77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189

Analysis

max time kernel
167s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Size

20KB
MD5

0e0e15922079f6e79a6f4214a922c243
SHA1

fa623fe110d48e9b4c7d7604adb9045d50081501
SHA256

77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189
SHA512

ed56129e061732bbb4bea0755c0b52b70694202b18e4f810beaed653e8973da6a86bbd9ef45b8edbe0b31f379244c6dfe15e005fb59cfd563eab20b2734faeaf
SSDEEP

384:n+GuAZMyoHWsPBp1NAdjh/TR8PviE/zlEi2nFHpX0AoNj+Y:+G3ZAP5ij/TRGKES3xoYY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\—„Ðøn.dll	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
File created	C:\Windows\SysWOW64\tf0	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
File opened for modification	C:\Windows\SysWOW64\—„Ðøn.dll.LoG	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\InProcServer32	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\InProcServer32\ = "C:\\Windows\\SysWow64\\—„Ð\u0090øn.dll"	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\InProcServer32\ThreadingModel = "Apartment"	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\ = "MICROSOFT"	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Token: SeRestorePrivilege	1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Token: SeBackupPrivilege	1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
Token: SeRestorePrivilege	1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
1820	77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe

C:\Users\Admin\AppData\Local\Temp\77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe
"C:\Users\Admin\AppData\Local\Temp\77f6a54df5bfdc3e78a86bbe384a05f45cdbe58f7e4c7f1de07a1101fe342189.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\—„Ðøn.dll

Filesize
252KB

MD5
6e8d4550a0570c558ba416f5a13fcc84

SHA1
2f4c80ae426b099837b44b3a229943e439542bad

SHA256
c53fb87a0e5f7c6376f443e94660c37df5b1c20171f18d72022fb710849dc694

SHA512
f30449b80a17df186589fa73f1b3d36cb67e7c0a1de367a7ab5a6ec51b8b4143e2da4f04e90068d81259b9a2edb901853208c9e553a912477549da7df63b6646

Download Submit
C:\Windows\SysWOW64\—„Ðøn.dll

Filesize
252KB

MD5
6e8d4550a0570c558ba416f5a13fcc84

SHA1
2f4c80ae426b099837b44b3a229943e439542bad

SHA256
c53fb87a0e5f7c6376f443e94660c37df5b1c20171f18d72022fb710849dc694

SHA512
f30449b80a17df186589fa73f1b3d36cb67e7c0a1de367a7ab5a6ec51b8b4143e2da4f04e90068d81259b9a2edb901853208c9e553a912477549da7df63b6646

Download Submit
memory/1820-134-0x0000000000560000-0x000000000056E000-memory.dmp

Filesize
56KB

Download