Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
28-03-2022 01:20
Static task
static1
Behavioral task
behavioral1
Sample
core.bat
Resource
win7-20220310-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
core.bat
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
paper_x32.dll
Resource
win7-20220311-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
paper_x32.dll
Resource
win10v2004-20220310-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
paper_x32.dll
-
Size
43KB
-
MD5
d3a9e33c7e606b711b1d658248d96d4a
-
SHA1
430273e227bb4445fbd92363dc97310ca3232b48
-
SHA256
85c49c0c2f9778edc03a6797ffa139b27538fd7060d6b80f2d00e23aa158e625
-
SHA512
e15c697ce13a8140fb41596def262d414f47453b0f01e96b8659caa5f024e8c81b5b2462230b992e081d368078ac33f3f37c0dae17bfd81b0a06c960494e0f3d
Score
1/10
Malware Config
Signatures
-
Modifies data under HKEY_USERS 6 IoCs
Processes:
svchost.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001800081D20D692 = 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 svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} svchost.exe Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000a622d7dec47f2ef97cca6f1eb764a945890f9e04e2bcdfc6a01334e1c4a3d9ac000000000e8000000002000020000000adafb66a3e8c78d5bbad27e91bb09ad82bb4fb37243bd85caa98434da1803c04100d00000ce674e2dd300e47b0f3c519704ea29d771d730d744d39c7e97ea4ffc498118f07ecc43c9b4f2278062b89064fd8541decd3039f06a450da441179b7303f702a0c8a93bc2f4c481b432c4b816e836792c855cae89c0026c41d9e5b3fda1e632d89f2b1a8bdf2854668f72d87c55f5ac97ddbb1852ed864c219f922fa3928bfe0d1f42fb9aacbca62ced46f513c3dcabe40db09bb45d2630dc2327047ad2fb78067ac80bb68fbb35b37a6e19bbf8b96af8a7e636816116e6b6543f234ef148b75f9bbefa697d3030822fc5414554dc26ec5ca0cd0640940efcb6cbe276f721a87996417e29d5f1fc717a733f1f76a68a9b8d5c82c2e23178f919548a4f7bc8e05eb7d2387d9b03a315ac6399949c7b5d5004958e87e23f213bf0fc6b5b17c2d781a05e7c3f316e9df5cab6077a2f8d76e34d937c8adae495f3d7d44eb31c5684f27ef7fa2b02b3d381bea4c5c6c7551e6915ea9f062802dba72af8833965d4d25264953a38a7b86e6f98126dc40c8dbf047a5f4abbfea9db974b079cec5bfc068d30ae93fedfc47ea3c583525c0d9cedeae99e7c6a5e3385c78e584c80f7f8ba222ea45a8ff9a3dd7099ce8d170d0554b440209ddf189233a044b7d9634146f95add2fd7df90c3e72bda6a96efba643934f693c55f5931c8e6f93417160e7c1b147805932a2ac0aeaa5128366fa05f5c811192b9bcd6ead775250841a6f4af9e7b4b201a54773cbfc6e64e581a843ca24432e9777b3f2848346ce2256159dc9e5b11dfda54b4cd088328a14968a66609646495708f00bc695b089ceba17828326207c6e52f642cf037f8b1c8223f3
0efac4c3a4faf554bcfbda2c786e87c248e1beb4e3b7603444dbc5bdc15eabf1a5a555f515bd0530511a2186615ddaec472150f89343f1e5cae00f1dd27cc743b467db20aa594f9e3ba2b40b56ea9b47af4ce78991c8e97011da40f8cc588ce88950105d990691aeddfdc47a56d41bc117255cde5034cf38675071ef6845bb44c2076aba8fecf71d6367ee1141d284e65f55225607d517a4fcedbeecd4c7f68fa73384744aa15e575ea05a3e98dbb82530f902058d9560f7090d64e94c8bd4fd3d01b3f744108e07230250dd969e5ad748529c2d2639741764b5f311f9b0fe8ba6c4fac7137c5e05b2106e50feadabd535e60d80a582fbe89a0010a5f8a10a791410239b1143cdd8fb151212eaf5fbd1a4a359c8484a3be22dea4c5180520468170d205d6497c7e76b721e9d4d22317c718d295411dd261e7179505d9144671ba3774a3c74d12afe8d357aa13ccc0c68ec3556400c4b0e6958e0dce2aef0e0dd16ee2704597fac79d93e3388d3738d6d27137b90cf74b5dc3b6d2cf0d0c01fa951f594b2b17120f689bc84d63d91127f8c37c952f2711267280eb39367a585f483ebd43b899d73e5df6fbf2bb3888474ddad5c905061b978f31e36248d7c22a6b49d9e01b484b29e08822d6defb19a33089384456a76dd935e509c5208813f85b64cacf5c47a317d4cae456be94ba92f256c89b3fc52064c05983bec278e6c9349700a5fe3d1c94481c2a03b16f03073517fe70d179949f51dfe5f9d9fd934ac1bba74aa252db193cd5618240af7292882f30e2c97ca51163988dc445536c3add5244ffb1717d9e2c6b15764d79babb5d56e439e8abe83cfb32b240f8d2644ab1786d2cbddde7e45d0ccfe9286755b4afdab629d4457d95ff60c07f370781db3cb731af69a28b3246bf873ea8f156b5459eab2f9b28a2b76ff615a78a49774999b834257f1f485a94e48b9e8e1df4078117d3c1e9990fdb1206328bf92a2e39e3d91ff524522ae3e5d5038ea371ee050beef93581ec5612b78116be52c9576a06fc0798a33f3156c17e9208966109cb36351ad406f842d5b0a5d416ea9cc96005b8e20af054a409186b00792438883d00d705fe1e5fa1edcd110229b9d6909816c873417eea607f7c6f4e335e4f059490a9a41910720c47f73510bc9a0b4694eb514e2d66cc1a7cab01122627b2bb4072acbb80d79a1629948adb0a0bac6f83b0ed7da09f9b19713c278a3d02957265adbeed3a274735704b756fd5ddfc6f249bd9dc0f80854ff2642807f81f14720215487900d4c228c526080593e313702d169e9eb6ea4b8d0b0debb8269028936a09a4dc19c0c6aae07362943ad34a30ddf289babec723d338753365bcdadaca5c85c87f48987219fc3ede94be382fc3c3505a3c4097d3cd499
31c122ab11bf345bf4f52eb597e554c79e67e2a5d05fe65654aadaeb25ecc2f233ab9e7f933ef0a266f660927cf2cf8ae45990316f2dfa2515dbca153d5f0d16e34ab6cc713627d3dc18285969437aa4f95067dd3caea4e45c967807d88f1a941499d9df9264f4fb1beb52c121ce7e2697e881adece7d120d8c68ca85d7511b1cc2d34e86ad87aa267b8ba969b2e9e53a55dca5fba6e538935c16744656b66f15e672558c60cf51dab9351ebd73b537b208fed4903d0501f65354313cbf9b45ba18031b728a2d55298411164c54d5765d4e9445942745826910b9cf6ee7a27a7705b77ec959ea249e1b3b7869fe29cf4e73c5716f384b24f8a17649e86d880508a77cd7c0065d14427ced7532454028c1fc070d85ed26cbbfacbc513074de5c160d421cad3cb6283d2408fcfc2a7e7a1c4345976ff6a20044e5958e9fc51ab19cf27917cba304f62fe70afef94094a6c53c776fa6989de58e650a9caa5d635e1a25e0b663b5bb2087f60ff3aec7c71a80e45295bff9112e7e505ec73f2597fc8a4df572c6b27337c5a3b2390f1769f1d01e04788c6c58113577eee46114d5006130056dc1a325092d0c961e057659e7eb480faa7e82027ae289508db3c3aec75a5fdd48af35fb98c8f75bfdf6abf5164e661c6bc653b56c4d9913d7749107ac9e22862f92e047268a1eac28c64da2d2da570034296718ebdd9e7cfc2cdf23ab73545cabcc4822effdacaeea0e4af5b1628654c2a565512b9682c734d0fc94b833486dc0064268b64f0a57003b88eab61a2748ca46a51eb43a3af9377c92b4f704014f2ed1bda851a843