b52c.exe	cmd.exe
PID 4816 wrote to memory of 4112	4816	e56b52c.exe	cmd.exe
PID 4816 wrote to memory of 4112	4816	e56b52c.exe	cmd.exe
PID 4112 wrote to memory of 1104	4112	cmd.exe	takeown.exe
PID 4112 wrote to memory of 1104	4112	cmd.exe	takeown.exe
PID 4112 wrote to memory of 1104	4112	cmd.exe	takeown.exe
PID 4112 wrote to memory of 4980	4112	cmd.exe	icacls.exe
PID 4112 wrote to memory of 4980	4112	cmd.exe	icacls.exe
PID 4112 wrote to memory of 4980	4112	cmd.exe	icacls.exe
PID 4816 wrote to memory of 4416	4816	e56b52c.exe	cmd.exe
PID 4816 wrote to memory of 4416	4816	e56b52c.exe	cmd.exe
PID 4816 wrote to memory of 4416	4816	e56b52c.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
"C:\Users\Admin\AppData\Local\Temp\4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\e56b3f3.tmp
>C:\Users\Admin\AppData\Local\Temp\4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe
"C:\Users\Admin\AppData\Local\Temp\4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4932

C:\Users\Admin\AppData\Local\Temp\e56b52c.exe
"C:\Users\Admin\AppData\Local\Temp\\e56b52c.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
4⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
4⤵
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
4⤵
PID:4416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

1

T1176

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b.exe

Filesize
196KB

MD5
94ae8aae4c9f1fbf472a5a4df0abe9f3

SHA1
1fbc740ace3e4c2343097738c6eed8ab4a66eb0f

SHA256
b3d53992dfb5f031d7a7f7b93e0528090fe9788dc2ed5d2405b1afe50ea146c7

SHA512
3996ea4dd6dffe4b3e92f3c4ec22f581b0985292024efe285c8ff5070ef9e90653c1cb91365a5846f8e4e7eafe7e681fd977400c49c9ebc72f43b7fee4295b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahnmove.bat

Filesize
179B

MD5
8b3374df60ff30023f8126e3a609ef3f

SHA1
42923d5d52d2d4c0db13b490e6d169d33775815e

SHA256
a45e9abc451fe72d129777deb836256f9fdee163ff9d029cec0d039d7d5605f4

SHA512
c2f806ec9efd99f56e77223619538e85571c2e0934994173983c3c3cda1fd9a7f98595e8e13e5aff1534a806d35257a7677166411f85165c9b268035649de1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56b3f3.tmp

Filesize
1.0MB

MD5
3bc343997607a36dd36f9ec2937422dc

SHA1
7336da33e47005bc66b94b67c7cdbc3f10a4f037

SHA256
4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b

SHA512
98df7358181114c02e92f31fd989a7ac4c5885bfbfbd2a4a13a4c4be2c9d25ea31482fad9aed1db3cc48953fe01589b4640239ba370d16399631c2ad285a04e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56b3f3.tmp

Filesize
1.0MB

MD5
3bc343997607a36dd36f9ec2937422dc

SHA1
7336da33e47005bc66b94b67c7cdbc3f10a4f037

SHA256
4bcee96b572888f92d70cdc796b65fff18947ec6b59e5eeb6636f66c3442a96b

SHA512
98df7358181114c02e92f31fd989a7ac4c5885bfbfbd2a4a13a4c4be2c9d25ea31482fad9aed1db3cc48953fe01589b4640239ba370d16399631c2ad285a04e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56b52c.exe

Filesize
846KB

MD5
ba68d4c5343746d9bcf3cbadad3ba564

SHA1
3c23f9c71854c070203f45b9775b6b74d9a8658f

SHA256
63077e0732540d09c8c64c68239a213b910b2182de1d9893c51f8ef0bde5c32c

SHA512
7ee9b012c2ed8abe9be931ea9b1d927f6b9f948fe98cc3856a4a34be1fd1699bd4c47ad09694e5cdbb5c57da8f6160fcc6c6196a79c920eabc356ade4b6e90e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\e56b52c.exe

Filesize
846KB

MD5
ba68d4c5343746d9bcf3cbadad3ba564

SHA1
3c23f9c71854c070203f45b9775b6b74d9a8658f

SHA256
63077e0732540d09c8c64c68239a213b910b2182de1d9893c51f8ef0bde5c32c

SHA512
7ee9b012c2ed8abe9be931ea9b1d927f6b9f948fe98cc3856a4a34be1fd1699bd4c47ad09694e5cdbb5c57da8f6160fcc6c6196a79c920eabc356ade4b6e90e9

Download Submit
memory/1104-152-0x0000000000000000-mapping.dmp

Download
memory/1116-132-0x0000000000000000-mapping.dmp

Download
memory/1116-140-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1960-150-0x0000000000000000-mapping.dmp

Download
memory/2244-149-0x0000000000000000-mapping.dmp

Download
memory/4112-151-0x0000000000000000-mapping.dmp

Download
memory/4416-154-0x0000000000000000-mapping.dmp

Download
memory/4488-148-0x0000000000000000-mapping.dmp

Download
memory/4816-138-0x0000000000000000-mapping.dmp

Download
memory/4816-147-0x0000000001000000-0x0000000001C57000-memory.dmp

Filesize
12.3MB

Download
memory/4816-146-0x0000000000BF0000-0x0000000000C10000-memory.dmp

Filesize
128KB

Download
memory/4816-144-0x0000000001000000-0x0000000001C57000-memory.dmp

Filesize
12.3MB

Download
memory/4816-143-0x0000000000BF0000-0x0000000000C10000-memory.dmp

Filesize
128KB

Download
memory/4816-156-0x0000000001000000-0x0000000001C57000-memory.dmp

Filesize
12.3MB

Download
memory/4932-145-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4932-142-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4932-136-0x0000000000000000-mapping.dmp

Download
memory/4980-153-0x0000000000000000-mapping.dmp

Download
memory/5064-135-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads