1a71998a2d8294f2d39c65dfb3cdfa9907fc003d279c6945036e882a75a0bf80

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 12:35

Target

18b3ca475939fc61311522ee0b055bc3.exe
Size

73KB
MD5

18b3ca475939fc61311522ee0b055bc3
SHA1

396d7483bf5ba9a2ac2653502374385bcd4d485a
SHA256

1a71998a2d8294f2d39c65dfb3cdfa9907fc003d279c6945036e882a75a0bf80
SHA512

7e297807d023ba835ca8fa881c9155f9f476bf7a2cedce05e99a61c2e8f73800385ff633909e0afa5fd4272f73e22e261361282b7bdcb0cc02ac66ca829247e3
SSDEEP

1536:M45qN1KjKmrKgPgYFnCutHtoy8rb1K+OCctxoXx09vWTA4j:M/Lf0BgYCu3oy8f1rdxiq

Score

7^/10

Loads dropped DLL 2 IoCs

pid	Process
972	18b3ca475939fc61311522ee0b055bc3.exe
972	18b3ca475939fc61311522ee0b055bc3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Debug\B831406A9770.dll	18b3ca475939fc61311522ee0b055bc3.exe
File opened for modification	C:\Windows\Debug\B831406A9770.dll	18b3ca475939fc61311522ee0b055bc3.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\ = "fsvdf"	18b3ca475939fc61311522ee0b055bc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32	18b3ca475939fc61311522ee0b055bc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ = "C:\\Windows\\Debug\\B831406A9770.dll"	18b3ca475939fc61311522ee0b055bc3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}\InProcServer32\ThrEaDiNgModEL = "aPaRTmEnT"	18b3ca475939fc61311522ee0b055bc3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{291FABA8-CB00-488C-AC9E-B457FFC4A117}	18b3ca475939fc61311522ee0b055bc3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
972	18b3ca475939fc61311522ee0b055bc3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 760	972	18b3ca475939fc61311522ee0b055bc3.exe	88
PID 972 wrote to memory of 760	972	18b3ca475939fc61311522ee0b055bc3.exe	88
PID 972 wrote to memory of 760	972	18b3ca475939fc61311522ee0b055bc3.exe	88
PID 972 wrote to memory of 4056	972	18b3ca475939fc61311522ee0b055bc3.exe	100
PID 972 wrote to memory of 4056	972	18b3ca475939fc61311522ee0b055bc3.exe	100
PID 972 wrote to memory of 4056	972	18b3ca475939fc61311522ee0b055bc3.exe	100

C:\Users\Admin\AppData\Local\Temp\18b3ca475939fc61311522ee0b055bc3.exe
"C:\Users\Admin\AppData\Local\Temp\18b3ca475939fc61311522ee0b055bc3.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4056

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
41B

MD5
ba7fbc1af9676442d6da5bdb5afe813c

SHA1
151f5f221a3e02f9e51a8cb20495416b79da4c04

SHA256
ffac204151edc4de9316c4416df635cd0d68a1d4b33125e6bf32209b0f879816

SHA512
94338b36552b9b5f9772b735ebfb8dce8d750ce3c81996f2cd052d0f1e0d9010366d6b711340356506f81d4cd875c8cb0ee71ab0d5c77e22ab9d98893cc70edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
52B

MD5
79f485589be6c5807d897f83641c45f5

SHA1
cf89f8962cbb25c0a22949e6956b2f7340680f59

SHA256
7ac89c9449bb50e781081d1bee95b39f786553f79ae651638097748f926ff2ec

SHA512
409cf520741545b8674b9a2164741a0a1b00057162ee084f02e0752880995df7494ba1cbc8fedb30cae21c42b8d16cb28d9063d915732c967fdacae12b732278

Download Submit
C:\Windows\debug\B831406A9770.dll

Filesize
154KB

MD5
b64ff801a74df49fadf9f2baa7a19e06

SHA1
e682ae45389e0733c9d61eaf2397b861b578fb01

SHA256
8823c0a3ae158ed3ed72141d1d5e622da4edfe15332f8fcf68492f14bc9ff42c

SHA512
60cf342dedad85b09e4eab2330ad5bead74b883eea8c93902c6cf634747185f2c62119dd051574a998718cda534c5afcdf428c68de0384424bb632f4c8625efd

Download Submit
memory/972-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/972-11-0x00000000005A0000-0x00000000005CB000-memory.dmp

Filesize
172KB

Download
memory/972-15-0x00000000005A0000-0x00000000005CB000-memory.dmp

Filesize
172KB

Download
memory/972-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download