c6e9d25141b540090680698130a801987321f1ef29fa10fbbcf50fd640380f0f

Analysis

max time kernel
8s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 02:29

Target

247f965412d63d354bef7362057fec0f.exe
Size

177KB
MD5

247f965412d63d354bef7362057fec0f
SHA1

b1402e2b60c28585b2e331ee8cda9c3c2fbc1ff6
SHA256

c6e9d25141b540090680698130a801987321f1ef29fa10fbbcf50fd640380f0f
SHA512

e10b9b80db2e5c5922a1afa387dc102dbc226f925b1cbb6db8a1a328cf301c36b31fc025ff0d462f11c50dea6c17ba53bf82e0ed124bc6268b203782d3b43b13
SSDEEP

3072:ORB7Hs/19xRSY6H53Y2+6Ul5+TQUpWDE/qg1DunsEgCMFSIm28WkBA:OaRSdH53Y2nQYHs4XasEghFSI98g

Score

5^/10

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\2.txt	247f965412d63d354bef7362057fec0f.exe
File created	C:\Windows\SysWOW64\1.txt	247f965412d63d354bef7362057fec0f.exe
File opened for modification	C:\Windows\SysWOW64\1.txt	247f965412d63d354bef7362057fec0f.exe

Kills process with taskkill 3 IoCs

evasion

Runs .reg file with regedit 1 IoCs

pid	Process
2928	regedit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4536	4072	247f965412d63d354bef7362057fec0f.exe	95
PID 4072 wrote to memory of 4536	4072	247f965412d63d354bef7362057fec0f.exe	95
PID 4072 wrote to memory of 4536	4072	247f965412d63d354bef7362057fec0f.exe	95
PID 4072 wrote to memory of 3048	4072	247f965412d63d354bef7362057fec0f.exe	93
PID 4072 wrote to memory of 3048	4072	247f965412d63d354bef7362057fec0f.exe	93
PID 4072 wrote to memory of 3048	4072	247f965412d63d354bef7362057fec0f.exe	93
PID 4072 wrote to memory of 4504	4072	247f965412d63d354bef7362057fec0f.exe	92
PID 4072 wrote to memory of 4504	4072	247f965412d63d354bef7362057fec0f.exe	92
PID 4072 wrote to memory of 4504	4072	247f965412d63d354bef7362057fec0f.exe	92

C:\Users\Admin\AppData\Local\Temp\247f965412d63d354bef7362057fec0f.exe
"C:\Users\Admin\AppData\Local\Temp\247f965412d63d354bef7362057fec0f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /im internat.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\247f965412d63d354bef7362057fec0f.exe
  C:\Users\Admin\AppData\Local\Temp\247f965412d63d354bef7362057fec0f.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /im iResearchiClick.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /im internat.exe /f
  2⤵
  - Kills process with taskkill
  PID:640
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe win32.dll /s
  2⤵
  PID:492
- C:\Windows\SysWOW64\regedit.exe
  regedit /s C:\1.reg
  2⤵
  - Runs .reg file with regedit
  PID:2928

C:\1.reg

Filesize
171B

MD5
9c1ad5b79dc21535a9627147ebf9ce27

SHA1
3d3331573910fcb4233a8fd141e4fe3034f89979

SHA256
11443d65275950210990bc35f45dbe404005b37adb9b34bfca4ef97491bda1fb

SHA512
eba39f3d8f2930f2566ff5cda27c3a809f889b5885e2c20c16c048057c0d3d78412d101d116ae27e9f92400d37bb4c0dc81c3c07f63f40f89773cb4f723e9fa6

Download Submit
C:\Program Files\Winpows Publke\services.exe.txt

Filesize
10KB

MD5
20316d2de29e5a9f4ceb15ace8e0c9c9

SHA1
0dc41d862183a9dd1145b9bd5b2fa1887120ccfc

SHA256
1825056615803cfe4ae7982bba09d6e810e008c62b43f4e82bcbdecc185c8abe

SHA512
5f1d8afc7f0257b0193ce8d9096d76e04a5614785e28d4472632679f5f7ed6a85d7bb817098188be1b2f15d3b14ccd267dcdee04f02bfbd7ecd2cde57c3adb10

Download Submit
C:\Windows\SysWOW64\win32.dll

Filesize
24KB

MD5
dfc09af925fd425640cb7e01ccaa0bbe

SHA1
c3ca79b9b1a5fe8f4e1ac0d8f2f86ec95038b7e5

SHA256
4ad441211dc677c748099b2a776411541c18565407ec6abbc4289593ff33db3f

SHA512
7e05ad89ae1b576819fe61008d04c01be307447d41ca98b92d9acf0802789ca5039dd7c0a7f0ebe7c20086c2041b97dd916a81a695f925aa7d2e33c81bd24538

Download Submit
C:\Windows\SysWOW64\win32.dll

Filesize
1KB

MD5
6ac2846e4ee57ec477882b8ca0b5f7cb

SHA1
a1b55aeda273e60796b741229901eb792f5117f9

SHA256
6eed576b052940de678a57c3ebe3df24c81ce0898bec4e7f08524685b3225008

SHA512
37b45e76e5267e0015e21df0d61e432e69577f376f9cf218ee10a088f3a88001581b802edbac0a9aa575fa99a3316928b2804a91ecec7deedd4e9d1ffb944ca3

Download Submit