d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4

Analysis

max time kernel
2s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 21:14

Target

d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe
Size

67KB
MD5

e06c5c9d406b73bb0665dc046c662f8c
SHA1

a941cfece821a5b79a1fc48aa7a103d7d55544e4
SHA256

d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4
SHA512

dcc158e024f799843ad74b2935ab85ea6178e2bb5417853a3425ba3a17495e5820e6624b143dd823dd91cb7efcc932fed4eaac1f47b3233a2a7b8227a6818324
SSDEEP

1536:83s5WSkX6kCYqZc+QecwXirSnygf+kAgYOst/5E:83s5WvX6kCYqSnecwyrSW5ffthE

Score

7^/10

Deletes itself 1 IoCs

pid	Process
900	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.DlL	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe
File opened for modification	C:\Windows\SysWOW64\d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.DlL	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe
File created	C:\Windows\SysWOW64\xxxkldl3s.bAT	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4C3C044-CE6A-4117-9D18-C1EBEC80D2C9}\InPrOcSERVEr32\ = "C:\\Windows\\SysWow64\\d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.DlL"	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4C3C044-CE6A-4117-9D18-C1EBEC80D2C9}\InPrOcSERVEr32\ThrEaDingMOdel = "ApArTmEnt"	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsid\{E4C3C044-CE6A-4117-9D18-C1EBEC80D2C9}	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E4C3C044-CE6A-4117-9D18-C1EBEC80D2C9}\ = "WINDowLaNMAN"	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLsid\{E4C3C044-CE6A-4117-9D18-C1EBEC80D2C9}\InPrOcSERVEr32	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
944	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 900	944	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe	28
PID 944 wrote to memory of 900	944	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe	28
PID 944 wrote to memory of 900	944	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe	28
PID 944 wrote to memory of 900	944	d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe	28

C:\Users\Admin\AppData\Local\Temp\d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe
"C:\Users\Admin\AppData\Local\Temp\d9bb7d6148ec822245a9e6d3350b1049d9a1c7050f79f7ff763c28fd9bf78da4.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\xxxkldl3s.bAT
  2⤵
  - Deletes itself
  PID:900

C:\Windows\SysWOW64\xxxkldl3s.bAT

Filesize
248B

MD5
2965f0c08002bc38672e1f107adb02f7

SHA1
6da6ed782839dde05e56fd6c442ee6ad58c177ca

SHA256
e3e706d7d5cebce7c616f6ed80cbac7ed9319880b2c775ab8ad1de1e0acdad47

SHA512
b330543993da3dc8a72da4ca4c788c35cbfaa408f9dd179dd2908c81e75f44690940397b568fee68a47a54354c6e02d52f68de2f9d9f524379b91279d0d8c572

Download Submit
memory/944-54-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/944-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/944-57-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download