8969e2c35ac81a95d5eae18513a0351dcb0c9f667d13abc08ecf75edc4ced6c1

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2024, 01:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

71170969654b6185e2e25859b0e76c81.exe
Size

381KB
MD5

71170969654b6185e2e25859b0e76c81
SHA1

88c1f2495f196e53708eb79be430da8e08b62e74
SHA256

8969e2c35ac81a95d5eae18513a0351dcb0c9f667d13abc08ecf75edc4ced6c1
SHA512

b87fb33b1c3bedb93bcd4374014a1b55281f35aa4d58ec7042c055b92b7d30fdf064fb62bc770e95aa91ba7aa95519089bc2bd388a153e58be5779beed72e303
SSDEEP

6144:WH0fYrE5kbUyCF9d0xUhoqD2eRwqqccbvmbqmIuXlYHtNEwx/cz8DqyAtAgYWE:WHUYrUwiFLIUCqJxkPml1okwmg9AtAFW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1104	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	71170969654b6185e2e25859b0e76c81.exe
File opened for modification	C:\Windows\svchost.exe	71170969654b6185e2e25859b0e76c81.exe
File created	C:\Windows\uninstal.bat	71170969654b6185e2e25859b0e76c81.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	71170969654b6185e2e25859b0e76c81.exe
Token: SeDebugPrivilege	1104	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1104	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 1176	4664	71170969654b6185e2e25859b0e76c81.exe	91
PID 4664 wrote to memory of 1176	4664	71170969654b6185e2e25859b0e76c81.exe	91
PID 4664 wrote to memory of 1176	4664	71170969654b6185e2e25859b0e76c81.exe	91
PID 1104 wrote to memory of 3540	1104	svchost.exe	90
PID 1104 wrote to memory of 3540	1104	svchost.exe	90

C:\Users\Admin\AppData\Local\Temp\71170969654b6185e2e25859b0e76c81.exe
"C:\Users\Admin\AppData\Local\Temp\71170969654b6185e2e25859b0e76c81.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\uninstal.bat
  2⤵
  PID:1176

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:3540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe

Filesize
381KB

MD5
71170969654b6185e2e25859b0e76c81

SHA1
88c1f2495f196e53708eb79be430da8e08b62e74

SHA256
8969e2c35ac81a95d5eae18513a0351dcb0c9f667d13abc08ecf75edc4ced6c1

SHA512
b87fb33b1c3bedb93bcd4374014a1b55281f35aa4d58ec7042c055b92b7d30fdf064fb62bc770e95aa91ba7aa95519089bc2bd388a153e58be5779beed72e303

Download Submit
C:\Windows\uninstal.bat

Filesize
190B

MD5
7a36773187348219976caf379b763165

SHA1
3b49ef9ead63dcffa8f7401de757d09bafce86f0

SHA256
4aca2daea3a5336e858a2871f53f2d8211ca2dea04baa947c8e1ae2c521d1827

SHA512
eec4b035212bcd55c7935781ff1e5e14c623f6d85f5a9e7f4d005e9bf02a56491077f50f4add3624fb5daf218b541c0f799a38d4f1d6a65ede4419f9e03db1c6

Download Submit
memory/1104-7-0x0000000001100000-0x0000000001102000-memory.dmp

Filesize
8KB

Download
memory/1104-10-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/1104-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1104-14-0x0000000001100000-0x0000000001102000-memory.dmp

Filesize
8KB

Download
memory/1104-15-0x0000000001130000-0x0000000001131000-memory.dmp

Filesize
4KB

Download
memory/4664-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4664-1-0x0000000000A90000-0x0000000000A92000-memory.dmp

Filesize
8KB

Download
memory/4664-2-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/4664-11-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download