a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5

Analysis

max time kernel
125s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe
Size

442KB
MD5

760359f0570391b612527c52db4bc72d
SHA1

d5f01b460a682ac9119490ae2efcfa727c763488
SHA256

a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5
SHA512

03e888f153acccc1a4e17c50087f583cbeba3f1a4097c916039172cbd3ecd03bab05a86330ce4c23a31651a78544b6a64f0e58d55097c9d1d1b66f3b57d5605e
SSDEEP

12288:VNMXgN2zjl7rKecflXrQxwHXQUBKymTdP4ch:VNMXi2d7rKBseHXzPgQch

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4316	IIS.exe

Loads dropped DLL 4 IoCs

pid	Process
4316	IIS.exe
4316	IIS.exe
4316	IIS.exe
4316	IIS.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\WWCBJR.DAT	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe
File created	C:\Windows\DDTLZS.DAT	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe
File created	C:\Windows\IIS.exe	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe
File opened for modification	C:\Windows\IIS.exe	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe
File created	C:\Windows\uninstal.bat	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe
Token: SeDebugPrivilege	4316	IIS.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4316	IIS.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4316	IIS.exe
4316	IIS.exe
4316	IIS.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 1960	4316	IIS.exe	82
PID 4316 wrote to memory of 1960	4316	IIS.exe	82
PID 2112 wrote to memory of 4136	2112	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe	83
PID 2112 wrote to memory of 4136	2112	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe	83
PID 2112 wrote to memory of 4136	2112	a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe	83

C:\Users\Admin\AppData\Local\Temp\a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe
"C:\Users\Admin\AppData\Local\Temp\a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:4136

C:\Windows\IIS.exe
C:\Windows\IIS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DDTLZS.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\DDTLZS.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\DDTLZS.DAT

Filesize
55KB

MD5
6853cba3ccc11699c2d840f41c10393f

SHA1
80a430dcc2cb34b05d433f0f63b8ef8a6a09bbe3

SHA256
0bcf3f4ff7862cd885003b8ecc4d424a2fd418fd64412ffe95a9c4221cc3de59

SHA512
a02fef8b7c721459fa6f081a1208bf8dd84d957663b4d711b9f6f1731deedf977e5a391ec7481797da7a594c3dd133e84865133855dcdbe6da2128887270114c

Download Submit
C:\Windows\IIS.exe

Filesize
442KB

MD5
760359f0570391b612527c52db4bc72d

SHA1
d5f01b460a682ac9119490ae2efcfa727c763488

SHA256
a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5

SHA512
03e888f153acccc1a4e17c50087f583cbeba3f1a4097c916039172cbd3ecd03bab05a86330ce4c23a31651a78544b6a64f0e58d55097c9d1d1b66f3b57d5605e

Download Submit
C:\Windows\IIS.exe

Filesize
442KB

MD5
760359f0570391b612527c52db4bc72d

SHA1
d5f01b460a682ac9119490ae2efcfa727c763488

SHA256
a00caae95436a258fc1ce22429d46860563a836554d46be84c2e9486c4ac17b5

SHA512
03e888f153acccc1a4e17c50087f583cbeba3f1a4097c916039172cbd3ecd03bab05a86330ce4c23a31651a78544b6a64f0e58d55097c9d1d1b66f3b57d5605e

Download Submit
C:\Windows\WWCBJR.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\WWCBJR.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\WWCBJR.DAT

Filesize
51KB

MD5
d58f992c53515c9f1fb9394a46f4cb48

SHA1
1f9909d227b93be10328e0abc64052da984657ba

SHA256
50c6b8848b0a9cf6a6b579928dc6e5c75cf7564c19bb7b40d86ba9d360ebb040

SHA512
3a87c279fbbbaff2bfe791c523716ad092c41099b8914ba369565014502d408084259d4efe6896d785c024935b181ca34cf49e3b79f3f1a89ee1c9d775635d94

Download Submit
C:\Windows\uninstal.bat

Filesize
254B

MD5
12834b8216bd4072f2ff4f45e875b68d

SHA1
067a65728d8bb5473bf48cab26b4aecbac6562ac

SHA256
2d2662668a264ba94d3e2e04a313aea933be619b08f02d4c880f11b7da38ecc9

SHA512
6db3e7eb07fb5379619ec6b935f4b6f6902dc953de1911203cb285c5ca979c23d94fcf90a2ae1af176aa19c08a13f0736583288ae775a9e8daf24853c895cddf

Download Submit
memory/2112-132-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2112-134-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2112-133-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2112-148-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/4316-138-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/4316-146-0x00000000017D0000-0x00000000017E2000-memory.dmp

Filesize
72KB

Download
memory/4316-142-0x00000000017B0000-0x00000000017C3000-memory.dmp

Filesize
76KB

Download
memory/4316-150-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download