8d44a0f7fa736033c6511939c9a5bb57cca5dc83ed9c41ca29ff9584fb72f138

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 04:50

Target

66be26ebc5d344ffb1a8778a1e541f87.exe
Size

18KB
MD5

66be26ebc5d344ffb1a8778a1e541f87
SHA1

25ab61237ef95d51ada1136b6c75077aa1b8a928
SHA256

8d44a0f7fa736033c6511939c9a5bb57cca5dc83ed9c41ca29ff9584fb72f138
SHA512

501b1a374b170e835941dcf66fcd586e7c53337dbde7fcef5e5fcb7b75129a9a9106076d26219eab41d1cb0cb7b589c0d789ec195cd4299deb98467a7b7abd98
SSDEEP

384:dopH+h4pIfwV+zhCvdgtOnLUkmTxgEC2F2SurweYIveaqCV1rz8PadY:+pu4pTECidxTxg521eZfV1cPadY

Score

7^/10

Deletes itself 1 IoCs

pid	Process
1332	cmd.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\verclsid.exe	66be26ebc5d344ffb1a8778a1e541f87.exe
File opened for modification	C:\Windows\SysWOW64\verclsid.exe	66be26ebc5d344ffb1a8778a1e541f87.exe
File created	C:\Windows\SysWOW64\she1l32.dll	66be26ebc5d344ffb1a8778a1e541f87.exe
File created	C:\Windows\SysWOW64\9c4cdc3e.dll	66be26ebc5d344ffb1a8778a1e541f87.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32	66be26ebc5d344ffb1a8778a1e541f87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	66be26ebc5d344ffb1a8778a1e541f87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	66be26ebc5d344ffb1a8778a1e541f87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}	66be26ebc5d344ffb1a8778a1e541f87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InProcServer32\ = "she1l32.dll"	66be26ebc5d344ffb1a8778a1e541f87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C98017BE-9D7D-4008-8B8E-8EA25601155B}	66be26ebc5d344ffb1a8778a1e541f87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C98017BE-9D7D-4008-8B8E-8EA25601155B}\{73774159-DFF1-417B-A431-F551CA06DEA2} = "9c4cdc3e.dll"	66be26ebc5d344ffb1a8778a1e541f87.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1332	2028	66be26ebc5d344ffb1a8778a1e541f87.exe	28
PID 2028 wrote to memory of 1332	2028	66be26ebc5d344ffb1a8778a1e541f87.exe	28
PID 2028 wrote to memory of 1332	2028	66be26ebc5d344ffb1a8778a1e541f87.exe	28
PID 2028 wrote to memory of 1332	2028	66be26ebc5d344ffb1a8778a1e541f87.exe	28

C:\Users\Admin\AppData\Local\Temp\66be26ebc5d344ffb1a8778a1e541f87.exe
"C:\Users\Admin\AppData\Local\Temp\66be26ebc5d344ffb1a8778a1e541f87.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\del1065.bat
  2⤵
  - Deletes itself
  PID:1332

C:\Users\Admin\AppData\Local\Temp\del1065.bat

Filesize
395B

MD5
76e61fbb9282c527e145ecaa148a3f48

SHA1
00c008d3c136802e6c0aa67090bacf25290deea6

SHA256
6c9a900990fefa50fc09e98f70a0f7027327926041cdb1444f549afe2c025876

SHA512
27484489f907f6488141643f82de853731f7cee453cd385aa04c320e11de17cacedb9cdad6284daad8bd3044439dbb3c10b79d2fcd48eb7bf5a9c556ef3eccf9

Download Submit