d4b41d41e1bbbfdd370f12c58fcacbdf1127ec789bf95f28cb4ec5a4ed32cf67

General

Target

2d8db0691e6113e0b0477f27980398af.exe
Size

145KB
MD5

2d8db0691e6113e0b0477f27980398af
SHA1

4643ee76df87047e5d64a9408bd9346891d39f99
SHA256

d4b41d41e1bbbfdd370f12c58fcacbdf1127ec789bf95f28cb4ec5a4ed32cf67
SHA512

79390de1a99d8aac68d2eb82daaf11502c022adb5c5e23b21c6a06ee22a371217889fff2f16395558089fb44402643121d30c33a10d6593adefe70b0d393058b
SSDEEP

3072:XT5aGf7DZbK+u9AyCMC+5xis/W9hg42qcpi9I+BTbnE7wp:D5x3ZbK59CMC6xNihnhcpO1bI

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2288	2d8db0691e6113e0b0477f27980398af.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\help\EB6C4499B05F.dll	2d8db0691e6113e0b0477f27980398af.exe
File created	C:\Windows\help\EB6C4499B05F.dll	2d8db0691e6113e0b0477f27980398af.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	2d8db0691e6113e0b0477f27980398af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	2d8db0691e6113e0b0477f27980398af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	2d8db0691e6113e0b0477f27980398af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\EB6C4499B05F.dll"	2d8db0691e6113e0b0477f27980398af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	2d8db0691e6113e0b0477f27980398af.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeBackupPrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe
Token: SeRestorePrivilege	2288	2d8db0691e6113e0b0477f27980398af.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2288	2d8db0691e6113e0b0477f27980398af.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2456	2288	2d8db0691e6113e0b0477f27980398af.exe	28
PID 2288 wrote to memory of 2456	2288	2d8db0691e6113e0b0477f27980398af.exe	28
PID 2288 wrote to memory of 2456	2288	2d8db0691e6113e0b0477f27980398af.exe	28
PID 2288 wrote to memory of 2456	2288	2d8db0691e6113e0b0477f27980398af.exe	28
PID 2288 wrote to memory of 2688	2288	2d8db0691e6113e0b0477f27980398af.exe	30
PID 2288 wrote to memory of 2688	2288	2d8db0691e6113e0b0477f27980398af.exe	30
PID 2288 wrote to memory of 2688	2288	2d8db0691e6113e0b0477f27980398af.exe	30
PID 2288 wrote to memory of 2688	2288	2d8db0691e6113e0b0477f27980398af.exe	30

C:\Users\Admin\AppData\Local\Temp\2d8db0691e6113e0b0477f27980398af.exe
"C:\Users\Admin\AppData\Local\Temp\2d8db0691e6113e0b0477f27980398af.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
197cd85aabaab9e7ec3099febd04ac71

SHA1
baa8d6d431c4d7004aa6575c165ea1e9c358d815

SHA256
dc0963f52bde5816a56982060dd504c0a3748f290b847c8f2ce7f8a43cf834e5

SHA512
69a120825b954d0c1d063fa7b42814b71d3d31b932465b837de1a5b7d91e846e815371e16d061d38da3c3676c38ba4870fc565a94fab264517c0ed66d7a617ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
62B

MD5
3f333303676037c2527fdd3763c39518

SHA1
b80d4e7ee30ee8075208f272c8f8cd7eab938ee4

SHA256
c0bcc41892a71191a6c9a17fceb99dca289ec9fcd80d984009d798e626469713

SHA512
ac47ccb467ff9c61f95d7eb84e6b1f06daea2672798c855cb3b6e00c1a10a37ee4c0e8ef03d41545fba011748bdaa81a5e01362411178732449aad19262412fb

Download Submit
\Windows\Help\EB6C4499B05F.dll

Filesize
133KB

MD5
8ad60d57953021b38708b3b0b3a25035

SHA1
b86123e54ca4687d07842e526bb068d78710a16f

SHA256
c2aa8c89a19ed1cf81b8b950bc7fcbbfeaaca1b8d6a42fda1d78085b5356d2c8

SHA512
7f0ca29ee4121f81fd10fad39030f4f4f7a0adac90746c09eae2b56c7631139f9d17943a51039362716ddbe9eb2a7467eaddca1b31abc4e8ca8ee7cc2e17de7f

Download Submit
memory/2288-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-3-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2288-11-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-24-0x0000000000360000-0x00000000003B9000-memory.dmp

Filesize
356KB

Download
memory/2288-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2288-27-0x0000000000360000-0x00000000003B9000-memory.dmp

Filesize
356KB

Download

Analysis

Sharing