bc10a209f66cfacdca83b3dd9dac9219d5efa0a3a66074e32f6d558f3a59c26a

General

Target

129fc279f95f5e60709058cb3e052d3d.exe
Size

130KB
MD5

129fc279f95f5e60709058cb3e052d3d
SHA1

3517311341c9b22936d7d725c4c3d5aed3e2415a
SHA256

bc10a209f66cfacdca83b3dd9dac9219d5efa0a3a66074e32f6d558f3a59c26a
SHA512

175261f985d1282dcbbd360fdd0d04e5e80eca3be166cfc86fe2a0a7f0b579c2f0b20f05c23fdb9d92e9ab6813d645d0527c769ee8c9699f3e0455c51f181af6
SSDEEP

3072:q4ohdiJYwBfj8c5G1NxSvlgfo+mw/OhCvSMWttEBnpiJ:7P1j8c5G4dKiw/lJC

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1244	129fc279f95f5e60709058cb3e052d3d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	129fc279f95f5e60709058cb3e052d3d.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	129fc279f95f5e60709058cb3e052d3d.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	129fc279f95f5e60709058cb3e052d3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	129fc279f95f5e60709058cb3e052d3d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	129fc279f95f5e60709058cb3e052d3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	129fc279f95f5e60709058cb3e052d3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	129fc279f95f5e60709058cb3e052d3d.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeBackupPrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe
Token: SeRestorePrivilege	1244	129fc279f95f5e60709058cb3e052d3d.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1244	129fc279f95f5e60709058cb3e052d3d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2948	1244	129fc279f95f5e60709058cb3e052d3d.exe	15
PID 1244 wrote to memory of 2948	1244	129fc279f95f5e60709058cb3e052d3d.exe	15
PID 1244 wrote to memory of 2948	1244	129fc279f95f5e60709058cb3e052d3d.exe	15
PID 1244 wrote to memory of 2948	1244	129fc279f95f5e60709058cb3e052d3d.exe	15
PID 1244 wrote to memory of 2744	1244	129fc279f95f5e60709058cb3e052d3d.exe	30
PID 1244 wrote to memory of 2744	1244	129fc279f95f5e60709058cb3e052d3d.exe	30
PID 1244 wrote to memory of 2744	1244	129fc279f95f5e60709058cb3e052d3d.exe	30
PID 1244 wrote to memory of 2744	1244	129fc279f95f5e60709058cb3e052d3d.exe	30

C:\Users\Admin\AppData\Local\Temp\129fc279f95f5e60709058cb3e052d3d.exe
"C:\Users\Admin\AppData\Local\Temp\129fc279f95f5e60709058cb3e052d3d.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
e533642619b3d7a825a8af4a7891ebc0

SHA1
db4b4872cdcf032f52ac99b846f8106e09a9d10f

SHA256
8a5acaedb3906baa4b576a19daa833e48d9a3327596900bf2c18831cebc745e7

SHA512
edfa8ce119048d182d8fea748c4622e6f71687a29444424df052fadcf0a8009bb8219c9686785749079d9e02e06d0ef3b0dcbac3c787473e62e0dfd28091085c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
62B

MD5
d1e2f8a61226bad0565f9cee05b936ee

SHA1
43e98474e6cdcb9264d47d2b87e9ffec688dbc46

SHA256
a476ed4a9df4b6f2a35e735f308c6419cc1bc2789e587beb723a1d3c4939ac5a

SHA512
43a29f4bec3ce7c9685c6e2cdfbabd63ad1c6f3ad09ced145f248cacbe305a055de8598d07337b580a3a6d5fadd69d1d21466627e7c2c2b1e5e15b5718cc80e2

Download Submit
\Windows\Help\B41346EFA848.dll

Filesize
117KB

MD5
e4e1626419fba84759a2448d184ac3d4

SHA1
3231f947994b1a0be6b7eab110c940e24c422afe

SHA256
504cde72c802ac1835979ea7e3145742b8df308ce37dc1d355199308d02153a7

SHA512
e40f92421dc76962dcc7bc6d32ce684e9afa4ea2c1587116c0515f28a504aacf9791e92f578d109c96beb5ea59610620655da35998e2ceac12562bf3916dda66

Download Submit
memory/1244-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-9-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1244-25-0x0000000000380000-0x00000000003D0000-memory.dmp

Filesize
320KB

Download
memory/1244-24-0x0000000000380000-0x00000000003D0000-memory.dmp

Filesize
320KB

Download
memory/1244-26-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-28-0x0000000000380000-0x00000000003D0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing