336be3a20ae8a36962ffd26b1ec7fb0ec2274a860dd9423b16ff817d29f1908a

Analysis

max time kernel
144s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Target

93dc1dee6b92da2fe38858162e039eb54ce5e109286432cb3a55c06818eff61a.chm
Size

20KB
MD5

d0f8b99970cbe34b5fe6492d66340edf
SHA1

05953d775679f3effed1cbeb429218797899a62d
SHA256

93dc1dee6b92da2fe38858162e039eb54ce5e109286432cb3a55c06818eff61a
SHA512

718b8dd293806ee92f43f560dac3ebc48d27f7483b97aacd13f17b83e13e251d7e2d10b5f98f1ec61b3536d9de49e7ab09050d75d227429bcaaffbed1bdc8121
SSDEEP

384:gpabv3H87wzhdfl5COJNnZf1l4StghfeTqKrLWj:gpytzhdflQOJ3fwSasp2

Score

10^/10

Language

ps1

Deobfuscated

URLs

exe.dropper

http://188.241.58.24/zae/br.css

Blocklisted process makes network request 1 IoCs

flow	pid	Process
11	1440	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5004	hh.exe
5004	hh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 1976	5004	hh.exe	22
PID 5004 wrote to memory of 1976	5004	hh.exe	22
PID 1976 wrote to memory of 1440	1976	cmd.exe	23
PID 1976 wrote to memory of 1440	1976	cmd.exe	23

memory/1440-16-0x00007FFB2C680000-0x00007FFB2D141000-memory.dmp

Filesize
10.8MB

Download
memory/1440-18-0x00000221B9040000-0x00000221B9050000-memory.dmp

Filesize
64KB

Download
memory/1440-17-0x00000221B9040000-0x00000221B9050000-memory.dmp

Filesize
64KB

Download
memory/1440-6-0x00000221B9000000-0x00000221B9022000-memory.dmp

Filesize
136KB

Download
memory/1440-21-0x00007FFB2C680000-0x00007FFB2D141000-memory.dmp

Filesize
10.8MB

Download