8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f

General

Target

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe
Size

149KB
MD5

e513d580da8be7c9a76c1d1d5fa73c91
SHA1

e04d83bea29cb7d5593a4df0567e5759a51993b1
SHA256

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f
SHA512

ff475ffd46353fb335d4f4fd525f410288c9b9ce13c289f7030ce2c6fc895afdc38dd64ee28cc09fbd8847953f334546c062fe59737826618df23cb1708f5ea1
SSDEEP

3072:6EL6JxaaTvT6+L+baG93l+/31Qcm3b2zDRumSUNHIatXsGLSjvNdjw:j2JYWT6eeaGW3UbyXSsduL70

Score

7^/10

adware persistence stealer

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

960 cmd.exe

pid	process
960	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\notviz = "C:\\Windows\\system32\\winhelp.exe"	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

Drops file in System32 directory 2 IoCs

Processes:

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winhelp.exe	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe
File opened for modification	C:\Windows\SysWOW64\winhelp.exe	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

description	pid	process	target process
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 780	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 1652 wrote to memory of 960	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 960	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 960	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 960	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 948	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 948	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 948	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 948	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 1648	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 1648	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 1648	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 1648	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 1552	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 1552	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 1552	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 1552	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 856	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 856	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 856	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 1652 wrote to memory of 856	1652	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe
"C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe"
1⤵
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\svchost.exe
svchost
2⤵
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
- Deletes itself
PID:960

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:856

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/780-55-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/780-54-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/780-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/780-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/780-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/780-64-0x0000000000000000-mapping.dmp

Download
memory/856-69-0x0000000000000000-mapping.dmp

Download
memory/948-66-0x0000000000000000-mapping.dmp

Download
memory/960-65-0x0000000000000000-mapping.dmp

Download
memory/1552-68-0x0000000000000000-mapping.dmp

Download
memory/1648-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads