8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f

General

Target

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe
Size

149KB
MD5

e513d580da8be7c9a76c1d1d5fa73c91
SHA1

e04d83bea29cb7d5593a4df0567e5759a51993b1
SHA256

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f
SHA512

ff475ffd46353fb335d4f4fd525f410288c9b9ce13c289f7030ce2c6fc895afdc38dd64ee28cc09fbd8847953f334546c062fe59737826618df23cb1708f5ea1
SSDEEP

3072:6EL6JxaaTvT6+L+baG93l+/31Qcm3b2zDRumSUNHIatXsGLSjvNdjw:j2JYWT6eeaGW3UbyXSsduL70

Score

6^/10

adware persistence stealer

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\notviz = "C:\\Windows\\system32\\winhelp.exe"	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

Drops file in System32 directory 2 IoCs

Processes:

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\winhelp.exe	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe
File opened for modification	C:\Windows\SysWOW64\winhelp.exe	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4084 3728 WerFault.exe svchost.exe

pid	pid_target	process	target process
4084	3728	WerFault.exe	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe

description	pid	process	target process
PID 3872 wrote to memory of 3728	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 3872 wrote to memory of 3728	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 3872 wrote to memory of 3728	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 3872 wrote to memory of 3728	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 3872 wrote to memory of 3728	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 3872 wrote to memory of 3728	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 3872 wrote to memory of 3728	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 3872 wrote to memory of 3728	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	svchost.exe
PID 3872 wrote to memory of 1892	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 1892	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 1892	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 2476	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 2476	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 2476	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 900	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 900	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 900	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 1884	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 1884	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 1884	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 1268	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 1268	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe
PID 3872 wrote to memory of 1268	3872	8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe
"C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe"
1⤵
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\svchost.exe
svchost
2⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 12
3⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c "del "C:\Users\Admin\AppData\Local\Temp\8b8c5d53ae6eb8d708a0e8e74a3a65151cfdabfda0347d9ad988a150c811d00f.exe""
2⤵
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3728 -ip 3728
1⤵
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Browser Extensions

1

T1176

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-138-0x0000000000000000-mapping.dmp

Download
memory/1268-140-0x0000000000000000-mapping.dmp

Download
memory/1884-139-0x0000000000000000-mapping.dmp

Download
memory/1892-136-0x0000000000000000-mapping.dmp

Download
memory/2476-137-0x0000000000000000-mapping.dmp

Download
memory/3728-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-132-0x0000000000000000-mapping.dmp

Download
memory/3728-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3728-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads