d47cd0dd8b41a0b4ff12b4bf8484af9bffaa6a7db232cadd76d19b7eafa151ea

Analysis

max time kernel
119s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 04:00

Target

527126441f127d0acc6b8b7b6cdffa51.exe
Size

8KB
MD5

527126441f127d0acc6b8b7b6cdffa51
SHA1

a5f321715f74c31543d518f3fd72052d600ea550
SHA256

d47cd0dd8b41a0b4ff12b4bf8484af9bffaa6a7db232cadd76d19b7eafa151ea
SHA512

3da97c2e6f06b7915bd267b873550f0ad94c4ebfbd98199c42e7e65358d0f28de9fa11a3438a633dc04df815c217dda34b132092185d723ee2b3265772c4bb96
SSDEEP

192:ll5F9JdXTJJktHmoC6vKW4zGiFPBpGlqFdap:3jddJkt/rvKDzGiF7dY

Score

7^/10

Loads dropped DLL 1 IoCs

pid	Process
2216	527126441f127d0acc6b8b7b6cdffa51.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dadoor0.dll	527126441f127d0acc6b8b7b6cdffa51.exe
File opened for modification	C:\Windows\SysWOW64\dadoor0.dll	527126441f127d0acc6b8b7b6cdffa51.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8CC4845-44F8-9053-441C-28F2EF67655B}\daSobjEventName = "YUTDFGHKHCOOLDA_0"	527126441f127d0acc6b8b7b6cdffa51.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8CC4845-44F8-9053-441C-28F2EF67655B}	527126441f127d0acc6b8b7b6cdffa51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8CC4845-44F8-9053-441C-28F2EF67655B}\daExeModuleName = "C:\\Users\\Admin\\AppData\\Local\\Temp\\527126441f127d0acc6b8b7b6cdffa51.exe"	527126441f127d0acc6b8b7b6cdffa51.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D8CC4845-44F8-9053-441C-28F2EF67655B}\daDllModuleName = "C:\\Windows\\SysWow64\\dadoor0.dll"	527126441f127d0acc6b8b7b6cdffa51.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	527126441f127d0acc6b8b7b6cdffa51.exe

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1248	2216	527126441f127d0acc6b8b7b6cdffa51.exe	17

\Windows\SysWOW64\dadoor0.dll

Filesize
13KB

MD5
bcf07918193803a2f8ce194f5f654a13

SHA1
70def138d5389c6fd4287644fa4e429f559da915

SHA256
a9bd68186813e47a50f6c381d2132089f6661c2dbce272c85bc14233b020de23

SHA512
afdc2e037c4d36a9a972bef5513592a4a9eae7d16a36d94e275e305c05f54dce748ef7f85a753fe8407896b7aed92c842d7b6a978e3b9c13632a1861e89b9e78

Download Submit
memory/1248-5-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2216-4-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/2216-6-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download