70795790cc080109da55b917327e14b10644a3b182c21bccaf8d1e46a45c5923

General

Target

5ad985ff62820efb47c28d0842c013e9.exe
Size

187KB
MD5

5ad985ff62820efb47c28d0842c013e9
SHA1

aab2c70e06f2d21a4fccda861116077effc91fe5
SHA256

70795790cc080109da55b917327e14b10644a3b182c21bccaf8d1e46a45c5923
SHA512

1899db03274d5418c5aae9d171e7993f725f1a6ba837a750cb02b94b49562879a2ec99037350d5355a2ff356185f118ee2eb24e4f63bc8b6c0044c2d2c3402bd
SSDEEP

3072:baQ9XUHkqb6UR1S4d9yl6dGgNRxZ2Tfj6AkBIfkXfjqt3+QnYbpotrvajsyS:mQSPb6URXE+f7yr6AtaG5JnYbp0rv

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1592	5ad985ff62820efb47c28d0842c013e9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\help\EB6C4499B05F.dll	5ad985ff62820efb47c28d0842c013e9.exe
File opened for modification	C:\Windows\help\EB6C4499B05F.dll	5ad985ff62820efb47c28d0842c013e9.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	5ad985ff62820efb47c28d0842c013e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	5ad985ff62820efb47c28d0842c013e9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	5ad985ff62820efb47c28d0842c013e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\EB6C4499B05F.dll"	5ad985ff62820efb47c28d0842c013e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	5ad985ff62820efb47c28d0842c013e9.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeBackupPrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe
Token: SeRestorePrivilege	1592	5ad985ff62820efb47c28d0842c013e9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1592	5ad985ff62820efb47c28d0842c013e9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1888	1592	5ad985ff62820efb47c28d0842c013e9.exe	29
PID 1592 wrote to memory of 1888	1592	5ad985ff62820efb47c28d0842c013e9.exe	29
PID 1592 wrote to memory of 1888	1592	5ad985ff62820efb47c28d0842c013e9.exe	29
PID 1592 wrote to memory of 1888	1592	5ad985ff62820efb47c28d0842c013e9.exe	29
PID 1592 wrote to memory of 2968	1592	5ad985ff62820efb47c28d0842c013e9.exe	30
PID 1592 wrote to memory of 2968	1592	5ad985ff62820efb47c28d0842c013e9.exe	30
PID 1592 wrote to memory of 2968	1592	5ad985ff62820efb47c28d0842c013e9.exe	30
PID 1592 wrote to memory of 2968	1592	5ad985ff62820efb47c28d0842c013e9.exe	30

C:\Users\Admin\AppData\Local\Temp\5ad985ff62820efb47c28d0842c013e9.exe
"C:\Users\Admin\AppData\Local\Temp\5ad985ff62820efb47c28d0842c013e9.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
7085893f5a887404d65b7152dfc8d6b7

SHA1
93e07144bbd2281ffa1ef0a04593602845ba17b1

SHA256
dcf012f7d7393d3ac431c0a41fe590f29c381e2865f34b25ec465aec63276b9a

SHA512
040530bb56ede3ae5d6c34344351dad84d316a788f18a4834369d02de0a3fc31aef37e1b7449c6fc0387dd7de53c42db04543ac3b39a2c1f501d4a94a510a473

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
b49a0b36b22e0bdce7f5a56c1757edee

SHA1
fd8374727e56df4efb980c5ba3b9d6d67c51ad35

SHA256
754645a0d02504abcfaf58b6b409de99f0b50ec8b0e0626a1d20693ff523933c

SHA512
43cd78b680392befbbd66f784c7e688bdc8cf4281114ccd31ab020dabd5d1e6c00cc7176596a0a3908f6a43a019a4ce354bde4765afb612a73a89403291c3f5c

Download Submit
\Windows\Help\EB6C4499B05F.dll

Filesize
167KB

MD5
06345bafdd271eb7ed1324e9c92518dd

SHA1
9cf9ca6dc6cd4e31787ebc9edcdc418a4487b8d6

SHA256
058b977b18e76ac7c11a8a6851546a2233cc63f01284efad5fa0c505861519a9

SHA512
8319f78328dfa30207cb99307ed3d14694c2995406f24fff46a0b42ecf70a8d8725cb07e4e8646b958b8b9f01563407aa651adec3c7e742eb099a7df10d32a01

Download Submit
memory/1592-7-0x0000000000400000-0x0000000000464F58-memory.dmp

Filesize
403KB

Download
memory/1592-20-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/1592-22-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download
memory/1592-23-0x0000000000400000-0x0000000000464F58-memory.dmp

Filesize
403KB

Download
memory/1592-26-0x0000000000260000-0x000000000028E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing