Analysis
- max time kernel: 119s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 08-04-2022 13:18
Behavioral task: behavioral1
- Sample: b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
- Resource: win7-20220331-en
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
- Resource: win10v2004-20220310-en
- 0 signatures
- 0 seconds
General
- Target: b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
- Size: 131KB
- MD5: c4f79edc4498c5570495bb36fc942134
- SHA1: 00046b588252502480e8e708a22d25ae1d9b05fa
- SHA256: b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09
- SHA512: 07bdeb39b35835a752886c2d308a68d263b36e8372d2bf320ede5b85252d14e284985d0889dfa9fcffec7ede7c3585a46cb0165b00be903755ffe63cacb21cef
- Score: 1/10
Malware Config
Signatures
Modifies data under HKEY_USERS (6 IoCs)
Processes: svchost.exe

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018C0050AC0C444" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018C0050AC0C444 = 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 | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 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 | svchost.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe

description | pid | Process | procid_target
PID 3636 wrote to memory of 3296 | 3636 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | 81
PID 3636 wrote to memory of 3296 | 3636 | b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe | 81
Processes

1. C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b33d569af5e490875d6473c6402797ddb4ce639bb1f1cf7f67698eeafa625f09.exe"
   PID: 3636
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      PID: 3296

1. C:\Windows\System32\svchost.exe
   Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
   PID: 880
   - Modifies data under HKEY_USERS