17e856bbb4c3941390b88b9d2e97c6b36335a561e6094bfddd9ffae99f11db2b

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

293fa07b20c99afaaccea1f528586146.exe
Size

77KB
MD5

293fa07b20c99afaaccea1f528586146
SHA1

ea95d2f64f67c7bfb24c5d79a0f6253dcb16b10d
SHA256

17e856bbb4c3941390b88b9d2e97c6b36335a561e6094bfddd9ffae99f11db2b
SHA512

5a9d9ec412677a149383e4cb265de4b0a813730c0cc3bcf36ffd2f37dc3d6912d4cae0e00054006bdfbd302faf16a63abda53db7d4e2e6b1b5901a090fd9ce12
SSDEEP

1536:IE3o+bEGECvZ26b0OzS3mUlKDGXdmALZ7rJXG2tpAStP9mta66uOvWq:IE37ECR2mS2UlKsga75GGrP9mD6uOvv

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1492	293fa07b20c99afaaccea1f528586146.exe
1492	293fa07b20c99afaaccea1f528586146.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\HELP\F3C74E3FA248.dll	293fa07b20c99afaaccea1f528586146.exe
File opened for modification	C:\Windows\HELP\F3C74E3FA248.dll	293fa07b20c99afaaccea1f528586146.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	293fa07b20c99afaaccea1f528586146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	293fa07b20c99afaaccea1f528586146.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	293fa07b20c99afaaccea1f528586146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\HELP\\F3C74E3FA248.dll"	293fa07b20c99afaaccea1f528586146.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	293fa07b20c99afaaccea1f528586146.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1492	293fa07b20c99afaaccea1f528586146.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 5052	1492	293fa07b20c99afaaccea1f528586146.exe	88
PID 1492 wrote to memory of 5052	1492	293fa07b20c99afaaccea1f528586146.exe	88
PID 1492 wrote to memory of 5052	1492	293fa07b20c99afaaccea1f528586146.exe	88
PID 1492 wrote to memory of 4376	1492	293fa07b20c99afaaccea1f528586146.exe	100
PID 1492 wrote to memory of 4376	1492	293fa07b20c99afaaccea1f528586146.exe	100
PID 1492 wrote to memory of 4376	1492	293fa07b20c99afaaccea1f528586146.exe	100

C:\Users\Admin\AppData\Local\Temp\293fa07b20c99afaaccea1f528586146.exe
"C:\Users\Admin\AppData\Local\Temp\293fa07b20c99afaaccea1f528586146.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:5052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 2.bat
  2⤵
  PID:4376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
d70d121a97ece87a2c7008edc1a239f0

SHA1
be5e6d9ce46355d90449cdff58311be7f2d9c0cc

SHA256
ebfb27e2c8d4f3f2fcd5e8747f2383cab2d0865a93ffb9ea676030c7739964f4

SHA512
6c9f7712c66beef289c46eb1dee5bc23df605477b6fe7cd001954b2208fd39109d5241407090ca8c13f05b4a3b38f9c7bf9bcfaea02547ae4724fd45156909ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
62B

MD5
46e43e6b19bdc6570b254596627e1226

SHA1
2c5009912b5fe2298e90543c00939520eef444cf

SHA256
88e49bb0324b72c26d78ee80e43ab50dcc3c6626001a720df50e6ac8642fc54a

SHA512
5c17d52bfc995afc850293d4244189dd5c02e708373688f05e4c230f2816d438f698f5b393e2ad3691984423872e89e4fc46d5668d2ebfa3bcfe11e401970a79

Download Submit
C:\Windows\Help\F3C74E3FA248.dll

Filesize
59KB

MD5
c2304386d51bf7fb347e2c1abb847fd3

SHA1
d5baf5a57abbdeb194b12e0c098b5446e15645dd

SHA256
cada43f558a302f55c4789bf4a17b81e2b1e35494c9086ce320888c48bc4177d

SHA512
7f64a16e7a3aa78d4c990fe4d9e233cecabcc9c6aa1d034442db4f315ab46876e25e3ca3dbe9bb1caf43d3c92d0582c601d8c0e7084e3cf5a5d3b93921d381a4

Download Submit
memory/1492-3-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-13-0x0000000002280000-0x00000000022BA000-memory.dmp

Filesize
232KB

Download
memory/1492-14-0x0000000002280000-0x00000000022BA000-memory.dmp

Filesize
232KB

Download
memory/1492-15-0x0000000002280000-0x00000000022BA000-memory.dmp

Filesize
232KB

Download
memory/1492-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-19-0x0000000002280000-0x00000000022BA000-memory.dmp

Filesize
232KB

Download