ba7680a7a44ac3bd5229d52acb02c2ec5508db3a30e1a97572df48927fa6bdf8e904eb501e2a5db7a925a109a8347ef885a87b2aa1febdffc0d2eda3e88b9878a544cd0d2b8b2ad68377020947f1c97651a0f0829159665571be57038e32d9eed9e44c34fc915c87ba467cc765e3c89505c9f77c897619b4e0fb3682f685f8b289d9d4bc6f9cf6b3c32e8a1a95f73e62db1366388de0f6762554af4321e031b2a601cfd23e7df002148e16b90931cbb4630cf0d15974f992577e6d8477a7813475fd48a69d81f65eb7c869a647d3134ef261dde8da39c5ff5e652fa0abbf3251b4a7ec96a975800c3d73356b560f5bfa1498bd153da523fa9786e545406adf4dad4f83ff09dfc607598017b33037be22670a11b1d1b6e97f040e4a37932fb806b41b9dcfeaa012b46ebd38c595cd096314d703dac019ad5a6a13194e1346a59ee362285f7a70d612764a9d3b109c9bb4b49ea7b101eadcb6f55e5bf87c2f1573013d2bce2ce572270357cf1d7034d82299beefe359499ad2eb646c6bc6d397d21db259333223fd1bbbc3fe807642a6bfbf0e068662eb74392e5faa359a8a8
0663a6bd6edccf20ee361b8f98495610cfdc425331c37265d9797801048756203e8dbf93eb1c197ee23b20fa7ef57262a6a9c3b0d75f3b94205a14d2084ac95e24dcbf0b5463405df3a76161cf7e880430abb87a2126f44694ebe669951c3a37ddccb82fef90e202c1c5517dfba57dedc314d2ab97e951d242d959c12d494b0186648a8268fd4bb878c9e1035941e4c4597ee12a945d6b797a452df6831f48a6b9000c760fcc1a0d1b280144dc210d6dd143c64d7313bedf7b5e46e034dbb6c88e6b2f007f7d639bbc8ee4a6abcbd2d991805f833b11c8ec6250d6c12a93e83b2bea4ae63bc3e9bc81464568f120caf9fab0a4e7f78aa0af1198918f4215f98acfb6aa6f5c776b7dcdc18897c2e95f736cbfb9b57e5f55a3db27cba0847c5cd80ae9e011e0243696581bea53c79261608c6fc33cff4a9d841e540e4eeff840098eb81e0c37f0722b5c1ddbad27530fc78e2733299db491ca95278c0411224e3988791022a30b265ecdaf0245c090784642535006ddf90ee0abb3477963694a6830b99b170dbfcea928c11505a1863f4e4ccb911b83c3ee64916031892d7c6c41b011f6a38548383bf1c090b067ddc1a18e0567ca19cbae406c7135fb228a6ae88a452b386e9c9d3c8547aa99e771bae26953110777ca624c5a6635aca9f0caf3b8b3650ac230f2a9e0cd2c9e6871b8399d3b01e2f625b64ffc93c0093fc4403e27aaf13d8a74663fbbbe82a3c7c7c46eb3c5df7838627a261b68fb23f0e287542f57231c72bb088f981dc255c59c63fa5e2ab3c77ba8da4d91da2b08b5dd8f19e143c55521a0bcab36e58cd2935b567f6f5e85042325a51be23acabb2b51634c9ac940478a43badc1aed29f4780d541d17a7458b78f8880935f7ba4a6376842cf125a780e900880a543bd1b722c3e682b56a427c0ec46eb9e6866df6dd1752da5f0b9147f3c1965075a5f9f3fa2cf93f3bac064e3619bb760dc0be2791da0fdf3d7dcf473cce65812ea4dc756328f37a58e2bf7d1e7c9b5158569c52b47406143ae5e86f19fc978b28d084c60b75b3a05b13400000006cce3841afde51879486de4e5690a48f92f30c10f846f265bb7681b8ead72fef2a6fdf5a5a5fcc9f81c68d19e61afc2a7f7c6e371d92b2b5d01a6cd35e09fbf9 svchost.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001800081D20D692" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1" 
svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property svchost.exe
Processes
-
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\paper_x32.dll,#11⤵
-
C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