88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196

Analysis

max time kernel
153s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 03:51

Target

88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe
Size

716KB
MD5

ea9ab0d64e6648f9feee920ae60f1c0e
SHA1

2af19e6bebcf278687c4f797bf0ecb9ff84ec2b4
SHA256

88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196
SHA512

9d0399a46df102c8cffd4c60f8a4d78dd7c86d04b454f8b921a971af3085556789592be47e2b4c25be5b5598c702e2b403778017fd8343bd7bbefab8bc9e2ac5
SSDEEP

12288:jRyTSktU4g/n/t0EW5A0zyYvJwQ5oAlK+GE4vebIk6bQQ52LgRg08y5HpnK9V:dStU4gf2EW5A2DJr/kS4vGIk6v3Hg

Score

8^/10

Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

4056 svhost.exe

pid	process
4056	svhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\svhost.exe	88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe
File created	C:\Program Files (x86)\svhost.exe	88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe

Drops file in Windows directory 1 IoCs

Processes:

88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe

description ioc process

File created C:\Windows\uninstal.bat 88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe

description	ioc	process
File created	C:\Windows\uninstal.bat	88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exesvhost.exe

description	pid	process
Token: SeDebugPrivilege	2636	88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe
Token: SeDebugPrivilege	4056	svhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

svhost.exe

pid process

4056 svhost.exe

pid	process
4056	svhost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

svhost.exe88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe

description	pid	process	target process
PID 4056 wrote to memory of 2548	4056	svhost.exe	IEXPLORE.EXE
PID 4056 wrote to memory of 2548	4056	svhost.exe	IEXPLORE.EXE
PID 2636 wrote to memory of 4152	2636	88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe	cmd.exe
PID 2636 wrote to memory of 4152	2636	88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe	cmd.exe
PID 2636 wrote to memory of 4152	2636	88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe
"C:\Users\Admin\AppData\Local\Temp\88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4152

C:\Program Files (x86)\svhost.exe
"C:\Program Files (x86)\svhost.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2548

C:\Program Files (x86)\svhost.exe

Filesize
716KB

MD5
ea9ab0d64e6648f9feee920ae60f1c0e

SHA1
2af19e6bebcf278687c4f797bf0ecb9ff84ec2b4

SHA256
88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196

SHA512
9d0399a46df102c8cffd4c60f8a4d78dd7c86d04b454f8b921a971af3085556789592be47e2b4c25be5b5598c702e2b403778017fd8343bd7bbefab8bc9e2ac5

Download Submit
C:\Program Files (x86)\svhost.exe

Filesize
716KB

MD5
ea9ab0d64e6648f9feee920ae60f1c0e

SHA1
2af19e6bebcf278687c4f797bf0ecb9ff84ec2b4

SHA256
88064f99acec119fa6bd7405c52ab427695b49a3876fee6e083a4360553d0196

SHA512
9d0399a46df102c8cffd4c60f8a4d78dd7c86d04b454f8b921a971af3085556789592be47e2b4c25be5b5598c702e2b403778017fd8343bd7bbefab8bc9e2ac5

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
93fa426826e5ef9d8f9d8aaf8afddc42

SHA1
9c398a67bfa300082dc2d3a13fe25764e7f795f6

SHA256
313ca514754b039e45ff655624af2c960934f8fa22d0d92df400bac89d7e6405

SHA512
d6e448fa96d8283e80b8ba4c0aa895aef42dd504fcf92266a08f094d0785d56e7aaa9b391db143ac6fe57a464c5cbf64b1dc69ccb0a18c444ad6fd43efb247e8

Download Submit
memory/2636-132-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4056-135-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4056-136-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4152-137-0x0000000000000000-mapping.dmp

Download