91c691587669ebd77a691d41c5855444ee5e97c2911a6e9d7078d7154a21af6f

General

Target

3de87216ceeaefaa9ce85ccc9aefdc91.exe
Size

182KB
MD5

3de87216ceeaefaa9ce85ccc9aefdc91
SHA1

a55efe5eeee8b6a002463e25945ee605bc9e1522
SHA256

91c691587669ebd77a691d41c5855444ee5e97c2911a6e9d7078d7154a21af6f
SHA512

f4b53d6fd398863ca41ea432a3817aa9d0fb9d03ff36e64c9239c62cceac28543359e50d0e03fb4d73cfff99eb3d9760ebfad3b298be35d28808918f14aca6ec
SSDEEP

3072:59p/J66qEkcJnovN4Ar8o8R7nU3tKl4YkIXfig/HPzyLhNRlZF9a:Rc6OcJovNZrZOZBlXfZHPUlda

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\B41346EFA848.dll	3de87216ceeaefaa9ce85ccc9aefdc91.exe
File opened for modification	C:\Windows\help\B41346EFA848.dll	3de87216ceeaefaa9ce85ccc9aefdc91.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	3de87216ceeaefaa9ce85ccc9aefdc91.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeBackupPrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe
Token: SeRestorePrivilege	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2184	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe	28
PID 2384 wrote to memory of 2184	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe	28
PID 2384 wrote to memory of 2184	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe	28
PID 2384 wrote to memory of 2184	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe	28
PID 2384 wrote to memory of 2836	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe	30
PID 2384 wrote to memory of 2836	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe	30
PID 2384 wrote to memory of 2836	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe	30
PID 2384 wrote to memory of 2836	2384	3de87216ceeaefaa9ce85ccc9aefdc91.exe	30

C:\Users\Admin\AppData\Local\Temp\3de87216ceeaefaa9ce85ccc9aefdc91.exe
"C:\Users\Admin\AppData\Local\Temp\3de87216ceeaefaa9ce85ccc9aefdc91.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
0721eb8e00fa7109d5ddb88eceb2de77

SHA1
56fc78cb85eb19d63f1bbd98ffec96b148295658

SHA256
913bc14699298890a54bba426af5d937e072a426ee5b2fbfa91e0b9ccd17c2ee

SHA512
ac81452a2e5a5cd5b86963ffe5310f65239ebcc32f11fe731f37dabb2cfc938476fc5fce47a0fc287d0f8e622f6cea8ef264b26ae79c28d9af82f6711fbc9614

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
62B

MD5
d1e2f8a61226bad0565f9cee05b936ee

SHA1
43e98474e6cdcb9264d47d2b87e9ffec688dbc46

SHA256
a476ed4a9df4b6f2a35e735f308c6419cc1bc2789e587beb723a1d3c4939ac5a

SHA512
43a29f4bec3ce7c9685c6e2cdfbabd63ad1c6f3ad09ced145f248cacbe305a055de8598d07337b580a3a6d5fadd69d1d21466627e7c2c2b1e5e15b5718cc80e2

Download Submit
\Windows\Help\B41346EFA848.dll

Filesize
124KB

MD5
30e955c3e80314880a647798ef91d49c

SHA1
fcfbdf4ccd73815a11720d5c14583370d413b9a3

SHA256
52b53510741441465cae72e384f30885212148294034e7c969f3ddf5a7dc141c

SHA512
dfcf2304fb533b263f77a8181133e7dee6bd3aa398e7b3e43f99279ae74b93e843e0e34994e1699aa2dae291077f10c2780136dfa6dfd4d9ea781f2de19d39d1

Download Submit
memory/2384-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2384-21-0x0000000001E40000-0x0000000001E91000-memory.dmp

Filesize
324KB

Download
memory/2384-22-0x0000000001E40000-0x0000000001E91000-memory.dmp

Filesize
324KB

Download
memory/2384-23-0x0000000001E40000-0x0000000001E91000-memory.dmp

Filesize
324KB

Download
memory/2384-24-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2384-25-0x0000000001E40000-0x0000000001E91000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing