eb069e038c957e564354e29041494ba33a63b6ce171b87585d1b714a7bdd2094

Analysis

max time kernel
146s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

171dfc58c4bf72784a8db574c2df5539.exe
Size

22KB
MD5

171dfc58c4bf72784a8db574c2df5539
SHA1

19bdb77c53bed7ecb9d5c5cff274116cd97e8f08
SHA256

eb069e038c957e564354e29041494ba33a63b6ce171b87585d1b714a7bdd2094
SHA512

01bb89cd538a4a2fcb8099ddaabc99aa651eb7a0e3ff821415ff45a7e715258dac468a06dd4e1890af28a9c569868875cfb0fa885a8cd139ade32e4be6fdad1a
SSDEEP

384:ysfdaO4XrYC4wDgG/BXMBKlEyo7df854uC33qNT3qMbGgjYNLt1MVNvkJgZJJJAJ:jIfrYC4wDgyCuHsa5WELfjYtwHpJ/Acm

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
4180	171dfc58c4bf72784a8db574c2df5539.exe
4180	171dfc58c4bf72784a8db574c2df5539.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ddserh.dll	171dfc58c4bf72784a8db574c2df5539.exe
File created	C:\Windows\SysWOW64\tf0	171dfc58c4bf72784a8db574c2df5539.exe
File opened for modification	C:\Windows\SysWOW64\ddserh.dll.LoG	171dfc58c4bf72784a8db574c2df5539.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\ = "MICROSOFT"	171dfc58c4bf72784a8db574c2df5539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32\ = "C:\\Windows\\SysWow64\\ddserh.dll"	171dfc58c4bf72784a8db574c2df5539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32\ThreadingModel = "Apartment"	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}\InProcServer32	171dfc58c4bf72784a8db574c2df5539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A9895933-6636-4281-BC58-EE6DE2AF96E3}	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS	171dfc58c4bf72784a8db574c2df5539.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS	171dfc58c4bf72784a8db574c2df5539.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4180	171dfc58c4bf72784a8db574c2df5539.exe
4180	171dfc58c4bf72784a8db574c2df5539.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	4180	171dfc58c4bf72784a8db574c2df5539.exe
Token: SeRestorePrivilege	4180	171dfc58c4bf72784a8db574c2df5539.exe
Token: SeBackupPrivilege	4180	171dfc58c4bf72784a8db574c2df5539.exe
Token: SeRestorePrivilege	4180	171dfc58c4bf72784a8db574c2df5539.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4180	171dfc58c4bf72784a8db574c2df5539.exe
4180	171dfc58c4bf72784a8db574c2df5539.exe
4180	171dfc58c4bf72784a8db574c2df5539.exe

C:\Users\Admin\AppData\Local\Temp\171dfc58c4bf72784a8db574c2df5539.exe
"C:\Users\Admin\AppData\Local\Temp\171dfc58c4bf72784a8db574c2df5539.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ddserh.dll

Filesize
262KB

MD5
e346f3887c8533cec242826adf61b591

SHA1
99f7baafe403546d1f7f7129c8d690da1156ea6c

SHA256
ce4f3c95dec66e3450a9465399458c094b272afafbbe18242b6918d90dbbb32e

SHA512
312d5fb3ef8c5e6fc37f3177e58f0f5c91c8882740476110afd646222e404c0b15534f91b73e8e9403c82e4c5afe3a63a68038b9aa1b33bbea908b80da08dbd8

Download Submit
memory/4180-4-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/4180-8-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download