10bc5ff2aea597c2c37d82af8ad997f3ef08bc067a451e890614618bb44ba707

Analysis

max time kernel
154s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bec4d1d2a6049039896ce44b1ebad45.exe
Size

926KB
MD5

1bec4d1d2a6049039896ce44b1ebad45
SHA1

1f33da06e9c1a50d5c9fd623184011b08cc3adf8
SHA256

10bc5ff2aea597c2c37d82af8ad997f3ef08bc067a451e890614618bb44ba707
SHA512

996f6e73b190b52d246273710dabfeab5a61b1a461e1f6e32289ef9ce0098e258dd3b52ef76b53777a3e574690a8b753bb5b4f6a5295a11ccaf0d819e8c9266c
SSDEEP

6144:hvO2ywiiwfg5gAgW8lNiofT8DPl0LIp24ZxRRa7oBi2af/s1soFqheAY1GTPZ9hf:tiiGg5gAgxR00LyQYixnziIPFoA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4848	HomeLock64.exe

Loads dropped DLL 4 IoCs

pid	Process
3324	Explorer.EXE
4676	rundll32.exe
4676	rundll32.exe
4676	rundll32.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wxnotify.dll	1bec4d1d2a6049039896ce44b1ebad45.exe
File created	C:\Windows\SysWOW64\baiimg32.dll	1bec4d1d2a6049039896ce44b1ebad45.exe
File created	C:\Windows\system32\wxnotify.dll	1bec4d1d2a6049039896ce44b1ebad45.exe
File created	C:\Windows\system32\HomeLock64.exe	1bec4d1d2a6049039896ce44b1ebad45.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4640	4676	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4848	HomeLock64.exe
4848	HomeLock64.exe
3324	Explorer.EXE
3324	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	HomeLock64.exe
Token: SeDebugPrivilege	4676	rundll32.exe
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE
Token: SeShutdownPrivilege	3324	Explorer.EXE
Token: SeCreatePagefilePrivilege	3324	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4828	1bec4d1d2a6049039896ce44b1ebad45.exe
4828	1bec4d1d2a6049039896ce44b1ebad45.exe
4828	1bec4d1d2a6049039896ce44b1ebad45.exe
4676	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3324	Explorer.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4848	4828	1bec4d1d2a6049039896ce44b1ebad45.exe	91
PID 4828 wrote to memory of 4848	4828	1bec4d1d2a6049039896ce44b1ebad45.exe	91
PID 4848 wrote to memory of 3324	4848	HomeLock64.exe	35
PID 3324 wrote to memory of 4676	3324	Explorer.EXE	92
PID 3324 wrote to memory of 4676	3324	Explorer.EXE	92
PID 3324 wrote to memory of 4676	3324	Explorer.EXE	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Temp\1bec4d1d2a6049039896ce44b1ebad45.exe
  "C:\Users\Admin\AppData\Local\Temp\1bec4d1d2a6049039896ce44b1ebad45.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\HomeLock64.exe
    C:\Windows\system32\HomeLock64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4848
- C:\Windows\syswow64\rundll32.exe
  C:\Windows\syswow64\rundll32.exe C:\Windows\syswow64\wxnotify.dll SetFilterEx
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 704
    3⤵
    - Program crash
    PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4676 -ip 4676
1⤵
PID:2468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KSafebin\conf\ö..\2345.資料

Filesize
263B

MD5
80e8e699ed210ff534783c3aa2c26a4c

SHA1
819fd53a13fcce95af365abecaac83cd7ee95705

SHA256
a0c70f81785a94727c7769b0a63381e4ca7eb413b25ed09a425f7972fb179dc8

SHA512
2da2e065d47b740593b31742024fced361e3db8097426446ac8ad0d7c0b6b6994ade99ddb5139dc8e2fb342f0c1ffd6c4b3093174b509a76b4309e589359e917

Download Submit
C:\KSafebin\conf\ö..\ksafec.dat

Filesize
128B

MD5
7c1d3aafbd448d5e247bbeb3df0e7f45

SHA1
63e60be3e78cdb41f19c21c3333e1cef625185e3

SHA256
7c3f51f974c4f8f4bf88c402e8ea110750feb1ad42c49fe3e0659bde3a394c62

SHA512
b879e90d60e8b4e064b22d9bfa10d48098dc5a9e26e6872a1377d04e6094ffb6ecacd602c2a5883f79b89011c378f7d965228326aa5e2d59d18ea5273043cd29

Download Submit
C:\KSafebin\conf\ö..\ksafer.dat

Filesize
2KB

MD5
4830ab6f34972970a7d6bfdb5e92e236

SHA1
ca69721f231c3b2243657be4d1f74e039035c982

SHA256
981887b17eac1309ced7a34116808ad3c15e4ef5523c96f948b1d9a07af7d414

SHA512
219b001f5f6944a5295c417315f84218c58798e043b921866e6a729855814f49b897b6f0d97d93e006b9f2bfb6d2f78756b9d05261e28d8e3fe1ddd00586512f

Download Submit
C:\KSafebin\conf\ö..\ksafesvc.tat

Filesize
373B

MD5
15858f6fc5fdca0f2fef6018859f77ed

SHA1
467bea8772f9f43c04088cc03472c805ac29ba19

SHA256
b73a32be2c2e267ea08bb9b3d24f9d2c782ed0c3da71bb7153efb29df3ca8bdf

SHA512
dd2f61cb10bd1f8185c7682c8b144d4b8b5045e11d793fc9014bc3592a182a18c799b22cd121d7c38e947b57d7a013ad1fa9b8314ed1754cf1f993c8244e9326

Download Submit
C:\KSafebin\conf\ö..\qmvext.tat

Filesize
3KB

MD5
59ccdec24b3cefd06c64e787ad6c54e6

SHA1
439d1082bc481c8a2b9b2707af02390b980d581d

SHA256
c4d027c4dfb864524b77ae72b89f275e50118b9ad33f054cf46e4cb583bc641a

SHA512
b2a2c3a41093046e0ac49f180aa65cd5672639a6065af157bbb945dec0d7e8699e78b939832f3d1412995d46b4797e0d13b7c791d6ddc215ca696b2c28e9873f

Download Submit
C:\Windows\SYSTEM32\wxnotify.dll

Filesize
346KB

MD5
6d6d41c4e142bf58621f5432c73066c4

SHA1
9a2093b291a97f5294e2be03d688e83e0d7d1c26

SHA256
758eb8a1e77b405859bd5d159cd786a11affa6157ed7ede8651c3de59fa8c7dc

SHA512
8d38b2f6e6ee541b6ee821cf44bde39b4fd98398ce8701a6d7566f2edab2d6bbe65e31d9287b928d6b5ff6a5ecbfe3361b6a044f9920a6f7ab54b37326680222

Download Submit
C:\Windows\SysWOW64\baiimg32.dll

Filesize
72KB

MD5
64615e68077137db927b4e4e707a050d

SHA1
1f349304b0c6c4dcc71d9a0264feec6001390bf0

SHA256
17c836194a62e9360215142af9fb7ae63623c2115b9682fa0717b36b3af35d34

SHA512
223385ee6c5dbbfb85a402466312ab9a0c9c8b77dd17049d4be7161960d3912d61d4aaa0c371d9661b392eb55b3ead1462f310af2c81515e1f6d28763866e4ec

Download Submit
C:\Windows\System32\HomeLock64.exe

Filesize
57KB

MD5
e213b743fa4e8a4487308651051e069e

SHA1
b35729a5fab71222f753d4215fc5da1fa5194d25

SHA256
6281b013e90b53741f7da32ae77394fa1271a8ba614754ea013591aacedeb072

SHA512
195dcf3666ad8419679c250c33f4b0ec91ea534aa6c4c0c10712f8fd4a8002bd1cb5f5b6d1bd87083a4a19d6cb2584e1938ceebbb374f3cacc3aa0d95449d80f

Download Submit
C:\Windows\syswow64\wxnotify.dll

Filesize
256KB

MD5
47659d0620f0c3240041c7351e29077f

SHA1
48139222e01bc1b2b8411cf077c87aa48f90c9f6

SHA256
274fb653b33b94bb3f81209a92a040eb50a1f7423bcb69328252b1247b6790fa

SHA512
37be9a5bed2f2b57dab7bb42ee3a973181ab1f09ec0efdce4a03b8df220c5980f158134a6b631b03ca1c797d04254ee718ecfcd33954507e0722692a2fade291

Download Submit
memory/3324-38-0x00007FFCD26E0000-0x00007FFCD26E1000-memory.dmp

Filesize
4KB

Download
memory/4676-43-0x0000000002B40000-0x0000000002B53000-memory.dmp

Filesize
76KB

Download